Building a Resilient World:
The ISAGCA Blog

Welcome to the official blog of the ISA Global Cybersecurity Alliance (ISAGCA).

This blog covers topics on automation cybersecurity such as risk assessment, compliance, educational resources, and how to leverage the ISA/IEC 62443 series of standards.

The material and information contained on this website is for general information purposes only. ISAGCA blog posts may be authored by ISA staff and guest authors from the cybersecurity community. Views and opinions expressed by a guest author are solely their own, and do not necessarily represent those of ISA. Posts made by guest authors have been subject to peer review.

Read More

What Does the Future of Zero Trust in OT Look Like?

Read More

Categories Arrow

All Posts

What Does the Future of Zero Trust in OT Look Like?

Zero trust principles have established themselves in the mindshare of cybersecurity practitioners worldwide, being frequently referenced in architectures, solutions and public discourse. To illustrate how pervasive it has become and its rate of adoption, earlier this year Gartner reported that 63% of organizations globally have at least partially implemented a zero-trust strategy. That is encouraging, but keep in mind that OT networks will make up a small portion of that percentage. The ISA Global Cybersecurity Alliance (ISAGCA)’s white paper on zero trust outcomes provides a breakdown of how zero trust concepts may manifest in OT environments. And for organizations attempting to achieve those outcomes, they’ll find legacy equipment with missing functionality, competing priorities and system complexity will hold them back.

With that said, the irreversibility of IT/OT convergence and the pervasiveness and effectiveness of zero trust in enterprise IT systems give clear signaling that OT networks will adopt it, eventually. So what, exactly, will zero trust look and feel like in the future? And when will it happen?

If history is an indicator of the future (it is), we can consider that modern IT technologies and approaches that are eventually adopted in OT do so later, at a more cautious pace and in different ways that accommodate the unique requirements of OT. Classic examples are cloud computing, industrial IoT and virtualization technologies. It is very reasonable to draw parallels from those examples to zero trust concepts and — considering true adoption and maturity of the concepts remains in-progress within enterprise IT systems — deduce those zero trust outcomes referenced earlier may be on a 10-20 year horizon. Solutions associated with zero trust concepts — already an established and growing market — will facilitate adoption, but just like in past examples, the extent to which zero trust philosophies are adopted and the rate at which they are adopted will be influenced by the long lifespan of those legacy systems and the complexity of implementation. And the way zero trust concepts will be adopted will be heavily modified to protect existing priorities in OT, chiefly, essential functions as defined in the ISA/IEC 62443 series of standards (which includes safety instrumented functions).

The Cybersecurity and Infrastructure Security Agency (CISA) has published and iterated on a Zero Trust Maturity Model for OT which helps to envision what the future might look like. Staples of optimal concepts from that model include:

  • Enterprise-wide identity integration with tailed, as-needed automated access
  • Continuous analysis of assets with integrated threat protections and access that depends on real-time device risk analytics
  • Micro-perimeters with just-in-time and just-enough access controls
  • Applications available over public networks with continuously authorized access and protections against sophisticated attacks
  • Continuous and automated data inventorying, categorization, with dynamic access controls

The summation of that maturity description should feel akin to what we experience today in enterprise IT systems, reflecting both enhanced security and enhanced utility. Today, in enterprise IT systems, ongoing adoption of passkeys enable one-click biometric authentication. User access can be easily and dynamically centrally managed to individual applications and with appropriate least-privileges per-user, which permit the user access over public networks. And teams have accurate, real-time data and analytics available to administrate, operate and optimize.

Using history as a guide and extrapolating from technical guidance what future zero trust concepts in OT might look like, it is a future that brings both enhanced security and utility. It comes at a time when a younger generation — which expects (demands) technology to be intuitive and convenient — will be holding the reins of the world’s most critical and sensitive OT environments.

Interested in reading more articles like this? Subscribe to the ISAGCA blog and receive weekly emails with links to thought leadership, research and other insights from the OT cybersecurity community.
Jacob Chapman
Jacob Chapman
Jacob Chapman has a professional background in automation engineering, project management, account management, industrial networking and ICS cybersecurity within the food and beverage, pharmaceutical and energy generation sectors, among others. In his role as Director - BD & Alliances at Nozomi Networks, he leads the organization's strategic partnerships with OT OEMs and technology vendors.

Within the ICS cybersecurity community, he participates in international societies and standard bodies, including serving as an advisory board member to the ISA Global Cybersecurity Alliance (ISAGCA), a member of the Cybersecurity Committee of ISA’s Smart Manufacturing & IIoT Division and a contributor within the ISA99 standards development committee.

    Recent Posts

    Brighten Your Automation Future with ISA Self-Paced, Modular Training

    Related Posts

    What Does the Future of Zero Trust in OT Look Like?

    Zero trust principles have established themselves in the mindshare of cybersecurity practitioners worldwi...
    Jacob Chapman Dec 20, 2024 7:00:00 AM

    North American Electric Reliability Corporation Critical Infrastructure Protection (NERC CIP) and ISA/IEC 62443 Comparative Analysis

    The Utilities Technology Council and Cumulys recently prepared a report in partnership with the ISA Globa...
    Kara Phelps Dec 13, 2024 7:00:00 AM

    Securing PLCs Through the Backplane: Balancing Performance and Simplicity

    With the increasing convergence of operational technology (OT) and information technology (IT), the need ...
    Ashraf Sainudeen Dec 6, 2024 7:00:00 AM

    The International Society of Automation (ISA) is a non-profit professional association founded in 1945 to create a better world through automation. ISA advances technical competence by connecting the automation community to achieve operational excellence and is the trusted provider of standards-based foundational technical resources, driving the advancement of individual careers and the overall profession. ISA develops widely used global standards; certifies professionals; provides education and training; publishes books and technical articles; hosts conferences and exhibits; and provides networking and career development programs for its members and customers around the world.


    The material and information contained on this website is for general information purposes only. ISA blog posts may be authored by ISA staff and guest authors from the automation community. Views and opinions expressed by a guest author are solely their own, and do not necessarily represent those of ISA. Posts made by guest authors have been subject to peer review.

    We're on social media. Keep in touch!

    © 2024 International Society of Automation. All rights reserved.