Barriers and Challenges to Implementing Zero Trust in OT Environments

Zero trust has become the preferred security approach for protecting digital assets; the core idea of “never trust, always verify” marks a stark departure from old-school perimeter security models. However, for those working in Operational Technology (OT), getting zero trust off the ground comes with a unique set of roadblocks that cannot be ignored.

The Legacy Anchor

OT systems rarely follow the refresh cycles that are standard in corporate IT. Walk into any power plant and you will find PLCs from the 1990s still running critical processes. These controllers predate modern security concepts: they have no authentication capability and were never designed with network segmentation in mind, because they come from a time when physical isolation was considered sufficient protection.

The reality for many industrial operations is stark: critical processes rely on legacy controllers installed decades ago. Replacing these systems would require costly downtime that most operations cannot justify from a business perspective. This creates a fundamental challenge when implementing zero-trust architectures, which typically assume modern system capabilities, including robust authentication and fine-grained access controls.

Availability as the Ultimate Priority

IT departments balance confidentiality, integrity, and availability according to business need. OT inverts that ordering: availability and safety come first, then integrity, and confidentiality last. A single minute of downtime in a factory, grid, or water facility translates directly into physical consequences: scrapped product, damaged equipment, or safety incidents that put people at risk and halt the business.

When security leaders propose new measures, operations teams inevitably ask what it will do to uptime. Zero-trust tooling cannot promise zero disruption during rollout, and in environments where five-nines availability (roughly five minutes of unplanned downtime per year) is the established standard, any control that might interrupt production meets substantial resistance.

The Protocol Problem

Modern zero-trust systems rely on secure authentication, encrypted communications, and identity management. Meanwhile, factory floors run on Modbus, PROFINET, and other industrial protocols created decades ago for reliability, not security. Modbus/TCP, for example, carries no authentication, integrity, or confidentiality at all: any host that can reach TCP port 502 on a controller can read and write its registers. These foundational protocols lack the basic security constructs that a zero-trust implementation expects to build on.

Adding authentication to these protocols means putting a gateway, proxy, or protocol-aware firewall in the path to the controller, and each of these is a new failure point and a source of latency. Most plant engineers would rather avoid those risks entirely. The protocol limitations are a significant technical barrier that cannot be overcome without architectural changes most organizations are reluctant to undertake.
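To make the protocol gap concrete, here is an added example (not from the original article and not any vendor's product) of the check a protocol-aware gateway in front of a Modbus/TCP controller would have to perform. It parses the MBAP header and function code, which is all the protocol carries; there is no field for a credential or a signature, so the only basis for a decision is the source address and what the request asks to do. The addresses, roles, policy table, and frames below are constructed for illustration.

```python
import struct
from dataclasses import dataclass
from typing import Tuple

MBAP_LEN = 7  # transaction id (2) + protocol id (2) + length (2) + unit id (1)

# Public Modbus function codes: reads versus writes.
READ_FCS = {0x01, 0x02, 0x03, 0x04}    # read coils / discrete inputs / registers
WRITE_FCS = {0x05, 0x06, 0x0F, 0x10}   # write coil(s) / register(s)


@dataclass
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function_code: int
    data: bytes


def parse_modbus_tcp(frame: bytes) -> ModbusRequest:
    """Parse a Modbus/TCP request. Note what is absent: no identity, no MAC, no nonce."""
    if len(frame) < MBAP_LEN + 1:
        raise ValueError("frame too short for MBAP header plus function code")
    tid, proto_id, length, unit_id = struct.unpack(">HHHB", frame[:MBAP_LEN])
    if proto_id != 0:
        raise ValueError(f"unexpected protocol id {proto_id}")
    # The length field counts everything after itself: unit id + PDU.
    if length != len(frame) - 6:
        raise ValueError("length field disagrees with frame size")
    return ModbusRequest(tid, unit_id, frame[MBAP_LEN], frame[MBAP_LEN + 1:])


# Hypothetical gateway policy keyed by source IP (constructed): which unit ids a
# host may address and which function codes it may use. Source IP is the only
# "identity" available, which is exactly the weakness the text describes.
POLICY = {
    "10.10.2.20": {"role": "hmi", "units": {1, 2}, "functions": READ_FCS},
    "10.10.2.30": {"role": "engineering", "units": {1, 2}, "functions": READ_FCS | WRITE_FCS},
}


def gateway_decision(src_ip: str, frame: bytes) -> Tuple[str, str]:
    """Return ('forward' | 'drop', reason) for one request arriving from src_ip."""
    try:
        req = parse_modbus_tcp(frame)
    except ValueError as exc:
        return "drop", f"malformed frame: {exc}"
    rule = POLICY.get(src_ip)
    if rule is None:
        return "drop", f"no policy for source {src_ip}"
    if req.unit_id not in rule["units"]:
        return "drop", f"{rule['role']} may not address unit {req.unit_id}"
    if req.function_code not in rule["functions"]:
        return "drop", f"{rule['role']} may not use function 0x{req.function_code:02X}"
    return "forward", f"{rule['role']} function 0x{req.function_code:02X} to unit {req.unit_id}"


# Constructed sample frames (not captured traffic).
READ_HOLDING = bytes.fromhex("0001 0000 0006 01 03 0000 000a")  # FC 3: read 10 registers from 0
WRITE_SINGLE = bytes.fromhex("0002 0000 0006 01 06 0010 0001")  # FC 6: write register 16 := 1
BAD_PROTO = bytes.fromhex("0003 0001 0006 01 03 0000 000a")     # protocol id 1 is invalid

if __name__ == "__main__":
    for src, frame in [("10.10.2.20", READ_HOLDING), ("10.10.2.20", WRITE_SINGLE),
                       ("10.10.2.30", WRITE_SINGLE), ("10.10.2.99", READ_HOLDING),
                       ("10.10.2.20", BAD_PROTO)]:
        print(src, *gateway_decision(src, frame))
```

The HMI's read is forwarded, the same HMI's write is dropped, the engineering host's write is forwarded, and an unknown source or a malformed header is dropped. Everything here hangs on a spoofable source address, which is why the text calls this a compensating measure rather than real authentication.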

Visibility Remains Elusive

You cannot protect what you cannot see. Zero trust begins with knowing every asset and connection on your network. Yet, industrial organizations struggle with basic inventory management. Surprise dependencies, undocumented changes, and equipment variety make this seemingly simple task extraordinarily difficult.

Network assessments routinely turn up legacy equipment communicating over undocumented channels, shadow IT systems, and network diagrams that no longer match reality. These discoveries complicate zero trust zone planning, as organizations realize their visibility into OT network communications is far less complete than they believed. The visibility gap often pushes implementation timelines out, because the foundational inventory work has to be done first.

Skills Gap at the Convergence Point

Implementing zero trust in factories requires unicorn employees who understand both cybersecurity and industrial operations, and these professionals remain hard to find. Security specialists often know little about operational constraints, while OT engineers often lack security architecture knowledge.

This talent shortage creates real problems when designing security measures that satisfy zero trust needs without disrupting production. Organizations frequently struggle to assemble teams with the cross-functional expertise necessary to navigate zero-trust implementation’s technological and operational challenges in industrial settings.

Governance Across the Divide

Many companies maintain separate rulebooks for OT security and IT security, each with different priorities and risk tolerances. Zero trust demands unified policies that respect operational realities while maintaining security standards. This governance fragmentation creates significant challenges in establishing consistent security standards across environments.

Zero-trust projects often stall in governance discussions. Security teams push for comprehensive controls such as universal multi-factor authentication, while operations leaders argue for exemptions during emergencies or critical processes. These fundamental differences in perspective frequently require executive intervention to resolve, and policy harmonization becomes a substantial barrier when departments operate under conflicting security and operational mandates.

The Path Forward: Pragmatic Zero Trust for OT

Despite these challenges, factories and utilities are making headway by taking a practical approach:

  1. Segmentation First: Grouping assets into zones by function and allowing only defined conduits between them (the zones-and-conduits model of IEC 62443) establishes security boundaries with minimal operational impact and gives later, finer-grained controls something to attach to.
  2. Incremental Authentication: Securing the key network boundaries (remote access, the IT/OT DMZ) before tackling device-level verification. This staged approach lets organizations validate controls before widespread deployment.
  3. Context-Aware Access: Developing rules that account for operational roles, emergencies, and process criticality, acknowledging the unique requirements of industrial operations rather than applying IT policy unchanged.
  4. Monitoring as Compensation: Where verification is not feasible, passive monitoring of which hosts talk to which controllers, and how, catches unusual behavior. This compensating control provides security value when full zero trust implementation hits technical barriers.
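The four steps above, as an added example in Python (not from the article and not any product's code): zones and conduits provide the segmentation decision, a baseline learned during an observation window provides the compensating monitoring, and a pre-enforcement check lists the observed flows the new policy would break, so they can be reviewed before anything is blocked. The zones, addresses, ports, and flow records are all constructed for illustration.

```python
import ipaddress
from collections import defaultdict
from typing import Dict, Iterable, List, Set, Tuple

Flow = Tuple[str, str, int]  # (source ip, destination ip, destination port)

# Constructed zones (not a real plant).
ZONES = {
    "control": ipaddress.ip_network("10.10.1.0/24"),      # PLCs / RTUs
    "supervisory": ipaddress.ip_network("10.10.2.0/24"),  # HMIs, historian
    "enterprise": ipaddress.ip_network("10.20.0.0/16"),   # corporate IT
}

# Conduits: the only (source zone, destination zone) pairs allowed to talk and
# the destination ports they may use. Anything not listed is denied, including
# the reverse direction of a listed pair.
CONDUITS: Dict[Tuple[str, str], Set[int]] = {
    ("supervisory", "control"): {502},      # Modbus/TCP polling of controllers
    ("enterprise", "supervisory"): {443},   # historian web access from IT
}


def zone_of(ip: str) -> str:
    """Map an address to its zone; anything outside every zone is 'unknown'."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "unknown"


def conduit_verdict(flow: Flow) -> str:
    """Step 1, segmentation: allow only flows that match a defined conduit."""
    src, dst, port = flow
    return "allow" if port in CONDUITS.get((zone_of(src), zone_of(dst)), set()) else "deny"


def build_baseline(observed: Iterable[Flow]) -> Set[Flow]:
    """Step 4, monitoring: record every (src, dst, port) triple seen in an observation window."""
    return set(observed)


def preenforcement_conflicts(baseline: Set[Flow]) -> Set[Flow]:
    """Observed flows the conduit policy would block; review these before enforcing."""
    return {f for f in baseline if conduit_verdict(f) == "deny"}


def classify(flow: Flow, baseline: Set[Flow]) -> str:
    """Segmentation decides first; a permitted flow from a never-seen pair raises an alert."""
    if conduit_verdict(flow) == "deny":
        return "deny"
    return "allow" if flow in baseline else "alert"


def triage(flows: Iterable[Flow], baseline: Set[Flow]) -> Dict[str, List[Flow]]:
    """Group a batch of flow records by verdict."""
    summary: Dict[str, List[Flow]] = defaultdict(list)
    for f in flows:
        summary[classify(f, baseline)].append(f)
    return dict(summary)


# Constructed observation window: the HMI and historian poll a PLC, IT reads the
# historian, and an engineer on the corporate LAN has been polling the PLC directly.
OBSERVED: List[Flow] = [
    ("10.10.2.20", "10.10.1.10", 502),
    ("10.10.2.40", "10.10.1.10", 502),
    ("10.20.5.7", "10.10.2.40", 443),
    ("10.20.5.7", "10.10.1.10", 502),
]
BASELINE = build_baseline(OBSERVED)

# Constructed flows after the policy is in place.
NEW_FLOWS: List[Flow] = [
    ("10.10.2.20", "10.10.1.10", 502),   # known HMI poll -> allow
    ("10.10.2.55", "10.10.1.10", 502),   # permitted conduit, never-seen host -> alert
    ("10.20.5.7", "10.10.1.10", 502),    # in baseline, but no conduit -> deny
    ("10.10.1.10", "10.20.5.7", 443),    # PLC reaching out to IT -> deny
    ("192.168.50.9", "10.10.1.10", 502), # address outside every zone -> deny
    ("10.20.5.7", "10.10.2.40", 443),    # known IT -> historian -> allow
]

if __name__ == "__main__":
    print("would break on enforcement:", preenforcement_conflicts(BASELINE))
    for verdict, flows in triage(NEW_FLOWS, BASELINE).items():
        print(verdict, flows)
```

The pre-enforcement check is the part practitioners care about most: the engineer's direct polling of the PLC shows up as a conflict before the conduit is enforced, which is the moment to move that workflow behind the supervisory zone rather than discover the breakage on the plant floor. The alert for the never-seen host illustrates the compensating control: the conduit permits Modbus from the supervisory zone, so only the baseline notices that a new machine has started talking to a controller.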

The real question is not whether zero trust belongs in industrial settings. Instead, it is how we thoughtfully modify these principles for environments where physical processes, old technology, and operational demands create an entirely different security landscape.