Zero Trust vs. Near Zero Trust in ICS/OT: A Safety-Driven Approach to Industrial Cybersecurity

Introduction

Zero Trust has become a cornerstone of modern cybersecurity, built on a simple principle:

“Never trust, always verify.” While this model works effectively in IT environments, applying it directly to Industrial Control Systems (ICS) and Operational Technology (OT) is not straightforward. OT environments are not just digital systems: they directly control physical processes, where an incorrect decision can impact:

  • Human safety 
  • Production 
  • Equipment 
  • The environment 

This fundamental difference requires a different cybersecurity mindset.

IT vs. OT: A Fundamental Shift in Priorities

In traditional IT environments, cybersecurity is built around the well-known CIA triad:

  • Confidentiality: Protecting data from unauthorized access 
  • Integrity: Ensuring data is accurate and trustworthy 
  • Availability: Ensuring systems and data are accessible when needed 

However, in OT environments the priorities are reordered, because the systems interact directly with physical processes and critical infrastructure:

  • Availability: Ensuring continuous operation of systems and processes 
  • Integrity: Maintaining accurate and reliable control of physical assets 
  • Confidentiality: Usually the lowest priority, since most process data is of limited value to an attacker compared with the ability to disrupt or manipulate the process 

These priorities are driven by a higher-level objective:

  • Safety of personnel 
  • Protection of equipment and industrial assets 
  • Preservation of the environment

Key Insight: In OT, safety always overrides security. 

Why “Pure” Zero Trust Doesn’t Fit OT

A strict Zero Trust implementation can introduce operational risks in industrial environments:

  • Operator lockouts during critical situations 
  • Delays caused by MFA or authentication challenges 
  • Blocking legitimate control traffic due to false positives 
  • Latency from deep inspection or inline enforcement 

In IT these are acceptable trade-offs; in OT they can lead to:

  • Process disruption
  • Loss of visibility
  • Unsafe operating conditions

Introducing “Near Zero Trust”

To bridge this gap, we introduce a more practical model:

Definition

Near Zero Trust is the controlled, context-aware application of Zero Trust principles, ensuring that no security control compromises safety or operational continuity.

It is not about rejecting Zero Trust, but about adapting it to industrial reality.

Applying Near Zero Trust Across Purdue Levels

A layered approach aligned with the Purdue Model provides the right balance:


Level 3.5 – Industrial Demilitarized Zone

  • Secure remote access, brokered through the IDMZ so that no session passes directly from the enterprise network to Level 3 and below 
  • Jump servers & Privileged Access Management (PAM): the natural place for MFA and session recording, away from the operator's real-time path 

Level 3 – Operations / Process Management

  • Strongest candidate for Zero Trust enforcement: servers at this level (historians, engineering servers, site-wide operations systems) are IT-like and sit outside the real-time control path 
  • Network segmentation and monitoring 

Level 2 – Supervisory Control (SCADA / HMI)

  • Controlled and limited enforcement 
  • Focus on monitoring over blocking 
  • Avoid latency-sensitive controls 

Practical insight:

  • Apply stricter controls on Engineering Workstations (EWS), which can change controller logic and configuration 
  • Maintain operational flexibility for Operator Workstations (OWS), which must remain usable without delay during an emergency 

Level 1 – Process Control (PLCs)

  • No Zero Trust enforcement: no identity challenges or inline anomaly-based blocking in the controller path 
  • Focus on deterministic communication: known peers, known protocols, predictable timing 
  • Use segmentation and isolation: static allowlists at the zone boundary rather than adaptive, per-session decisions 

Design Principles of Near Zero Trust

An effective OT cybersecurity strategy should follow:

  • Process-aware design 
  • Fail-safe operation 
  • Monitoring over blocking (in critical layers) 
  • Segmentation over heavy inspection 
  • Minimal latency & deterministic communication 

Reality Check: Emergency Scenario

During an emergency:

  • Operators must react immediately 
  • Any delay can be critical 

Security mechanisms such as:

  • MFA prompts 
  • Session validation 
  • Traffic filtering 

can all add to response time, and in OT even seconds of delay can escalate into a safety incident.

Alignment with ISA/IEC 62443

Near Zero Trust aligns naturally with ISA/IEC 62443, especially with its requirements for:

  • Maintaining essential functions (IEC 62443-3-3 requires that security countermeasures do not deny them) 
  • Ensuring system availability under abnormal conditions 
  • Applying security controls without disrupting operations 

Mapping Zero Trust Concepts to IEC 62443

  • Strong identity → FR1 (Identification and authentication control) / FR2 (Use control) 
  • Secure communications → FR3 (System integrity) / FR4 (Data confidentiality) 
  • Network segmentation → FR5 (Restricted data flow) 
  • Continuous monitoring → FR6 (Timely response to events) 
  • Availability under abnormal conditions → FR7 (Resource availability) 
  • Least privilege → SR 2.1 (Authorization enforcement, IEC 62443-3-3) / SP.03.08 (IEC 62443-2-4) 

When Security Becomes the Risk

A real-world scenario highlights this challenge:

  • A firewall with strict anomaly detection was deployed 
  • During a process upset: 
    • Traffic patterns changed 
    • Legitimate traffic was flagged as malicious 
    • Communication was blocked 

Result:

  • Loss of operator visibility 
  • Delayed response 
  • Increased operational risk 

In OT, false positives are not just alerts, they can become safety incidents.
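As an added illustration of the layered enforcement described in the Purdue section above and of the anomaly-detection incident in this section (example code, not from the original article and not CS4 or DTS Solution's tooling): a small Python policy function that decides, per flow, whether to allow, alert or block. Static segmentation is enforced at every level, but a rate anomaly on an otherwise legitimate flow becomes an alert rather than a block whenever the path touches Level 1 or 2, with engineering workstations as the stricter exception. All addresses, ports, baselines and the anomaly threshold are constructed assumptions for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Hypothetical Purdue-level addressing for one site (constructed for this example).
LEVEL_OF_NETWORK = {
    ip_network("10.1.0.0/24"): 1.0,   # Level 1: PLCs / controllers
    ip_network("10.2.0.0/24"): 2.0,   # Level 2: HMI / SCADA workstations
    ip_network("10.3.0.0/24"): 3.0,   # Level 3: historian, operations servers
    ip_network("10.35.0.0/24"): 3.5,  # Level 3.5: IDMZ jump servers
}
# Engineering workstations can change controller logic, so they get stricter handling.
EWS_HOSTS = {ip_address("10.2.0.50")}

# Static segmentation: the deterministic conversations allowed to cross a zone boundary,
# keyed as (src_net, dst_net, dst_port). Anything else is blocked at every level; this is
# plain allowlisting, not an adaptive Zero Trust decision. Values are normal-operation
# baselines in packets/second (constructed numbers).
ALLOWED_FLOWS = {
    (ip_network("10.2.0.0/24"), ip_network("10.1.0.0/24"), 502): 20.0,    # HMI/EWS -> PLC, Modbus/TCP
    (ip_network("10.3.0.0/24"), ip_network("10.2.0.0/24"), 5432): 50.0,   # historian pulls from SCADA
    (ip_network("10.35.0.0/24"), ip_network("10.3.0.0/24"), 3389): 5.0,   # jump server -> Level 3 RDP
}
ANOMALY_FACTOR = 5.0  # an observed rate above factor * baseline counts as an anomaly


@dataclass
class Flow:
    src: str
    dst: str
    dst_port: int
    pps: float  # observed packets/second in the current window


def purdue_level(addr: str) -> Optional[float]:
    a = ip_address(addr)
    for net, level in LEVEL_OF_NETWORK.items():
        if a in net:
            return level
    return None


def matching_rule(flow: Flow):
    src, dst = ip_address(flow.src), ip_address(flow.dst)
    for rule in ALLOWED_FLOWS:
        src_net, dst_net, port = rule
        if src in src_net and dst in dst_net and flow.dst_port == port:
            return rule
    return None


def decide(flow: Flow) -> Tuple[str, str]:
    """Return (verdict, reason); verdict is one of "allow", "alert", "block"."""
    rule = matching_rule(flow)
    if rule is None:
        # Segmentation is enforced everywhere, including Level 1: off-allowlist traffic
        # is blocked regardless of how "trusted" the source claims to be.
        return "block", "not on the segmentation allowlist"
    if flow.pps <= ANOMALY_FACTOR * ALLOWED_FLOWS[rule]:
        return "allow", "allowed flow within baseline"
    # A legitimate flow behaving unusually, e.g. an HMI polling hard during a process upset.
    levels = [lvl for lvl in (purdue_level(flow.src), purdue_level(flow.dst)) if lvl is not None]
    lowest = min(levels) if levels else 99.0
    if lowest <= 2.0 and ip_address(flow.src) not in EWS_HOSTS:
        # Monitoring over blocking: in the Level 1/2 path an anomaly raises an alert while
        # the control traffic keeps flowing, so operators never lose visibility.
        return "alert", "rate anomaly in a Level 1/2 path; monitor, do not block inline"
    return "block", "rate anomaly on a Level 3+ path or from an engineering workstation"


def decide_flow(src: str, dst: str, dst_port: int, pps: float) -> str:
    return decide(Flow(src, dst, dst_port, pps))[0]


def run_demo() -> List[Tuple[str, str]]:
    """Constructed flow records covering normal operation, a process upset and a bypass."""
    samples = [
        Flow("10.2.0.10", "10.1.0.5", 502, 15.0),     # OWS polling a PLC at a normal rate
        Flow("10.2.0.10", "10.1.0.5", 502, 400.0),    # same OWS during a process upset (20x)
        Flow("10.2.0.50", "10.1.0.5", 502, 400.0),    # same burst, but from the EWS
        Flow("10.35.0.7", "10.1.0.5", 502, 1.0),      # jump server going straight to a PLC
        Flow("10.35.0.7", "10.3.0.20", 3389, 200.0),  # jump server hammering a Level 3 host
    ]
    return [decide(f) for f in samples]


if __name__ == "__main__":
    for verdict, reason in run_demo():
        print(f"{verdict:5s}  {reason}")
```

The second sample is the scenario from this section: the operator workstation's Modbus/TCP polling jumps to twenty times its baseline during a process upset. With this policy the result is an alert for the SOC, not a dropped connection, so operator visibility survives the upset; the identical burst from the engineering workstation, and the jump server bypassing Level 3 to reach a PLC directly, are still blocked.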

Our Approach: Near Zero Trust, not blind Zero Trust

At CS4 from DTS Solution, cybersecurity is approached from a process-aware engineering perspective:

  • Security aligned with industrial processes 
  • Controls evaluated based on operational impact 
  • Architecture designed using Purdue segmentation 
  • Solutions implemented without compromising safety 

Conclusion

Zero Trust is powerful, but in OT it must be applied with engineering judgment.

The goal is not to eliminate trust entirely, but to apply it intelligently within safe operational boundaries, because in OT the mission is always the same: safe, reliable, and continuous operations.

