FBI issues zero trust OT guidance

- CISA, DOE, the Department of War, the FBI, and State Department published new OT zero-trust guidance on April 29, aimed at critical systems.
- The guide centers on asset visibility, supply-chain risk, identity controls, and segmentation — with Volt Typhoon named as the kind of threat already probing OT.
- It matters because OT still runs on inherited trust, but remote access and IT-OT links keep turning that trust into exposure.

Operational technology is the stuff that opens breakers, moves valves, starts turbines, and keeps physical systems running. That is why security advice for OT is always trickier than normal IT advice — you cannot just lock everything down and hope the plant survives. The news here is that CISA and federal partners put out a new guide on April 29, 2026 for applying zero trust to OT, which is basically a way to stop treating internal networks and connected systems as automatically safe.

### What changed this week?

The new document is called *Adapting Zero Trust Principles to Operational Technology*. CISA released it with the Department of War, Department of Energy, FBI, and Department of State. The guide is meant for OT owners, operators, and security teams trying to bring zero-trust ideas into industrial environments without breaking safety or uptime.

### What does “zero trust” mean here?

In plain English, it means you stop assuming that a user, device, network path, or application is trustworthy just because it is already inside the perimeter. OT environments were often built around exactly that assumption. But once those environments get remotely monitored, digitally connected, or linked back to enterprise IT, inherited trust becomes a liability.

### Why is OT the hard version?

Because OT is attached to physical processes. A bad IT security change might lock someone out of email. A bad OT security change can interrupt a refinery, a water system, or a power operation. The guide leans hard on that distinction — safety, reliability, and uninterrupted operations are not side constraints here. They are the design boundary.

### So what does the guide actually push?

Four things stand out. First, comprehensive asset visibility — you need to know what devices, software, and connections actually exist. Second, supply-chain risk controls, because industrial environments are full of vendor gear and third-party dependencies. Third, stronger identity and access management. Fourth, layered protections like segmentation, secure communications, and vulnerability management.

### Why are IT-OT links such a big deal?

Because the easiest path into an industrial environment is often not through some dramatic direct attack on a controller. It is through a trusted connection that was added for convenience — remote administration, centralized monitoring, vendor support, or data connections.

### Why mention Volt Typhoon?

Because this is not theoretical. CISA explicitly points to Volt Typhoon as an example of threat actors targeting OT systems to compromise, escalate, and maintain access in operational environments. That matters because the point of zero trust is not just preventing a login from the wrong person. It is limiting how far an attacker can move, what they can touch, and how long they can stay hidden after getting in.

### Is this just an IT framework pasted onto factories?

Not quite. The document keeps stressing adaptation. It says zero trust in OT has to account for legacy systems, technology gaps, and operational constraints that are normal in industrial environments. In other words, the government is not saying “copy cloud security into a plant.” It is saying “apply the principle, but respect the machinery.”

### What is the real takeaway?

The big shift is philosophical. OT security used to lean on zones of assumed trust — this network, this vendor path, this admin account. The new guidance says to assume breach instead, verify more continuously, and build systems so one trusted connection cannot become a full-environment compromise. That is a much harder model to implement, but for critical infrastructure.
