Many operational technology (OT) environments still rely on legacy systems that were built decades ago, long before ransomware, supply chain attacks, and nation-state cyber threats became everyday concerns. Yet these same systems now support critical operations across many sectors, including manufacturing and public services.
As OT environments become increasingly connected to IT networks, cloud services, and remote access solutions, organizations face a difficult challenge:
How do you secure legacy OT systems that cannot be easily patched, upgraded, or replaced?
The answer is not to add more security tools. Instead, adopt a Zero Trust approach that assumes no device, user, application, or connection should be trusted by default.
Why legacy OT systems create security challenges
Unlike traditional IT environments, OT systems prioritize availability above all else. A software update that causes a production outage can have far greater consequences than a typical IT disruption.
Many organizations operate OT assets that:
- Run unsupported operating systems
- Cannot be regularly patched
- Use proprietary or insecure protocols
- Lack modern authentication capabilities
- Have limited visibility and monitoring
- Were originally designed for isolated environments
Historically, many OT networks relied on physical separation, or "air-gapping", as their primary security control. However, digital transformation initiatives, remote maintenance requirements, and IT/OT convergence have dramatically expanded connectivity and increased the attack surface.
As a result, attackers are increasingly targeting OT environments through ransomware campaigns, supply chain compromises, and credential-based attacks that begin in IT environments before moving laterally into operational networks. OT systems are particularly vulnerable because many legacy devices cannot support modern security controls, making prevention and containment critical.
Why traditional perimeter security falls short
Traditional security models assume that anything inside the network can be trusted. That assumption no longer holds true.
A compromised contractor account, infected laptop, or vulnerable remote access solution can provide attackers with a pathway into critical OT systems. Once inside, insufficient segmentation often allows attackers to move laterally throughout the environment.
For legacy OT systems, the challenge is even greater because organizations frequently cannot install endpoint protection agents or deploy modern security software directly on the devices themselves.
This is where Zero Trust becomes essential.
Applying Zero Trust to operational technology
Zero Trust is based on a simple principle: Ensure everything in your environment is explicitly verified.
Rather than granting broad access based on network location, Zero Trust continuously validates users, devices, applications, and communications before allowing access to critical resources.
While Zero Trust originated in IT environments, industry guidance increasingly recognizes its importance for OT environments as well. However, OT implementations must account for operational realities such as safety requirements, uptime demands, and legacy infrastructure constraints.
Organizations do not need to replace legacy OT systems to adopt Zero Trust. Instead, they can reduce risk by surrounding these systems with stronger security controls.
Build visibility
You cannot protect what you cannot see. One of the most common OT security challenges is incomplete asset visibility. Many organizations lack a definitive inventory of every controller, workstation, sensor, engineering station, and remote connection operating within their environment.
Before implementing Zero Trust controls, organizations should establish:
- A complete OT asset inventory
- Network communication maps
- Device ownership information
- Third-party access dependencies
- Criticality classifications
Comprehensive visibility provides the foundation for risk-based decision making and helps identify unmanaged devices that could become entry points for attackers.
Limit access with least privilege
One of the core principles of Zero Trust is least privilege access.
Users, applications, and systems should have access only to the resources required to perform their functions. This is particularly important in OT environments, where administrator accounts, engineering workstations, and vendor access often carry extensive privileges, and where credential theft attacks are increasingly successful.
Organizations should:
- Eliminate shared administrative accounts
- Restrict privileged access to approved personnel
- Implement role-based access controls
- Regularly review access permissions
- Limit third-party vendor access to specific systems and timeframes
By reducing unnecessary privileges, organizations significantly reduce the opportunities for attackers to escalate access after an initial compromise.
Segment and micro-segment OT networks
Network segmentation is one of the most effective ways to secure legacy OT environments. Rather than allowing unrestricted communication between systems, segmentation limits which devices can communicate with each other. Micro-segmentation takes this concept further by enforcing highly granular communication policies between individual assets.
For example, a programmable logic controller (PLC) may only be permitted to communicate with a specific engineering workstation or supervisory controller.
This approach reduces attack surfaces, limits lateral movement, and helps contain incidents before they impact critical operations. Industry guidance specifically highlights micro-segmentation as an effective way to support Zero Trust principles in environments with mixed trust levels and legacy systems.
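The deny-by-default policy described above, as an added example that is not code from the original article: a legacy PLC is permitted to talk only with its engineering workstation and supervisory host, and every other observed flow is flagged. Asset names, services, and the flow records are constructed assumptions; the unused-rule check supports the periodic access review the article calls for.

```python
"""Deny-by-default communication policy check for one OT cell (added example)."""
from __future__ import annotations
from dataclasses import dataclass

# Constructed allow-list: (source, destination, service). Anything not in
# this set is denied, which is the micro-segmentation stance around a PLC.
ALLOWED_FLOWS = {
    ("EWS-01", "PLC-01", "tcp/44818"),   # engineering workstation, EtherNet/IP
    ("SCADA-01", "PLC-01", "tcp/502"),   # supervisory host, Modbus/TCP polling
}

# Constructed flow records in "src dst service" form, as a network sensor
# or firewall might export them; not real traffic.
SAMPLE_FLOWS = """\
EWS-01 PLC-01 tcp/44818
SCADA-01 PLC-01 tcp/502
LAPTOP-CONTRACTOR PLC-01 tcp/502
PLC-01 FILESERVER-IT tcp/445
"""


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    service: str


def parse_flows(text: str) -> list[Flow]:
    """Parse whitespace-separated flow records, skipping blank lines."""
    return [Flow(*line.split()) for line in text.splitlines() if line.strip()]


def evaluate(flows: list[Flow], allowed=ALLOWED_FLOWS) -> tuple[list[Flow], list[Flow]]:
    """Split flows into (permitted, denied); any flow not explicitly listed is denied."""
    permitted, denied = [], []
    for f in flows:
        (permitted if (f.src, f.dst, f.service) in allowed else denied).append(f)
    return permitted, denied


def unused_rules(flows: list[Flow], allowed=ALLOWED_FLOWS) -> set[tuple[str, str, str]]:
    """Allow-list entries never seen in the flows: standing access worth removing."""
    seen = {(f.src, f.dst, f.service) for f in flows}
    return set(allowed) - seen


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    for f in evaluate(flows)[1]:
        # Expected: the contractor laptop polling the PLC, and the PLC opening SMB
        print(f"DENY  {f.src} -> {f.dst} {f.service}")
    for rule in unused_rules(flows):
        print("UNUSED RULE", rule)
```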
Control what runs in OT environments
Many OT attacks succeed because unauthorized activity is allowed to execute inside the environment. Legacy systems often cannot support traditional security agents, making application control particularly valuable.
By implementing a deny-by-default strategy, organizations can ensure that only approved applications, processes, and tools are allowed to run. This reduces the risk of ransomware, unauthorized utilities, malicious scripts, and living-off-the-land techniques frequently used by attackers.
Rather than attempting to identify every possible threat, organizations can focus on allowing only what is necessary for operations.
Secure remote access
Remote connectivity remains one of the most significant risks to OT environments. Vendors, contractors, and maintenance personnel often require access to operational systems, creating additional pathways for attackers.
Organizations should ensure that remote access:
- Is approved and documented
- Uses strong authentication
- Is limited to specific assets and functions
- Is continuously monitored
- Can be revoked immediately when no longer needed
Zero Trust principles require validating every remote connection regardless of whether the user is internal, external, or previously trusted.
Strengthen security without disrupting operations
A common misconception is that Zero Trust requires a complete modernization project. In reality, many of the most effective Zero Trust controls can be implemented around legacy systems without impacting production environments.
Organizations can improve security by:
- Enforcing least-privilege access
- Controlling application execution
- Segmenting critical systems
- Monitoring communications
- Restricting remote access
- Continuously validating trust relationships
This layered approach helps organizations strengthen security while maintaining the availability and reliability requirements that OT environments demand.
The future of OT security is Zero Trust
Legacy OT systems will remain part of critical operations for years to come. Replacing every unsupported controller, workstation, or industrial device is rarely practical. Security teams must therefore focus on reducing the risk these systems introduce.
Zero Trust provides a practical framework for protecting these environments by assuming compromise is possible and limiting what attackers can do when they gain access. Through visibility, least privilege, segmentation, application control, and continuous verification, organizations can significantly improve resilience without disrupting critical operations.
As IT and OT environments continue to converge, organizations that embrace Zero Trust principles will be better positioned to protect their operations, maintain uptime, and reduce the impact of modern cyber threats.