CISA, the FBI and the Departments of Defense, Energy and State co-authored the publication on Wednesday for operators of industrial systems.
It urges governance and supply-chain oversight, asset tracking, threat analysis, network segmentation, identity controls, secure remote access, vulnerability management and encryption tailored to OT constraints.
The guidance says legacy systems, safety requirements and limited downtime make OT different from IT, requiring layered compensating controls and closer collaboration across IT, OT and cybersecurity teams.
With so many unpatched OT vulnerabilities and exposed devices, is zero trust enough to stop the next wave of nation-state cyberattacks?
How can organizations overcome the deep-rooted IT/OT culture gap to make zero trust work in real-world industrial environments?
2026 Federal Zero Trust Mandate: Adapting Cybersecurity for Legacy Operational Technology Systems
Overview
In April 2026, U.S. federal agencies released groundbreaking Zero Trust guidance tailored for Operational Technology (OT) to address unique challenges such as aging legacy systems, limited visibility, and the critical need for uninterrupted operations. The guidance responds to escalating cyber threats targeting critical infrastructure, highlighted by the 2025 water plant attacks, which exploited weak credentials and poor network segmentation. It emphasizes collaboration between IT, OT, and cybersecurity teams, and advocates adapted strategies such as passive monitoring and soft segmentation to protect fragile OT environments. Despite concerns over resource gaps and implementation hurdles, the guidance marks a pivotal policy shift, driving industry standards, supply chain security, and workforce development to enhance national infrastructure resilience.