Particle.news

US Agencies Release Zero-Trust Guidance for Operational Technology

The document tailors security steps to systems that must keep running.

Overview

  • The CISA-led guide, released Wednesday, explains how to apply zero trust in operational technology that drives critical services.
  • Key steps include passive asset discovery, tight network segmentation, identity controls that fit legacy gear, jump-host remote access with MFA, and supply chain checks during procurement.
  • The authors note that many OT devices cannot run full security agents or support heavy scanning, so they call for lightweight telemetry on CPU, memory, processes, and configuration changes, along with DMZ staging servers for updates.
  • Healthcare is not named, yet hospital security teams can map the playbook to medical-device networks, including vendor access through jump hosts, session recording, vaulted credentials, and just-in-time approvals.
  • The guidance says zero trust will not erase OT risk and urges IT, OT, and engineering teams to align security work with safety procedures and recovery plans.