Zero Trust Meets the Plant Floor: What the NSA ZIGs Mean for ICS/OT—and What’s Feasible Today
Zero Trust is no longer an abstract philosophy—it’s being operationalized into phased implementation playbooks. In January 2026, the U.S. National Security Agency (NSA) published Phase One and Phase Two of its Zero Trust Implementation Guidelines (ZIGs), designed to move organizations from “Discovery” to a defined Target-level Zero Trust maturity.[1]
That’s a big deal in enterprise IT. But what happens when you try to push the same rigor into industrial control systems and operational technology (ICS/OT)—down to Purdue levels 0–3, where deterministic control, safety constraints, and legacy device capability dominate?
This blog summarizes (1) what the NSA ZIGs are, (2) what is not feasible today in OT environments, and (3) what you can do now vs. what’s hard vs. what likely requires new technology.
1) What are the NSA Zero Trust Implementation Guidelines (ZIGs)?
The NSA Zero Trust Implementation Guidelines (ZIGs) are a structured, phased set of implementation activities intended to help practitioners achieve Target-level Zero Trust as defined by the U.S. Department of Defense/“Department of War” CIO Zero Trust framework. NSA’s press release describes Phase One and Phase Two as mapping “activities, requirements, precursors and successors,” emphasizing modularity and customization.[1]
A phased “activity model,” not a single checklist
The NSA ZIG program currently consists of:
The Primer explains how these phases organize the framework’s activities:
This is explicitly aligned to NIST SP 800-207 (Zero Trust Architecture) concepts and language.
The conceptual core: identity- and policy-driven enforcement
NIST SP 800-207’s framing is useful because it clarifies what “doing Zero Trust” tends to require in practice: moving from perimeter-based trust to explicit authentication and authorization (including device identity), making access decisions per-request, and using policy decision points (PDP) and policy enforcement points (PEP) as first-class architectural components.[2]
The ZIGs operationalize that into implementation guidance: they break down activities into tasks, list dependencies, and describe expected outcomes and end states—aimed at “skilled practitioners.”
So the ZIGs are best understood as a playbook for building:
…in a way that approaches “continuous verification” rather than “authenticate once, trust forever.”
2) What isn’t feasible today in ICS/OT environments?
If you try to implement the ZIGs “literally” down to Purdue levels 0–1 (sensors/actuators, PLCs/RTUs/IEDs), you quickly hit constraints that are structural, not merely “immature tooling.”
NIST’s OT security guide is blunt: some OT components (e.g., PLCs, controllers, HMI) may not support the technologies or protocols required to fully integrate with a Zero Trust Architecture, and therefore ZTA “will not be practical for some OT devices.” NIST recommends applying ZTA to compatible devices, typically found at higher functional levels (e.g., Purdue levels 3–5 and the OT DMZ).[3]
That single paragraph captures the heart of the issue: in OT, many lower-layer devices and workflows cannot tolerate the enforcement patterns and dependencies that enterprise Zero Trust assumes.
What breaks first: determinism, safety, and lifecycle reality
ICS/OT environments differ from IT in ways that directly oppose common ZT implementation patterns:
What is “not feasible” (today) at Purdue 0–1
In practical terms, the following are commonly not feasible across the bulk of installed ICS/OT at levels 0–1:
The right takeaway is not “Zero Trust doesn’t apply to OT.” It’s: Zero Trust must be implemented with OT-safe control points—often at boundaries, supervisory layers, and mediated access paths.
3) What’s achievable today vs. what’s difficult vs. what needs new technology in ICS/OT?
A workable strategy is to separate “Zero Trust principles” from “Zero Trust mechanics”:
Below is a practical capability map.
A) Brokered OT–IT connectivity via DMZ patterns
A modern best practice is to keep legacy/industrial control protocols inside isolated OT segments and broker OT–IT exchange through a DMZ, using secure interoperable protocols (e.g., OPC UA over TLS, MQTT over TLS, HTTPS) and historian replication patterns.[4]
This is “Zero Trust compatible” because you:
B) Strong user access controls for OT administration and remote access
Even if you cannot identity-enable every PLC, you can identity-enable the humans and systems that administer them:
This is standard practice in high-consequence environments. For example, NERC CIP-005-7 requires interactive remote access to use an Intermediate System such that the initiating asset does not directly access the target asset.[5]
C) Zero Trust for Purdue level 2–3 endpoints and services
Most plants can meaningfully apply ZT-style controls to:
This is aligned with NIST’s recommendation to apply ZTA more readily to the higher levels (e.g., Purdue 3–5 and the OT DMZ).[3]
A) PKI-based device identity at “controller scale”
Some industrial ecosystems support strong identity and encryption, but scaling it is the hard part.
Examples of technologies that can support stronger device identity/crypto:
However, the operations side is the barrier: enrollment, renewal, replacement workflows, revocation handling, and safe behavior under outage conditions. Without OT-friendly lifecycle tooling, PKI becomes fragile and labor-intensive.
B) Fine-grained microsegmentation inside OT cells
Segmentation at zone boundaries is doable. Microsegmentation inside a control cell—without breaking cyclic traffic, multicast/broadcast dependencies, and vendor support assumptions—requires deep traffic baselining, rigorous change control, and often vendor coordination.
C) Continuous monitoring that is “complete” enough for policy automation
OT teams can deploy logging and network monitoring at higher layers, but turning that into reliable automated enforcement (“orchestration”) is hard because false positives can have production consequences.
If “ZIG-level rigor” means pushing identity and policy deeper—into levels 1–0—the industry will need better primitives and safer defaults.
A) First-class device identity with safe lifecycle automation
OT needs device identity that is:
CIP Security’s work on profiles for constrained devices points in this direction, but broad adoption across the installed base is still limited.[7]
B) Signed/attested controller state and control logic
A future “ZT-native PLC” world would include:
Today, pieces exist in pockets, but it’s not yet a broadly interoperable norm.
C) Determinism-friendly cryptography and enforcement patterns
NIST highlights that encryption adds latency and may not suit all OT devices.[3]
Newer OT architectures need security mechanisms designed explicitly for bounded latency/jitter budgets, with engineered fail-safe behavior.
D) Policy enforcement that fails safely (not merely “fails closed”)
Enterprise ZT often prefers “deny by default.” OT often must “fail operational” in tightly defined scenarios. That implies a different enforcement design philosophy: safety-aware PEPs, graded modes, and predictable degradation.
A pragmatic interpretation is:
In other words: the NSA ZIGs are an excellent blueprint for where Zero Trust maturity is heading, but in ICS/OT, the “last mile” into Purdue 0–1 is constrained by physics, safety engineering, and the long tail of legacy control technology.
If you want more details, continue reading.
What NSA released and how the guidance is meant to be used
On Jan. 30, 2026, NSA published Phase One and Phase Two of its Zero Trust Implementation Guidelines (ZIGs) to outline the activities needed to reach “Target-level” Zero Trust maturity as defined by the DoW CIO Zero Trust Framework.[1]
A few framing points NSA makes up front:
How the ZIGs are organized (the “elements”)
1) The DoW CIO Zero Trust Framework alignment
The ZIGs are organized around the DoW CIO framework’s phased activity model. A key diagram shows:
2) Pillars → Capabilities → Activities
NSA’s methodology closely follows the framework structure:
3) What’s inside each Capability
For each capability, the ZIGs include:
4) What’s inside each Activity
Activities are presented in a structured “Activity Table” format that includes:
Then the ZIG expands each activity with:
5) Definitions, roles, and appendices
A few additional structural elements that matter in practice:
Drivers and mindset
The guidelines anchor Zero Trust adoption to U.S. government direction such as EO 14028 and NSM-8, and they describe a ZT mindset as assuming traffic/users/devices/infrastructure may be compromised—driving rigorous authentication/authorization and continuous validation.
The “Adopt a Zero Trust Mindset” section emphasizes practices like:
Guiding principles (NIST SP 800-207–aligned language)
NSA highlights core ZT principles as:
Design concepts (mission-driven and DAAS-centered)
NSA frames ZT architecture design around:
Strategic goals and enabling functions
The documents also reference four high-level strategic goals (as described in the DoW ZT strategy context):
ZT cultural adoption, secured and defended information systems, technology acceleration, and ZT enablement, and they call out policy and training as important enablers (even if not deeply handled in the ZIG scope).
The ZIGs use seven pillars (shown in the pillar diagram), with the intent that they work together:
NSA describes Phase One as 36 activities to build on/refine the environment and establish a secure foundation supporting 30 ZT capabilities in this phase.[1]
Below are practical highlights (by pillar) based on the Phase One contents:
User pillar: establish strong identity and privileged access foundations
Phase One includes capabilities/activities centered on:
Device pillar: inventory, manage, and continuously assess endpoints
Phase One emphasizes getting the endpoint/device baseline under control:
Application & Workload pillar: build a secure delivery pipeline and baseline workload controls
Phase One’s contents highlight:
Data pillar: governance + tagging + initial protection and monitoring
Phase One focuses heavily on data fundamentals needed for ZT policy:
Network & Environment pillar: map and segment
The Phase One contents emphasize the network steps you need before finer-grained policy can work:
Automation & Orchestration + Visibility & Analytics: start building the feedback loop
Phase One also includes early building blocks for scalable ZT operations:
NSA describes Phase Two as 41 activities that initiate integration of core ZT solutions inside the component environment and enable 34 capabilities specific to the phase.[1]
NSA’s own Phase Two “Purpose” section is explicit about the progression:
User pillar: conditional access, behavior/context, and stronger ICAM integration
Phase Two’s contents show a move toward richer access decisions:
Device pillar: compliance-to-connect, real-time inspection, BYOD/IoT, and XDR
Phase Two expands device controls toward continuous authorization:
Application & Workload pillar: automate remediation and validate continuously
Compared with Phase One’s baseline pipeline establishment, Phase Two highlights:
Data pillar: policy-driven storage/access and analytics-enforced protections
Phase Two’s contents show a shift from “standards + initial tooling” toward enforceable, integrated data policy:
Network & Environment pillar: more granular segmentation + protect data in transit
Phase Two pushes into deeper segmentation and transport protection:
Automation & Orchestration + Visibility & Analytics: operationalizing ZT with ML and baselining
Phase Two’s contents emphasize the operational maturity needed to run ZT continuously:
A useful way to interpret the two phases (based on NSA’s own wording) is:
Finally, NSA flags that Phase Two’s alignment may not perfectly match older NSA ZT CSI publications and notes an intent to update the CSIs in 2026 to better align with these ZIGs.
Implementing the NSA Zero Trust Implementation Guidelines (ZIGs) “as-written” all the way down into ICS/OT Purdue levels 0–3 runs into a hard reality: the ZIGs assume you can do identity-centric, policy-driven, continuously verified access control and telemetry across users, devices (including non-person entities), networks, and services—but many lower-layer OT components either can’t support those control points or can’t tolerate the latency/fragility of enforcing them inline.
NIST says this plainly in its OT security guide: some OT components (e.g., PLCs, controllers, HMI) may not support the technologies/protocols required to fully integrate with a Zero Trust Architecture, and therefore a ZTA “might not be practical for some OT devices”; it suggests applying ZTA to compatible devices typically found at Purdue Levels 3–5 and the OT DMZ instead.
Below is what tends to break, what can be done today, and what would likely require new(ish) OT product capabilities to achieve NSA-ZIG-like rigor at levels 0–3.
A few ZIG expectations become especially challenging in lower Purdue layers:
1) Centralized identity + MFA, and retiring local accounts
Phase One guidance explicitly emphasizes centralizing identities via an IdP/MFA and retiring local/built-in accounts, denying access if multiple factors aren’t presented.
That maps well to engineering workstations, jump hosts, historians, OT application servers—but much less well to PLCs, RTUs, safety controllers, and field devices that may only support local users, shared accounts, or vendor-specific mechanisms.
2) “Non-person entity” (device) identity, PKI, lifecycle management
Phase Two puts substantial weight on PKI governance and certificate lifecycle processes spanning User/Person Entities and Non-Person Entities.
In OT, doing true device identity at scale means you need (at minimum): device certificate enrollment, renewal, revocation handling, secure time, resilient key storage, and safe failure modes. Many legacy devices don’t have the compute, storage, UX, or maintenance model for this.
3) Defined policy enforcement points (PEPs/PDPs) and “cataloging” enforcement components
Phase Two also assumes you can enumerate and manage ZT components like PDPs, PEPs, PIPs and integrate them into a service catalog/CMDB.
In OT, you can do this at Level 2/3 and at cell/area boundaries, but you usually cannot insert a “PEP per resource request” in front of a time-critical PLC I/O cycle without risking operational impact.
Core constraint: timing, uptime, safety, and resource limits
NIST highlights OT’s time-critical/deterministic response requirements, high availability expectations, and resource constraints that often exclude “typical contemporary IT security capabilities,” warning that indiscriminate use of IT security practices can cause availability and timing disruptions and that adding resources/features “may not be possible.”
This is the single biggest reason “full ZIG-style ZT everywhere” collides with plant-floor reality.
Purdue Level 0 (field I/O: sensors/actuators)
Typical obstacles
What “ZIG-like” would look like
Bottom line
Purdue Level 1 (basic control: PLCs, RTUs, IEDs, controllers)
Typical obstacles
What can be supported today (selectively)
Modern industrial ecosystems are moving toward stronger cryptography/identity in some segments:
What remains hard
Purdue Level 2 (supervisory control: HMI, SCADA servers, engineering workstations)
This is where many ZIG practices become achievable—with OT-specific care.
What’s achievable now
What’s hard
Purdue Level 3 (site operations: historians, batch/MES interfaces, OT domain services, patch mgmt)
Level 3 is where you can implement a lot of “ZT plumbing” without touching Level 0/1 timing.
What’s achievable now
NIST shows the Purdue segmentation concept and the role of boundary devices/DMZs to control communications.
A practical way to reconcile ZIG expectations with OT constraints is to treat OT control protocols as toxic-to-route across trust boundaries, and instead broker data/services through controlled chokepoints.
A recent OT connectivity guidance document recommends:
That pattern is very compatible with ZIG ideas (least privilege, explicit authorization, strong enforcement points), because you move “policy enforcement” to places you can safely control.
Short answer
This aligns with NIST’s recommendation that full ZTA integration may not be practical for some OT devices and should focus on higher levels (L3–L5 + OT DMZ).
What “support” really means in OT
In OT, “supporting ZT” often means:
1) Typical manufacturer (discrete or process manufacturing)
Likely state: heterogeneous brownfield, long-lived PLCs, vendor remote support needs, flat-ish networks in pockets.
A realistic ZIG-to-OT implementation
Main obstacles
2) Hyperscale datacenter
There are two “OTs” here:
Practical picture
Common advantage
3) Power generation / grid environments
Power environments already have regulatory drivers around segmentation and controlled remote access. For example, NERC CIP requires for interactive remote access:
Where ZIG rigor fits
Main obstacles
It depends on consequence and threat model, not on whether the environment is “OT.”
A key OT takeaway from NIST is that security measures that impair safety/availability are unacceptable, and that OT environments are time-critical and resource constrained.
So OT ZT rigor must be applied selectively, with explicit safety and operational impact analysis.
What can be achieved today vs. what’s difficult vs. what needs new technology
Achievable today (high confidence)
1. Strong remote access controls2. Segmentation + brokered OT–IT data exchange
3. ZT for Level 2–3 endpoints
4. Selective “secure protocol islands”
Difficult today (but sometimes doable with constraints)
2. Device identity (PKI) at controller scale
3. Fine-grained microsegmentation inside control cells
Likely to require new or significantly improved OT technologies
4. Pervasive, interoperable controller/workcell identity
5. Signed/attested control logic and control actions
6. Determinism-friendly cryptography and enforcement patterns
7. Policy enforcement that fails safely
If you’re aiming for the spirit of the ZIGs in OT (minimize implicit trust, reduce lateral movement, make access explicit and auditable), the best practical approximation is:
Quantified Vulnerability Management (QVM) — Relevant when you need risk-based vulnerability prioritization and remediation planning.
Cyber Risk Quantification Management (CRQ) — Relevant when you need to quantify cyber risk in financial terms for decision-making and reporting.
[1] National Security Agency. “NSA Releases Phase One and Phase Two of the Zero Trust Implementation Guidelines.” Press Release, 30 Jan. 2026, https://www.nsa.gov/Press-Room/Press-Releases-Statements/Press-Release-View/Article/4393480/nsa-releases-phase-one-and-phase-two-of-the-zero-trust-implementation-guidelines/.
[2] Rose, Scott, Oliver Borchert, Stu Mitchell, and Sean Connelly. “Zero Trust Architecture.” NIST Special Publication 800-207, National Institute of Standards and Technology, Aug. 2020, https://nvlpubs.nist.gov/nistpubs/specialpublications/NIST.SP.800-207.pdf.
[3] Stouffer, Keith, Victoria Pillitteri, Suzanne Lightman, Marshall Abrams, and Adam Hahn. “Guide to Operational Technology (OT) Security.” NIST Special Publication 800-82 Revision 3, National Institute of Standards and Technology, Sept. 2023, https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r3.pdf.
[4] Internet Crime Complaint Center (IC3). “Secure Connectivity Principles for Operational Technology (OT).” Cybersecurity Advisory, 14 Jan. 2026, https://www.ic3.gov/CSA/2026/260114.pdf.
[5] North American Electric Reliability Corporation. “CIP-005-7 — Cyber Security – Electronic Security Perimeter(s).” Reliability Standard CIP-005-7, https://www.nerc.com/globalassets/standards/reliability-standards/cip/cip-005-7.pdf. Accessed 4 Feb. 2026.
[6] OPC Foundation. “UA Part 2: Security — Certificate Management.” OPC UA Online Reference (Version 1.04), https://reference.opcfoundation.org/Core/Part2/v104/docs/8. Accessed 4 Feb. 2026.
[7] ODVA. “CIP Security™ | Common Industrial Protocol.” ODVA Technology Standards, https://www.odva.org/technology-standards/distinct-cip-services/cip-security/. Accessed 4 Feb. 2026.
[8] OPC Foundation. “UA Part 2: Security — OPC UA Security Architecture.” OPC UA Online Reference (Version 1.04), https://reference.opcfoundation.org/Core/Part2/v104/docs/4. Accessed 4 Feb. 2026.