
RBAC vs ABAC in Cybersecurity: Which is more secure and when to use each?
May 8, 2025
Digital transformation has blurred the traditional boundaries between Information Technology (IT) environments and Operational Technology (OT) systems. What were once completely separate worlds are now inevitably connected. This OT-IT convergence brings efficiency, visibility, and centralized control… but also a critical challenge: industrial cybersecurity. One of the most robust approaches in IT environments is the Zero Trust model, but the inevitable question arises:
Is Zero Trust truly applicable in OT-IT environments?
The short answer is yes, but not without rigorous adaptation. Let’s explore why.
What is Zero Trust?
Zero Trust is not a tool or a specific technology. It’s a cybersecurity strategy based on the principle of “never trust, always verify.”
Its philosophy opposes the old perimeter-based security model. It is no longer enough to protect the network edge; every user, device, and connection must be authenticated, authorized, and continuously monitored, even if it’s “inside” the system.
In IT, Zero Trust is implemented through:
- Identity and Access Management (IAM)
- Network segmentation
- Multi-Factor Authentication (MFA)
- Behavioral analysis and continuous monitoring
- Context-based dynamic access policies
What Happens to Zero Trust Amid IT-OT Convergence?
The convergence of IT and OT is here to stay. Technologies such as:
- SCADA systems connected to corporate networks
- Real-time IIoT sensors
- PLCs accessible by remote technicians
- Cloud platforms for industrial analytics
…have shattered the separation that once protected OT environments. This offers numerous operational advantages but also vastly expands the attack surface.
This is where the Zero Trust model becomes relevant. But OT is not IT, and that brings unique challenges.
Why Can’t Zero Trust Be Applied Directly to OT?
Implementing Zero Trust in OT environments requires careful consideration of industrial-specific characteristics:
1. Legacy Systems and Insecure Protocols
Many industrial devices still operate with protocols like Modbus, DNP3, FTP, or TELNET, which lack encryption and authentication. They also don’t support agents or security updates.
2. Extreme Availability Requirements
In OT, system uptime is the top priority. Any security control that introduces latency or risk of downtime is operationally unacceptable.
3. Lack of Digital Identity in Industrial Assets
PLCs, RTUs, sensors, etc., cannot authenticate like modern IT devices. This complicates the implementation of identity-based policies.
4. Critical Yet Unprotected Remote Access
Vendors or maintenance technicians often connect remotely using VPNs or exposed RDP access, which completely violates the Zero Trust philosophy.
How to Realistically Apply Zero Trust in OT?
While it cannot be applied “out of the box”, Zero Trust can be adapted to OT environments with specific solutions that respect real-time, stability, and industrial compatibility requirements.
At Cosmikal, we achieve this through solutions like Endurance, which allows Zero Trust principles to be applied without modifying OT systems. Here’s how.
Zero Trust in OT-IT with Cosmikal’s Endurance
Endurance is a secure remote desktop environment equipped with PAM, VDI, DLP, IAM functionalities, and more. It is designed from the ground up to protect hybrid OT/IT environments. It enables robust multi-layer security between the user and the asset without touching or compromising industrial systems.
Let’s explore how Zero Trust is applied to OT through this solution:
Strong Authentication and Identity Control
All access to industrial infrastructure goes through a multi-factor authentication (MFA) process, even for internal users or integrators. There is no default “trusted user.”
Secured Remote Desktop
Instead of allowing direct access to a PLC, industrial switch, or SCADA interface, users connect to a fully secured and controlled remote desktop. Only mouse, keyboard, audio, and video signals are transmitted. The asset is never exposed to the network.
This protects against:
- Credential leakage
- Malicious commands
- VPN or RDP-implanted backdoors
- OT asset exposure to the internet
Segmentation and Contextual Control
Users can only see and access the specific OT resources assigned to them, and only for the necessary time. All sessions are video-recorded and linked to a specific request.
Protection of Insecure Protocols
Endurance encapsulates connections to services using insecure protocols (FTP, Telnet, VNC, HTTP, etc.) within its secured architecture. This enables safe management of legacy environments without exposing known vulnerabilities.
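One way to check the property this design relies on, that legacy-protocol services in the OT zone are reached only through the access broker, is to audit flow records. This is an added example, not Cosmikal's code; the subnet, broker address and flow records are constructed, and the ports are the protocols' well-known defaults.

```python
import ipaddress

# Default ports of the cleartext/unauthenticated services named in the article
LEGACY_PORTS = {21: "FTP", 23: "Telnet", 80: "HTTP", 502: "Modbus/TCP",
                5900: "VNC", 20000: "DNP3"}

# Assumptions (constructed): the OT zone subnet and the broker's address
OT_NET = ipaddress.ip_network("10.50.0.0/16")
BROKER = ipaddress.ip_address("10.10.1.5")

# Constructed flow records: (source, destination, destination port)
FLOWS = [
    ("10.10.1.5", "10.50.3.20", 502),     # broker to PLC: expected path
    ("192.168.7.44", "10.50.3.20", 502),  # office host straight to PLC
    ("10.50.3.21", "10.50.3.20", 502),    # OT-internal traffic: out of scope here
    ("203.0.113.9", "10.50.8.2", 23),     # external address to Telnet
    ("192.168.7.44", "10.50.8.2", 443),   # not a legacy port
    ("10.10.1.5", "10.50.8.2", 23),       # broker to Telnet: expected path
]

def audit(flows):
    """Return flows that reach a legacy service in the OT zone from outside
    the zone without passing through the broker."""
    findings = []
    for src, dst, port in flows:
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if d not in OT_NET or port not in LEGACY_PORTS:
            continue                      # not a legacy OT service
        if s in OT_NET or s == BROKER:
            continue                      # process traffic or brokered access
        findings.append((src, dst, LEGACY_PORTS[port]))
    return findings

if __name__ == "__main__":
    for finding in audit(FLOWS):
        print("unbrokered access:", finding)
```

Any finding means an asset is reachable over an unauthenticated protocol by a path that bypasses MFA and session recording.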
Practical Use Case
Remote SCADA Maintenance
Imagine an energy company where an external provider needs to remotely access a SCADA system for reconfiguration.
Without Zero Trust:
- A VPN port is opened.
- The provider logs in with a generic account.
- No activity logs are kept.
- If credentials are compromised, the attacker reaches the OT network’s core.
With Endurance (Adapted Zero Trust):
- The provider logs in with MFA.
- Connects via a secured remote desktop.
- Has permissions only for the specific SCADA.
- The session is monitored and recorded.
- SCADA is never exposed to the internet.
Result: Secure, traceable operation with no disruption.
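The controls in the second list can be expressed as a deny-by-default decision made for every session. This is an added example, not Endurance's implementation; the Grant and Session structures, field names and sample request are hypothetical.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

@dataclass(frozen=True)
class Grant:                # an approved maintenance request (hypothetical)
    request_id: str
    user: str
    asset: str
    not_before: datetime
    not_after: datetime

@dataclass(frozen=True)
class Session:              # a connection attempt seen by the broker (hypothetical)
    user: str
    asset: str
    mfa_verified: bool
    via_broker: bool        # arrived through the secured remote desktop
    recording_on: bool
    when: datetime

def decide(s: Session, grants: list[Grant]) -> tuple[bool, str]:
    """Deny by default; return (allowed, request id or denial reason)."""
    if not s.mfa_verified:
        return False, "MFA not completed"
    if not s.via_broker:
        return False, "direct path to asset not permitted"
    if not s.recording_on:
        return False, "session recording unavailable"
    matching = [g for g in grants if (g.user, g.asset) == (s.user, s.asset)]
    if not matching:
        return False, "no grant for this user and asset"
    for g in matching:
        if g.not_before <= s.when <= g.not_after:
            return True, g.request_id      # session is tied to this request
    return False, "grant expired or not yet active"

# Constructed sample data
T0 = datetime(2025, 5, 8, 9, 0, tzinfo=timezone.utc)
GRANTS = [Grant("REQ-0001", "vendor.tech", "scada-01", T0, T0 + timedelta(hours=2))]
BASE = dict(user="vendor.tech", asset="scada-01", mfa_verified=True,
            via_broker=True, recording_on=True, when=T0 + timedelta(minutes=30))

def demo() -> list[tuple[bool, str]]:
    """Evaluate the approved case, then four variations that must be denied."""
    cases = [{}, {"mfa_verified": False}, {"asset": "plc-07"},
             {"when": T0 + timedelta(hours=3)}, {"via_broker": False}]
    return [decide(Session(**{**BASE, **c}), GRANTS) for c in cases]
```

Returning the request ID on success is what lets the recording be linked to a specific approval, and refusing the session when recording is unavailable keeps every permitted action traceable.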
Conclusion
Yes, Zero Trust is applicable in OT-IT environments, but it requires adaptation. Applying the same rules used in IT is not enough. You need a strategy that respects real-time constraints, the fragility of legacy systems, and the need for constant availability.
At Cosmikal, we have years of experience implementing solutions that enable secure convergence. Endurance not only protects digital assets but also safeguards critical infrastructure, industrial devices, and SCADA systems, all while preserving the operational logic of the OT environment.
Want to know how to apply Zero Trust in your industrial environment?
Contact us.