What is Zero Trust Architecture (ZTA)?
Zero Trust Architecture (ZTA) is a security model in which no user, application or device is automatically trusted, regardless of whether it is inside or outside the network. Access is only granted after thorough verification and continuous assessment.
In OT, Zero Trust means that access to systems such as SCADA, PLCs or Engineering Stations must be constantly checked, logged and limited — even within your own perimeter.
🧠 Core principles of Zero Trust
- Never trust, always verify – Every action requires explicit authentication and authorisation
- Least privilege access – Access is restricted to what is strictly necessary
- Microsegmentation – Networks are divided into small, secure zones
- Continuous validation – Identity, device posture and behaviour are continuously monitored
- Identity-driven policy – Access is based on who or what you are, not where you are
🔐 Zero Trust in OT environments
| Principle | Application in industrial systems |
|---|---|
| Strong authentication | Access to SCADA and HMI requires password + MFA |
| Jump Server | External access only via controlled access paths |
| Microsegmentation | OT network split per function or risk profile |
| Monitoring and logging | Every action by users or systems is recorded |
| Temporary rights | Technicians only get temporary access to systems |
Zero Trust is particularly important for remote access, supply chain integrations and segmentation of mixed IT/OT networks.
✅ Key components of ZTA
| Component | Function |
|---|---|
| Identity & Access Management | Management of users, roles and authentication |
| Device Trust & Inventory | Verifying that devices are trusted and up to date |
| Anomaly detection | Recognising abnormal behaviour or unusual network activity |
| Logging & auditing | Full overview of who does what and when |
| Policy and authorisation | Access based on context: location, time, role, device status |
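The core principles above and the components in this table come together in a policy decision point: a single place that checks identity, MFA, device posture, access path, role and time-bound grants on every request and logs the outcome. The following Python sketch is an added example, not code from the original page; the roles, asset classes, host names and grant windows in it are constructed for illustration, and the rule set is deliberately default-deny so that anything not explicitly permitted is refused.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

# Constructed policy: which role may perform which actions on which class of
# OT asset. Anything not listed is denied (least privilege, default deny).
POLICY = {
    ("operator", "hmi"): {"view", "acknowledge_alarm"},
    ("engineer", "hmi"): {"view"},
    ("engineer", "plc"): {"view", "download_logic"},
    ("vendor", "plc"): {"view"},
}

# Actions that alter process state additionally need an explicit, time-bound grant.
HIGH_RISK_ACTIONS = {"download_logic"}

AUDIT_LOG: list[dict] = []  # every decision, allowed or denied, is appended here


@dataclass
class AccessRequest:
    subject: str            # who (identity), e.g. a named technician account
    role: str               # role bound to that identity
    mfa_verified: bool      # strong authentication completed for this session
    device_managed: bool    # device is in the inventory and under management
    device_patched: bool    # device posture: current patch level
    via_jump_server: bool   # request arrived over the controlled access path
    asset: str              # target system, e.g. "PLC-17" (constructed name)
    asset_class: str        # "hmi", "plc", ...
    action: str
    now: datetime
    grant_valid_until: Optional[datetime] = None  # temporary-rights window, None = no grant


@dataclass
class Decision:
    allowed: bool
    reasons: list[str] = field(default_factory=list)


def evaluate(req: AccessRequest) -> Decision:
    """Policy decision: every condition is checked on every request. Network
    location is deliberately not an input (identity-driven, not perimeter-driven)."""
    reasons: list[str] = []

    if not req.mfa_verified:
        reasons.append("mfa_required")
    if not (req.device_managed and req.device_patched):
        reasons.append("device_posture_failed")
    if not req.via_jump_server:
        reasons.append("jump_server_required")

    permitted = POLICY.get((req.role, req.asset_class), set())
    if req.action not in permitted:
        reasons.append("action_not_permitted_for_role")

    if req.action in HIGH_RISK_ACTIONS:
        if req.grant_valid_until is None or req.now >= req.grant_valid_until:
            reasons.append("temporary_grant_missing_or_expired")

    decision = Decision(allowed=not reasons, reasons=reasons)
    # Logging & auditing: who, what, when and why, for allowed and denied alike.
    AUDIT_LOG.append({
        "time": req.now.isoformat(),
        "subject": req.subject,
        "asset": req.asset,
        "action": req.action,
        "allowed": decision.allowed,
        "reasons": list(reasons),
    })
    return decision


def demo() -> tuple[Decision, Decision]:
    """Two constructed requests from the same engineer: one inside a valid
    two-hour grant window, one an hour after it has expired."""
    now = datetime(2024, 6, 1, 10, 0, tzinfo=timezone.utc)
    base = dict(subject="j.smith", role="engineer", mfa_verified=True,
                device_managed=True, device_patched=True, via_jump_server=True,
                asset="PLC-17", asset_class="plc", action="download_logic")
    in_window = evaluate(AccessRequest(**base, now=now,
                                       grant_valid_until=now + timedelta(hours=2)))
    expired = evaluate(AccessRequest(**base, now=now + timedelta(hours=3),
                                     grant_valid_until=now + timedelta(hours=2)))
    return in_window, expired


if __name__ == "__main__":
    ok, denied = demo()
    print("inside grant window:", ok)
    print("after grant expiry :", denied)
    print("audit entries      :", len(AUDIT_LOG))
```

The point of collecting all reasons rather than returning on the first failure is that the audit log then shows exactly which controls a denied request would have needed, which is what an incident responder or auditor wants to see.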
🔁 Relationship with standards
| Standard | Relevance to Zero Trust |
|---|---|
| NIST SP 800-207 | Reference model for Zero Trust Architecture |
| IEC 62443-3-3 | Requirements regarding access, detection, segmentation in industrial networks |
| ISO 27001 | Identity management, access control, logging and policy |
| NIS2 | Mandatory measures regarding access management and network security |
📦 IT vs. OT in Zero Trust
| IT (classic ZTA) | OT application of ZTA |
|---|---|
| VPN with device posture checks | Jump Server with identity verification for field access |
| MFA for web applications | MFA for SCADA/HMI remote access |
| Microsegmentation in data centres | Segmentation of OT per function (SCADA, Historian, PLC) |
| Real-time user behaviour analytics | OT anomaly detection with protocol awareness (e.g. Modbus) |
Zero Trust in OT calls for tailoring: restrictions must not disrupt production processes, but must still mitigate risk.
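"OT anomaly detection with protocol awareness (e.g. Modbus)" from the table above differs from IT user behaviour analytics in that the monitor has to understand the industrial protocol itself: Modbus/TCP carries no authentication, so a passive monitor that decodes the MBAP header and function code and compares them against what is expected on the segment is the compensating control. The following Python example is added here and is not code from the original page; the IP addresses, the baseline of function codes and the captured frames are all constructed for illustration.

```python
import struct

# Modbus function codes that change process state (subset used in this example).
WRITE_FUNCTIONS = {5: "Write Single Coil", 6: "Write Single Register",
                   15: "Write Multiple Coils", 16: "Write Multiple Registers"}

# Constructed baseline: function codes normally observed on this segment, and the
# only host (an engineering station) that is allowed to issue writes at all.
BASELINE_FUNCTIONS = {1, 2, 3, 4, 6, 16}
ENGINEERING_HOSTS = {"10.10.20.5"}


def parse_modbus_tcp(frame: bytes) -> dict:
    """Decode the 7-byte MBAP header and the function code that follows it."""
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header plus function code")
    transaction_id, protocol_id, length, unit_id = struct.unpack(">HHHB", frame[:7])
    return {
        "transaction_id": transaction_id,
        "protocol_id": protocol_id,   # always 0 for Modbus
        "length": length,             # bytes following the length field (unit id + PDU)
        "unit_id": unit_id,
        "function": frame[7],
        "data": frame[8:],
    }


def analyse(src_ip: str, frame: bytes) -> list[str]:
    """Return alert names for one request; an empty list means nothing unusual."""
    alerts: list[str] = []
    try:
        pdu = parse_modbus_tcp(frame)
    except ValueError:
        return ["malformed_frame"]
    if pdu["protocol_id"] != 0:
        alerts.append("non_modbus_protocol_id")
    if pdu["length"] != len(frame) - 6:
        alerts.append("mbap_length_mismatch")
    fc = pdu["function"]
    # Who is writing matters more than whether writes occur: writes from anything
    # other than the engineering station are the signal worth alerting on.
    if fc in WRITE_FUNCTIONS and src_ip not in ENGINEERING_HOSTS:
        alerts.append(f"write_from_unauthorised_host:{WRITE_FUNCTIONS[fc]}")
    # A function code never seen on this segment is unusual regardless of source.
    if fc not in BASELINE_FUNCTIONS:
        alerts.append(f"function_outside_baseline:{fc}")
    return alerts


# Constructed traffic: (source ip, raw Modbus/TCP request) as a passive monitor
# would capture it. Hex is spaced for readability: MBAP header, unit id, PDU.
SAMPLE_TRAFFIC = [
    # HMI reads 10 holding registers from unit 1: normal.
    ("10.10.20.50", bytes.fromhex("0001 0000 0006 01 03 0000 000a".replace(" ", ""))),
    # Engineering station writes register 0x0010: permitted host, in baseline.
    ("10.10.20.5", bytes.fromhex("0002 0000 0006 01 06 0010 00ff".replace(" ", ""))),
    # Unknown host writes the same register: unauthorised write.
    ("10.10.30.77", bytes.fromhex("0003 0000 0006 01 06 0010 0000".replace(" ", ""))),
    # HMI sends diagnostics (function 8): not in the learned baseline.
    ("10.10.20.50", bytes.fromhex("0004 0000 0006 01 08 0000 0000".replace(" ", ""))),
]


def run(traffic=SAMPLE_TRAFFIC) -> list[tuple[str, list[str]]]:
    """Analyse every captured request and pair it with its alerts."""
    return [(src, analyse(src, frame)) for src, frame in traffic]


if __name__ == "__main__":
    for src, alerts in run():
        print(f"{src:12} {'OK' if not alerts else ', '.join(alerts)}")
```

The baseline and host allowlist are the tailoring the page refers to: they are learned from the plant's own normal traffic, so a legitimate engineering write stays silent while the same function code from an unexpected host, or a function code the segment has never used, is raised for investigation without blocking anything in the process.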
📌 In summary
Zero Trust Architecture is a modern security principle that assumes no entity is trusted without verification. In OT environments, ZTA helps to limit external access, lateral movement, insider threats and misconfigurations through segmentation, access restrictions and continuous monitoring.
