Analysis of the Feasibility and Benefit of Applying Zero Trust Paradigm to Operational Technology Systems

Active / Technical Report | Accession Number: AD1224848

Abstract:

In response to evolving business demands, modern operational technology (OT) systems are increasingly exposed to external information technology (IT) environments. Consequently, their vulnerability to contemporary cybersecurity threats from legacy software and hardware necessitates proactive measures. While the Zero Trust (ZT) paradigm, outlined in NIST SP 800-207, has been embraced within IT systems, its use in OT systems remains largely uncharted. This work assessed the applicability of the ZT architectural model to modernize and secure critical OT systems. Our methodology commenced by defining requirements for OT systems, focusing on enabling remote access and bring your own device (BYOD). We then conducted threat modelling to identify potential vulnerabilities and formulated a cybersecurity policy for a water treatment plant. We designed the ZT-OT architecture, which applies the ZT tenets to protect a water treatment OT system. This architecture was evaluated against real-world use cases and preliminary results showed that a ZT approach can help mitigate vulnerabilities associated with remote access and BYOD threats in specific cases. Yet, limitations surfaced concerning legacy components and ZT effects on normal operation. This research advances security in water treatment OT systems across governmental and industrial domains, offering insights into ZT potential and challenges.

Security Markings

DOCUMENT & CONTEXTUAL SUMMARY

Distribution Code:
A - Approved For Public Release
Distribution Statement: Public Release.
Copyright: Not Copyrighted

RECORD

Collection: TRECMS
Subject Terms