How agencies can secure operational technology in a zero trust world
From water plant breaches to ransomware targeting energy grids, recent headlines highlight a growing blind spot in cybersecurity: operational technology (OT). In July 2025, Michigan State Police and the Great Lakes Water Authority began investigating a potential breach of a monitoring and reporting system at one of the authority’s water treatment facilities in Detroit. The lesson is plain: physical infrastructure is now in the crosshairs of cyber adversaries, yet much of America’s OT remains unprepared. Many agencies and infrastructure operators still rely on outdated, siloed defenses that were never built for today’s threat landscape.
To help agencies act, the Cybersecurity and Infrastructure Security Agency recently released an updated Zero Trust Maturity Model implementation guide that emphasizes visibility, segmentation and secure interconnectivity — principles that are especially critical as OT environments converge with IT.
But guidance alone is not enough. Agencies should move from planning to execution — and that starts with understanding why OT systems are so vulnerable in the first place.
Why OT systems are prime targets
Operational technology systems were not built for today’s sophisticated threat landscape. Many are decades old, difficult to patch, and originally designed to function in isolation from external networks. But as agencies modernize infrastructure and connect OT systems to IT environments, these previously siloed assets have become prime targets for cyber adversaries.
Recent data underscores this growing risk: Nearly three-quarters of OT devices are between six and 30 years old, making them difficult, or impossible, to secure using traditional IT patching methods. Compounding the issue, attackers are increasingly targeting both domains simultaneously. In 2025, 60% of organizations experienced breaches that impacted both OT and IT environments, up from 49% the year prior.
This convergence of attack surfaces means that a breach in one domain can quickly cascade into the other, putting critical operations — like energy delivery, transportation systems, or even weapons platforms — at risk. Yet despite this, many agencies have not fully integrated OT into their broader security strategies.
Most traditional security platforms lack visibility into industrial control systems (ICS) and supervisory control and data acquisition (SCADA) environments. OT is also often managed by separate operational teams, outside the oversight of IT or cybersecurity leaders, so conventional firewalls, security information and event management (SIEM) and endpoint detection tools, even where they are deployed, are rarely tuned to industrial protocols and frequently miss early indicators of compromise.
To meet the moment, government and critical infrastructure stakeholders should move beyond reactive defenses. The path forward starts with bridging IT and OT through unified governance, shared visibility and risk-based response strategies — all within a modern, integrated cybersecurity architecture.
Best practices to unify IT and OT cybersecurity
Federal agencies often see the same foundational challenges surface time and again: limited visibility, poor segmentation and disconnected security governance between IT and OT. As agencies modernize and connect previously isolated systems, getting the basics right is essential.
Here are four best practices for government cyber teams seeking to strengthen OT security and close the cyber gap:
1. Segment the network: Separate IT and OT environments through macrosegmentation, then isolate critical OT functions using microsegmentation to limit lateral movement and contain threats.
2. Expand visibility: Use passive, non-intrusive monitoring tools to discover assets, detect rogue devices, and identify unusual behavior across the network.
3. Adopt OT-specific threat intelligence: Choose platforms that understand OT protocols and can detect firmware-level anomalies and unauthorized control commands.
4. Centralize governance: Bring OT security under a unified framework that aligns with incident response, compliance and asset management to eliminate silos and improve accountability.
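The first three practices above (zone boundaries, passive asset discovery, protocol-aware detection of unauthorized control commands) can be seen working together in a small passive monitor. The following is an added example written for this page; it is not code from the article or from Fortinet. It parses Modbus/TCP requests from captured flows and checks each one against a hypothetical asset inventory (anything not in it is a rogue device), a hypothetical zone policy (a cross-zone flow the policy forbids means the boundary is not actually enforced) and a write allowlist (only the engineering workstation may issue Modbus write functions). All IP addresses, zone names, allowlists and sample frames are constructed for illustration.

```python
"""Passive OT monitoring: asset discovery, segmentation checks and unauthorized
Modbus write detection. Added example, not the article's or Fortinet's code.
All IPs, zone names and sample frames below are constructed for illustration."""
import struct
from dataclasses import dataclass

MODBUS_PORT = 502

# Modbus function codes that change process state versus read-only ones.
WRITE_FUNCTIONS = {0x05: "Write Single Coil", 0x06: "Write Single Register",
                   0x0F: "Write Multiple Coils", 0x10: "Write Multiple Registers",
                   0x16: "Mask Write Register", 0x17: "Read/Write Multiple Registers"}
READ_FUNCTIONS = {0x01: "Read Coils", 0x02: "Read Discrete Inputs",
                  0x03: "Read Holding Registers", 0x04: "Read Input Registers"}


@dataclass(frozen=True)
class Flow:
    """One observed request, as a passive sensor on a SPAN port would see it."""
    src: str
    dst: str
    dport: int
    payload: bytes


def parse_modbus_tcp(payload: bytes):
    """Parse the 7-byte MBAP header (transaction id, protocol id, length, unit id)
    plus the function code. Returns None if the frame is not well-formed Modbus/TCP."""
    if len(payload) < 8:
        return None
    txn, proto, length, unit = struct.unpack(">HHHB", payload[:7])
    if proto != 0 or length != len(payload) - 6:  # protocol id is always 0
        return None
    return {"txn": txn, "unit": unit, "function": payload[7], "data": payload[8:]}


def analyze(flows, zones, allowed, authorized_writers):
    """Return (kind, host, detail) alerts.
    zones: ip -> zone name (the asset inventory); IPs not listed are rogue devices.
    allowed: set of (src_zone, dst_zone, dport) the segmentation policy permits.
    authorized_writers: hosts allowed to issue Modbus write functions."""
    alerts, seen = [], set()
    for f in flows:
        sz, dz = zones.get(f.src, "unknown"), zones.get(f.dst, "unknown")
        for host, zone in ((f.src, sz), (f.dst, dz)):
            if zone == "unknown" and host not in seen:
                seen.add(host)
                alerts.append(("ROGUE_DEVICE", host, None))
        # A forbidden cross-zone flow that was observed means the boundary is not enforced.
        if (sz, dz, f.dport) not in allowed:
            alerts.append(("SEGMENTATION_VIOLATION", f.src, f"{sz}->{dz}:{f.dport}"))
        if f.dport != MODBUS_PORT:
            continue
        req = parse_modbus_tcp(f.payload)
        if req is None:
            alerts.append(("MALFORMED_MODBUS", f.src, None))
            continue
        fc = req["function"]
        if fc in WRITE_FUNCTIONS and f.src not in authorized_writers:
            alerts.append(("UNAUTHORIZED_WRITE", f.src, WRITE_FUNCTIONS[fc]))
        elif fc not in WRITE_FUNCTIONS and fc not in READ_FUNCTIONS:
            alerts.append(("UNUSUAL_FUNCTION", f.src, f"function 0x{fc:02X}"))
    return alerts


def mb(unit: int, fc: int, data: bytes, txn: int = 1) -> bytes:
    """Build a Modbus/TCP request frame (used here only to construct sample traffic)."""
    return struct.pack(">HHHB", txn, 0, 2 + len(data), unit) + bytes([fc]) + data


# Constructed baseline: inventory with zones, segmentation policy, write allowlist.
ZONES = {"10.10.0.5": "it", "10.10.1.10": "supervisory", "10.10.1.11": "supervisory",
         "10.10.2.20": "control"}
ALLOWED = {("supervisory", "control", 502), ("supervisory", "it", 443)}
AUTHORIZED_WRITERS = {"10.10.1.11"}  # the engineering workstation only

# Constructed sample traffic as captured by the passive sensor.
SAMPLE_FLOWS = [
    Flow("10.10.1.10", "10.10.2.20", 502, mb(1, 0x03, b"\x00\x00\x00\x0A")),  # HMI read
    Flow("10.10.1.11", "10.10.2.20", 502, mb(1, 0x06, b"\x00\x10\x00\x01")),  # EWS write
    Flow("10.10.0.5", "10.10.2.20", 502, mb(1, 0x10, b"\x00\x10\x00\x01\x02\x00\x00")),  # IT host write
    Flow("10.10.1.50", "10.10.2.20", 502, mb(1, 0x05, b"\x00\x01\xFF\x00")),  # unknown host write
    Flow("10.10.1.10", "10.10.2.20", 502, mb(1, 0x08, b"\x00\x00\x00\x00")),  # diagnostics
    Flow("10.10.1.10", "10.10.2.20", 502, b"\x00\x01\x00\x01\x00\x02\x01\x03"),  # bad protocol id
]


def run_sample():
    return analyze(SAMPLE_FLOWS, ZONES, ALLOWED, AUTHORIZED_WRITERS)


if __name__ == "__main__":
    for kind, host, detail in run_sample():
        print(f"{kind:22} {host:12} {detail or ''}")
```

The routine HMI read and the engineering workstation's write produce no alerts; the IT host and the unlisted host both trigger a segmentation violation and an unauthorized write (the unlisted host also a rogue-device alert), a diagnostics request stands out as an unusual function, and a frame with a non-zero protocol id is reported as malformed. A production sensor would read from a capture interface rather than a list and would carry a baseline learned over time, but the three checks are the same.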
These practices move agencies closer to a cohesive, mission-aligned security posture — one that leverages zero trust as a practical path forward — especially for ICS environments where traditional controls often fall short.
Agencies can operationalize zero trust in line with CISA’s maturity model and the Defense Department’s Zero Trust Reference Architecture by implementing practical capabilities like role-based segmentation, identity-aware controls and real-time telemetry sharing between tools. For OT environments in particular, zero trust provides a powerful framework to reduce risk without disrupting critical operations.
To succeed, agencies should also address three common challenges: hidden assets, outdated patching models and siloed expertise. Agencies are often unaware of every device on their converged networks, so discovery has to come first. Traditional patch cycles do not apply to legacy OT, which may run for years without a vendor fix or a maintenance window; virtual patching (blocking exploit traffic at a segmentation boundary) and isolation are the compensating controls. Cross-training IT, security and OT staff, and keeping them current on policies and practices, is essential for consistent protection. Dynamic segmentation, visibility tools and virtual patching are steppingstones toward zero trust maturity.
Threat actors are no longer targeting only data; they’re going after the infrastructure itself. As OT and IT networks converge, securing them under a unified zero trust architecture is no longer optional. It’s mission critical. Agencies need to act now to modernize their defenses, protect operational assets, and strengthen the resilience of the nation’s most vital systems.
Ben Brooks is systems engineer at Fortinet Federal.
© 2025 Federal News Network. All rights reserved. This website is not intended for users located within the European Economic Area.
