
Applying Zero Trust Principles to Operational Technology

Commerce and Retail 2026-04-29 - CISA 金栩生

Publication: April 29, 2026

Cybersecurity and Infrastructure Security Agency
Department of War

This document is marked TLP:CLEAR. Disclosure is not limited. Sources may use TLP:CLEAR when information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. Subject to standard copyright rules, TLP:CLEAR information may be distributed without restriction. For more information on the Traffic Light Protocol, see Traffic Light Protocol (TLP) Definitions and Usage.

Executive Summary

Authoring Agencies: The Zero Trust Operational Technologies Security Working Group developed this document. The Working Group is a joint initiative led by the Cybersecurity and Infrastructure Security Agency (CISA), Department of War (DoW), and Department of Energy (DOE)—with the aim of supporting organizations in applying zero trust (ZT) principles to operational technology (OT). The Zero Trust

Purpose of Document: This paper provides considerations for applying ZT principles to OT systems and environments to system owners, operators, and security personnel. It addresses the unique challenges of transitioning to a ZT architecture within OT, considering technology gaps from legacy infrastructure,

Intended Audience: ZT practitioners and OT owners and operators who are responsible for implementing ZT in OT but may have limited understanding of OT environments and their unique constraints. While this

Summary of Important Topics: Key focus areas include establishing comprehensive asset visibility, proactively addressing supply chain risks, and implementing robust identity and access management. The document emphasizes layered security controls—encompassing network segmentation, secure communication protocols and vulnerability management—alongside a fundamental shift in security

Summary of Document’s Conclusion: Successful implementation requires a holistic approach, adaptation of ZT principles to the specific characteristics of each OT environment, and strong collaboration between IT, OT, and cybersecurity teams. By applying ZT to OT, organizations can significantly enhance the security and

Table of Contents

Introduction
Audience and Scope
Evolving Threat Landscape and the Need for Zero Trust
Unique Constraints for Zero Trust in OT
Govern
Governance Structures
Overcoming ZT for OT Constraints Through Procurement
Identify
Comprehensive Asset Inventory and Asset Discovery
Configuration and Change Management
Risk Management, Threat Modeling, and Cyber-Physical Consequences
Risk Assessment Methodology: A Practical Approach
Threat Modeling for OT: Mapping the Attack Surface
Protect
Network and Microsegmentation
IT Segmentation Vs. OT Segmentation
Implementing OT Segmentation
Microsegmentation for Enhanced Security
Identity, Credential, and Access Management for OT