# 5 Steps to Realize a Zero Trust Enterprise in Critical Infrastructure

By [Del Rodillas](https://www.paloaltonetworks.com/blog/author/del-rodillas/?ts=markdown "Posts by Del Rodillas") Oct 28, 2021 7 minutes

[Points of View](https://www.paloaltonetworks.com/blog/category/points-of-view/?ts=markdown) [Zero Trust Security](https://www.paloaltonetworks.com/blog/network-security/category/zero-trust-security/?ts=markdown) [critical infrastructure](https://www.paloaltonetworks.com/blog/tag/critical-infrastructure/?ts=markdown) [Zero Trust](https://www.paloaltonetworks.com/blog/tag/zero-trust/?ts=markdown)

Recently, we announced the Zero Trust Enterprise, a comprehensive framework for deploying Zero Trust using what you already have while also developing a clear roadmap. How does this work for critical infrastructure?
In part one of our blog series on critical infrastructure (CI) security, we looked at why [modernizing critical infrastructure requires security transformation](https://www.paloaltonetworks.com/blog/2021/09/critical-infrastructure-security-transformation/). We briefly mentioned that a Zero Trust approach is a key component of that transformation. This time, we look at exactly how the [5-step approach to Zero Trust](https://www.paloaltonetworks.com/cyberpedia/what-is-a-zero-trust-architecture) can be applied in critical infrastructure and its underlying operational technology (OT).

## Why Zero Trust for OT

I often get asked how relevant Zero Trust is in critical infrastructure and operational technology. To answer that, let's revisit the definition. As described in the [Cyberpedia](https://www.paloaltonetworks.com/cyberpedia/what-is-a-zero-trust-architecture), "Zero Trust is a strategic initiative that helps prevent successful data breaches by eliminating the concept of trust from an organization's network architecture. Rooted in the principle of 'never trust, always verify,' Zero Trust is designed to protect modern digital environments by leveraging network segmentation, preventing lateral movement, providing Layer 7 threat prevention, and simplifying granular user-access control."

The most important objectives in CI cybersecurity are preventing damaging cyber-physical effects on assets, preventing loss of critical services, and preserving human health and safety, rather than preventing data breaches as such, but the principles are just as relevant. The purpose-built nature of CI/OT produces predictable network traffic, which makes an explicit allowlist of transactions feasible, and OT assets often remain unpatched for long periods, which makes compensating controls such as segmentation and inline threat prevention necessary. Both make CI/OT a natural fit for Zero Trust.

## 5 Steps for Realizing Zero Trust in Critical Infrastructure OT

Let's discuss the five steps and some of the OT-related considerations for each step.
#### Step 1: Define the Protect Surface

This step involves identifying the "crown jewels" that are critical to the operation of the business. IT and OT teams should work together to identify these surfaces, which could include the holistic systems and networks within control centers, substations, power plants, production sites or factory floors. They could also be defined in granular detail as specific Distributed Control Systems (DCS), production lines, or even specific automation servers or PLCs. Risk-based prioritization of surfaces is critical, as it is not practical to try to secure every asset with limited resources. In the early stages of a Zero Trust deployment, the protect surface may need to be defined at a coarser level (think DCS) rather than at device level (think PLC) to encourage progress.

#### Step 2: Map the Transaction Flows

The next step is to understand the transactions to and from the protect surfaces. For example, a third-party support engineer in a control center may be interacting with systems in backup control centers and substations. You may find that they access only certain systems in the subset of substations that contain that vendor's equipment. Furthermore, you may observe that they use only certain OT protocols and network utilities, such as DNP3, ICCP and HTTPS, and only during normal work hours. In essence, you have identified what that person needs to do their job by observing their interactions with the assets. The Next-Generation Firewall (NGFW), with its deep packet inspection capabilities, is used to gain visibility into OT/IIoT applications, protocols and devices, as well as users. Furthermore, the NGFW can be deployed passively (in tap mode, fed from a SPAN port or network TAP) to make this learning process more palatable to risk-averse operations teams, who may not be keen on deploying new technology inline without a better understanding of its value.
#### Step 3: Architect a Zero Trust Network for OT

With the transaction flows well understood, one can now define the actual zoning scheme that allows for the proper inline controls and threat prevention. The segmentation gateway, or conduit in ISA/IEC 62443 terms, which creates the zones and enforces the interzone policy, is again realized through the NGFW. For the example in Step 2, the zone architecture may include the primary control center, the backup control center, and separate zones for the different substations. More granular zoning may be required within each of these zones depending on the asset definitions, assessed risk and transaction flows. Think of an unsupported Windows XP HMI that cannot be patched and must instead be isolated to reduce cyber risk. Again, it is important to find the balance between risk reduction and operational complexity; risk-based approaches such as Hazard and Operability studies (HAZOP) can help determine the level of segmentation required. For retrofitting brownfield environments, the minimally disruptive inline deployment modes provided by the NGFW, such as Layer 2 VLAN insertion and virtual wire (vwire) transparent mode, can be applied without re-addressing the network.

#### Step 4: Create the Zero Trust Policy

This step is all about codifying the granular rules into the NGFW. It uses the Kipling Method to establish the who, what, why, when, where and how of the policy, and the NGFW's policy engine to establish application controls, role-based access, device policy and threat prevention via App-ID, User-ID, Device-ID and Content-ID. Going back to our example, we use the Kipling method and the NGFW to ensure that a third-party engineer (Who) is allowed to use only the DNP3 and HTTPS protocols (What) to monitor and administer (Why) a Remote Terminal Unit (RTU) in the substation (Where) between 5 PM and 7 PM (When), with that traffic subject to inspection (How). Anything not explicitly allowed is denied.
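Steps 2 through 4 above can be made concrete with a small policy evaluator. This is an added worked example, not Palo Alto Networks code and not a PAN-OS configuration: it learns flows from constructed observations, expresses the third-party engineer rule as a Kipling tuple, and denies by default. The asset, zone, user and application names and the sample flows are assumptions made for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass

# Step 1: the protect surface, expressed as assets grouped into zones.
# Every asset, user and zone name here is constructed for this example.
ASSET_ZONE = {
    "scada-master-01": "primary-cc",
    "vendor-jumphost-01": "primary-cc",
    "scada-master-02": "backup-cc",
    "rtu-subA-01": "substation-a",   # substation with the vendor's equipment
    "rtu-subB-01": "substation-b",   # substation without it
}

# Identity source (the role a User-ID style mapping plays): user -> groups.
USER_GROUPS = {
    "vendor.eng": {"third-party-engineers"},
    "ops.alice": {"control-room-operators"},
}


@dataclass(frozen=True)
class Flow:
    user: str
    src_asset: str
    dst_asset: str
    app: str    # application as identified by deep packet inspection
    hour: int   # local hour of day, 0-23


@dataclass(frozen=True)
class Rule:
    who: str            # user group
    what: frozenset     # permitted applications
    why: str            # business justification, kept with the rule
    where_src: str      # source zone
    where_dst: str      # destination zone
    when: tuple         # (start_hour, end_hour), end exclusive
    how: frozenset      # inspection profiles the allowed traffic must pass through


def zone_of(asset):
    """Assets that are not part of a defined protect surface fall into 'unknown'."""
    return ASSET_ZONE.get(asset, "unknown")


def map_flows(flows):
    """Step 2: summarise passively observed traffic as (user, src zone, dst zone, app) -> hour range."""
    seen = defaultdict(set)
    for f in flows:
        seen[(f.user, zone_of(f.src_asset), zone_of(f.dst_asset), f.app)].add(f.hour)
    return {key: (min(hours), max(hours)) for key, hours in seen.items()}


def evaluate(flow, rules):
    """Step 4: allow only if every clause of one rule's Kipling tuple holds (first match wins); else deny."""
    groups = USER_GROUPS.get(flow.user, set())
    for r in rules:
        if (r.who in groups
                and flow.app in r.what
                and zone_of(flow.src_asset) == r.where_src
                and zone_of(flow.dst_asset) == r.where_dst
                and r.when[0] <= flow.hour < r.when[1]):
            return "allow", r
    return "deny", None


def unmatched(flows, rules):
    """Step 5: flows no rule covers are review items (a missed transaction or a real intrusion attempt)."""
    return [f for f in flows if evaluate(f, rules)[0] == "deny"]


# Steps 3 and 4: the third-party engineer rule from the post, against the zones defined above.
POLICY = [
    Rule(who="third-party-engineers",
         what=frozenset({"dnp3", "https"}),
         why="monitor and administer the vendor's RTU",
         where_src="primary-cc",
         where_dst="substation-a",
         when=(17, 19),
         how=frozenset({"ssl-decryption", "threat-prevention"})),
]

# Constructed sample flows standing in for what a sensor deployed passively would record.
OBSERVED = [
    Flow("vendor.eng", "vendor-jumphost-01", "rtu-subA-01", "dnp3", 17),
    Flow("vendor.eng", "vendor-jumphost-01", "rtu-subA-01", "https", 18),
    Flow("vendor.eng", "vendor-jumphost-01", "rtu-subA-01", "ssh", 18),    # app never seen in the mapping
    Flow("vendor.eng", "vendor-jumphost-01", "rtu-subB-01", "dnp3", 18),   # substation without vendor gear
    Flow("vendor.eng", "vendor-jumphost-01", "rtu-subA-01", "dnp3", 3),    # outside the work window
    Flow("ops.alice", "scada-master-01", "rtu-subA-01", "dnp3", 18),       # right app, wrong role
]

if __name__ == "__main__":
    for key, window in map_flows(OBSERVED).items():
        print("learned", key, "hours", window)
    for f in OBSERVED:
        verdict, rule = evaluate(f, POLICY)
        print(verdict, f.user, f.app, f.dst_asset, f.hour, "" if rule is None else f"via: {rule.why}")
    print(len(unmatched(OBSERVED, POLICY)), "flows need review")
```

Two design points carry over to a real rulebase. The `how` clause travels with the matching rule, so the enforcement point knows which inspection profiles to apply to the traffic it just allowed; an allow without that clause only narrows the path, it does not inspect what travels along it. And the evaluator has no fallback allow: a flow that matches nothing, whether it is a maintenance transaction the mapping missed or an attacker pivoting through the jump host, ends up in the review list rather than passing silently.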
Decryption and threat prevention services provided by the NGFW are coupled to the access control policy so that malicious content carried inside this allowed traffic is identified and stopped; an allow rule on its own only narrows the path an attacker could use, it does not inspect what travels along it.

#### Step 5: Monitor and Maintain the Network

As thorough as one might be in the planning phases, certain transactions may have been overlooked because the mapping did not cover the entire operational life cycle of the OT systems (commissioning, maintenance windows, failover to the backup control center). Furthermore, as static as OT is, it still changes, and the changes can be substantial with the rollout of a digital transformation project such as 5G. It is important, then, that the inventorying of protect surfaces and transactions happens on a regular basis and that the associated zoning and policy schemes are adapted as needed. Again, the NGFW, with its granular visibility and ML-based features and services (such as Policy Optimizer for fine-tuning application policy and the IoT Security service for asset inventorying and device policy optimization), is invaluable in monitoring the network and maintaining Zero Trust.

## Zero Trust for CI/OT is a Journey

The path to realizing Zero Trust in CI/OT can seem overwhelming, so it is important to remember that deploying a Zero Trust architecture does not have to be "all-in" from the start. You can start by implementing Zero Trust at the IT/OT perimeter. As you get more comfortable, you can then move into the lower layers of OT. Finally, using the framework you have established, you can apply the same Zero Trust approach to secure your extended OT infrastructure in public clouds, 5G networks and even secure access service edge (SASE) connections, with consistency and central management.

This blog was intended to highlight the relevance and benefits of Zero Trust in critical infrastructure.
This awareness hopefully triggers a journey of learning to better understand what Zero Trust is and how it can help you better protect your critical infrastructure. To that end, read this [white paper that covers Zero Trust Enterprise (ZTE)](https://www.paloaltonetworks.com/resources/whitepapers/architecting-zero-trust-enterprise), a strategic approach to cybersecurity that simplifies and unifies risk management under one goal: removing all implicit trust from every digital transaction. For a more detailed view of Zero Trust for OT, read how a [Zero Trust approach for OT aligns with the ISA/IEC 62443 standard](https://www.paloaltonetworks.com/resources/whitepapers/simplifying-adoption-of-isa-iec-62443-using-zero-trust).