Cybersecurity Risk Frameworks for Mission Critical Process Automation: From IT/OT Convergence to Zero-Trust Architectures
Article Sidebar
Main Article Content
Abstract
There is a gap in industrial cybersecurity. Above all, the frameworks that govern OT security, IEC 62443 for short, were built for a time when the air gap existed, and the threat model was physical. That era came to an end quietly, between the first remote vendor access agreement and the first cloud-connected historian. By 2024, more than 12,000 ICS-oriented cybersecurity incidents had occurred in one year, with dual IT/OT breaches averaging USD 4.56 million per event. Zero Trust Architecture, as specified in NIST SP 800-207, is the correct conceptual response: No longer should you trust your network location; verify everything at every step. The caveat is that NIST SP 800-207 is IT-oriented, and its accompanying implementation manual specifically excludes OT. No Zero Trust standard is specifically designed for OT. This paper examines the top-level cybersecurity governance platforms and their relevance to five dimensions of OT, presents a scenario of 2024-2026 industrially harmful environments, and introduces the Adaptive Zero Trust Framework for Industrial Control Systems (AZTF-ICS). AZTF-ICS is an innovative five-pillar model that uses Zero Trust principles to address the unique operational constraints of mission-critical process automation, with real-time requirements, high availability, and safety tasks that are not susceptible to interruption, irrespective of any security control policy.
Downloads
Article Details
Section
This work is licensed under a Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International License.
How to Cite
References
ISA/IEC, "ANSI/ISA 62443: Security for Industrial Automation and Control Systems," International Society of Automation, 2018. [Online]. Available:
https://www.isa.org/standards-and-publications/isa-iec-62443-series-of-standards
National Institute of Standards and Technology, "Guide to Operational Technology (OT) Security," NIST Special Publication 800-82, Revision 3, 2023. DOI: https://doi.org/10.6028/NIST.SP.800-82r3
National Institute of Standards and Technology, "Zero Trust Architecture," NIST Special Publication 800-207, 2020. DOI: https://doi.org/10.6028/NIST.SP.800-207
National Cybersecurity Centre of Excellence (NCCoE), "Implementing a Zero Trust Architecture," NIST SP 1800-35 (Fourth Draft), 2024. [Online]. Available: https://www.nccoe.nist.gov/zero-trust-architecture
ISA Global Cybersecurity Alliance (ISAGCA), "Zero Trust Outcomes Using ISA/IEC 62443 Standards," ISAGCA Whitepaper, August 2024. [Online]. Available:
https://www.isagca.org/zero-trust-outcomes-using-isa-iec-62443-standards
U.S. Department of Defence, "Zero Trust for Operational Technology Activities and Outcomes, Version 2," DoD CIO, November 2025. [Online]. Available: https://dodcio.defense.gov/Portals/0/Documents/Library/ZT-OT-v2.pdf
U.S. Department of Defence, "DTM 25-003: Implementing the DoD Zero Trust Strategy," July 2025. [Online]. Available: https://www.defense.gov/News/Releases/Release/Article/dtm-25-003-zero-trust
Dragos, Inc., "OT Cybersecurity Year in Review 2025," Dragos, Inc., 2025. [Online]. Available: https://www.dragos.com/year-in-review/
European Union Agency for Cybersecurity (ENISA), "ENISA Threat Landscape 2025," ENISA, 2025. [Online]. Available: https://www.enisa.europa.eu/publications/enisa-threat-landscape-2025
Honeywell International, "Ransomware in Q1 2025: OT Threat Analysis," Honeywell International, 2025. [Online]. Available: https://www.honeywell.com/us/en/press/2025/q1-ot-ransomware-analysis
PwC, "Emerging OT Threats and Cybersecurity Strategies 2026," PricewaterhouseCoopers, 2025. [Online]. Available: https://www.pwc.com/gx/en/issues/cybersecurity/emerging-ot-threats
SANS Institute, "Introduction to ICS Security Part 2: The Purdue Model," SANS ICS, July 2021. [Online]. Available: https://www.sans.org/white-papers/ics-security-purdue-model-introduction/
IBM Security, "Cost of a Data Breach Report 2024," IBM Corporation, 2024. [Online]. Available: https://www.ibm.com/reports/data-breach
Claroty, "Five Important Considerations for Implementing Zero Trust in OT Environments," Claroty, 2024. [Online]. Available: https://claroty.com/resources/whitepapers/zero-trust-ot
IoT Analytics, "OT Cybersecurity Insights Report 2026," IoT Analytics, December 2025. [Online]. Available:
https://iot-analytics.com/ot-cybersecurity-insights
The MITRE Corporation, "ATT&CK for ICS Framework," The MITRE Corporation, 2024. [Online]. Available: https://attack.mitre.org/matrices/ics/
Industrial Cyber, "Bridging the Gap: Integrating Zero Trust Strategies in IT and OT Environments," Industrial Cyber, November 2024. [Online]. Available: https://industrialcyber.co/zero-trust/bridging-it-ot-zero-trust
North American Electric Reliability Corporation (NERC), "Zero Trust Security for Electric Operating Technology," NERC, June 2023. [Online]. Available: https://www.nerc.com/pa/CI/Documents/ZeroTrust_OT.pdf
Cybersecurity and Infrastructure Security Agency (CISA), "Guidance on Secure Integration of AI in Operational Technology," CISA, December 2025. [Online]. Available: https://www.cisa.gov/resources-tools/resources/guidance-secure-integration-ai-operational-technology
DoD CIO, "Zero Trust Capability Execution Roadmap for Operational Technology," DoD Chief Information Officer, 2024. [Online]. Available: https://dodcio.defense.gov/Portals/0/Documents/Library/ZT-OT-Roadmap.pdf