Exploring how Zero Trust actually fits industrial control systems.
My current research focus is mapping Zero Trust guidance onto ICS and OT realities, with an emphasis on where theory breaks against legacy constraints, safety requirements, and organizational boundaries.
How can Zero Trust concepts be adapted to constrained OT/ICS-style networks—shaped by legacy devices, safety constraints, and 24/7 operations—without breaking availability or operator workflows?
Zero Trust Without Clean Identity
Many ICS and OT assets cannot run modern identity stacks, so current work surveys how NIST SP 800-207, NIST SP 800-82, and CISA’s Zero Trust Maturity Model handle devices that lack strong per-entity identity, and where they implicitly assume IT-style identity and access management that OT cannot support.
Segmentation That Doesn't Break Things
Zero Trust literature for ICS converges on micro-segmentation at Purdue Levels 2–3, but real deployments rarely extend cleanly to Levels 1 and 0; this theme catalogs proposed patterns, their preconditions, and the safety and availability risks they introduce when applied to legacy industrial networks.
Telemetry Before Control
Frameworks like NIST SP 800-207 and CISA’s Zero Trust Maturity Model emphasize visibility and continuous monitoring as prerequisites for policy enforcement, yet there are persistent telemetry gaps at lower Purdue levels; this work tracks how different authors propose closing those gaps before pushing Zero Trust controls into ICS environments.
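The three themes above (attribute-based identity for devices that cannot carry a credential, conduit-style segmentation by Purdue level, and monitoring before enforcement) can be sketched in one small policy decision point. The following is an added illustration written for this page, not code from NIST SP 800-207, NIST SP 800-82, CISA's Zero Trust Maturity Model or any deployment; the device names, conduit rules, attribute weights and sample flows are all constructed assumptions. The point it makes is structural: a deny verdict at Levels 0 and 1 becomes an alert rather than a block until telemetry there is good enough to trust the rule set.

```python
"""Illustrative Zero Trust policy decision point for a Purdue-model OT network.
Added example; not drawn from any framework or product. All names, rules,
weights and flows below are constructed for illustration."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple

@dataclass(frozen=True)
class Device:
    name: str
    level: int                              # Purdue level 0..5
    identity: Optional[str] = None          # strong per-entity identity (e.g. cert subject)
    observed: FrozenSet[str] = frozenset()  # network-derived attributes for legacy gear

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    protocol: str

# Constructed conduit allow-list: (src_level, dst_level) -> permitted protocols.
# Anything not listed is a policy violation.
CONDUITS: Dict[Tuple[int, int], FrozenSet[str]] = {
    (3, 2): frozenset({"opcua"}),
    (2, 2): frozenset({"opcua", "modbus-tcp"}),
    (2, 1): frozenset({"modbus-tcp", "enip"}),
    (1, 1): frozenset({"modbus-tcp"}),
    (1, 0): frozenset({"fieldbus"}),
}

# Telemetry before control: blocking is switched on only where both endpoints
# sit in levels with adequate visibility; elsewhere a violation only alerts.
ENFORCED_LEVELS = {2, 3}

# Attribute-based identity for devices with no credential (constructed weights,
# in percent). A certificate-backed identity scores 100.
ATTRIBUTE_WEIGHTS = {"mac-pinned": 30, "switch-port-locked": 30,
                     "static-ip": 20, "vendor-fingerprint": 20}
MIN_CONFIDENCE = 60

def identity_confidence(dev: Device) -> int:
    """Confidence (0-100) that traffic from dev's address really comes from dev."""
    if dev.identity is not None:
        return 100
    return min(100, sum(ATTRIBUTE_WEIGHTS.get(a, 0) for a in dev.observed))

def evaluate(flow: Flow, inventory: Dict[str, Device]) -> Dict[str, str]:
    """Return the policy verdict (allow/deny) and the action actually taken."""
    src, dst = inventory.get(flow.src), inventory.get(flow.dst)
    if src is None or dst is None:
        verdict, reason = "deny", "endpoint not in inventory"
    else:
        permitted = CONDUITS.get((src.level, dst.level), frozenset())
        confidence = identity_confidence(src)
        if flow.protocol not in permitted:
            verdict, reason = "deny", f"no conduit L{src.level}->L{dst.level} for {flow.protocol}"
        elif confidence < MIN_CONFIDENCE:
            verdict, reason = "deny", f"source identity confidence {confidence} < {MIN_CONFIDENCE}"
        else:
            verdict, reason = "allow", f"conduit permits {flow.protocol}; confidence {confidence}"
    enforceable = (src is not None and dst is not None
                   and src.level in ENFORCED_LEVELS and dst.level in ENFORCED_LEVELS)
    if verdict == "allow":
        action = "allow"
    elif enforceable:
        action = "block"
    else:
        action = "alert"  # record the would-be deny without touching the process
    return {"flow": f"{flow.src}->{flow.dst}/{flow.protocol}",
            "verdict": verdict, "action": action, "reason": reason}

def evaluate_all(flows: List[Flow], inventory: Dict[str, Device]) -> List[Dict[str, str]]:
    return [evaluate(f, inventory) for f in flows]

# Constructed inventory: Level 2/3 hosts carry certificates, Level 1 PLCs do not.
INVENTORY: Dict[str, Device] = {d.name: d for d in [
    Device("hist-01", 3, identity="CN=hist-01,OU=site-a"),
    Device("scada-01", 2, identity="CN=scada-01,OU=site-a"),
    Device("eng-ws-01", 2, identity="CN=eng-ws-01,OU=site-a"),
    Device("plc-07", 1, observed=frozenset({"mac-pinned", "static-ip", "switch-port-locked"})),
    Device("plc-09", 1, observed=frozenset({"static-ip"})),
]}

# Constructed sample flows.
SAMPLE_FLOWS = [
    Flow("hist-01", "scada-01", "opcua"),          # permitted conduit, strong identity
    Flow("eng-ws-01", "scada-01", "ssh"),          # no conduit; both at L2 -> blocked
    Flow("scada-01", "plc-07", "modbus-tcp"),      # permitted conduit into L1
    Flow("plc-09", "plc-07", "modbus-tcp"),        # weak source identity; L1 -> alert only
    Flow("unknown-host", "plc-07", "modbus-tcp"),  # unknown endpoint; L1 peer -> alert only
]

if __name__ == "__main__":
    for r in evaluate_all(SAMPLE_FLOWS, INVENTORY):
        print(f"{r['action']:5} {r['verdict']:5} {r['flow']:40} {r['reason']}")
```

The design choice worth noticing is that the verdict and the action are separate fields: the policy is evaluated everywhere, so the alert stream from Levels 0 and 1 shows exactly what would break if enforcement were turned on there, which is the evidence a team needs before extending micro-segmentation below Level 2.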
[~] Drafting early reference scenarios and architectures across all Purdue levels
[ ] Empirical lab validation and formal publication (planned)