Zero Trust for OT: a US playbook with direct relevance for Australian utilities and councils

On 29 April 2026, CISA, the Department of War, and the Department of Energy (with FBI, the Department of State, and NIST contributing) jointly published Adapting Zero Trust Principles to Operational Technology. The 28-page advisory is written for US federal agencies, but the guidance maps cleanly to the constraints Australian operators of OT and critical infrastructure already work within.
If you run SCADA, building automation, transport systems, water and wastewater, or distributed energy assets, this is worth reading.
What the advisory says
Zero Trust assumes the network is already breached. Every access request is verified against identity, context, and risk before it is granted, wherever the request originates. That model works well for IT. OT needs careful translation, because the systems involved drive physical processes and rank safety and availability above confidentiality, the reverse of the usual IT ordering.
The advisory aligns to the NIST Cybersecurity Framework (CSF) 2.0 functions: Govern, Identify, Protect, Detect, Respond, and Recover. It also references ISA/IEC 62443, the international OT security standard that Australian operators are increasingly held to.
The throughline is honest. Blanket IT-style Zero Trust does not work in OT. It needs to be adapted, and it needs OT engineers, IT architects, and security people in the same room.
Why this matters for Australian operators
The threat environment described in the advisory is the same one Australian utilities, water authorities, and councils face. Volt Typhoon is named explicitly, with its pattern of compromising IT credentials and pivoting to OT through shared identities. Living-off-the-land techniques in IT environments, used to preposition for OT access, are now routine. Malware purpose-built for OT has been seen in production environments for a decade: BlackEnergy against Ukrainian distribution utilities in 2015, Trisis against a safety instrumented system in 2017, and the Incontroller toolset disclosed in 2022.
For an Australian operator, the practical pressure is doubled by:
- The Security of Critical Infrastructure Act, which requires asset registration, mandatory incident reporting (12 hours for a critical cyber incident with a significant impact, 72 hours for other cyber incidents with a relevant impact), and a documented Critical Infrastructure Risk Management Program
- ASD Essential Eight maturity expectations
- The same legacy-and-availability constraints described in the advisory: decades-old PLCs, proprietary protocols that cannot be actively scanned, and very little tolerance for downtime
The US advisory does not change any of those obligations. It does give Australian operators a clearer reference architecture for getting from where they are to where they need to be.
Five practical takeaways
- Asset visibility comes first. You cannot apply Zero Trust to assets you cannot see. The advisory leads with comprehensive inventory and discovery for a reason. Many Australian operators rely on outdated spreadsheets or partial CMDB coverage. Fix this before anything else, and expect discovery of legacy gear to be passive (mirrored traffic, configuration exports, engineering project files), because active scanning can stall or crash older controllers.
- Network segmentation, then microsegmentation. Separate enterprise IT from OT, then carve OT into functional zones and the conduits between them, in ISA/IEC 62443 terms. The Purdue model still applies, and enterprise-to-OT traffic should cross an industrial DMZ rather than a direct firewall rule. Microsegmentation can come later, once visibility and policy control are in place.
- Identity is the new perimeter, including for OT. Shared accounts, generic engineering logins, and reused credentials between IT and OT are the lateral-movement path. Identity and access management for OT is harder than for IT and must be designed for the operational reality.
- Plan for incident response that does not assume you can take systems offline. Containment in OT is different. Backup of configuration, system state, and engineering files is the recovery foundation. Document who has authority to invoke a break-glass procedure during an incident.
- Procurement is part of the strategy. Newer OT components support secure communication, identity, and logging that legacy gear cannot. Use refresh cycles deliberately to get out of the bind, not just to replace like-for-like.
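As an added illustration of the first three takeaways (example code written for this post, not from the advisory and not an S5 tool), the script below runs three passive checks over constructed data: a hand-built inventory with hypothetical hostnames, addresses and Purdue levels, a handful of constructed flow records, and constructed authentication records. It reports hosts seen on the wire but missing from the inventory, flows that cross directly between enterprise IT and OT instead of traversing the industrial DMZ, and accounts used on both IT and OT hosts. The zone policy (IT talks to the IDMZ, the IDMZ talks to OT, nothing else crosses) is an assumption for the example, not a rule taken from the advisory.

```python
"""Passive Zero Trust readiness checks for an OT estate (added example, not from the advisory)."""
from collections import defaultdict

# Constructed inventory: ip -> (hostname, Purdue level). Hostnames and addresses are hypothetical.
# Levels 0-2 are cell/area (PLCs, HMIs), 3 is site operations, 3.5 the industrial DMZ, 4-5 enterprise IT.
INVENTORY = {
    "10.10.1.5":   ("plc-pump-01", 1),
    "10.10.2.20":  ("hmi-wtp-01", 2),
    "10.10.3.10":  ("scada-hist-01", 3),
    "10.10.35.10": ("idmz-jump-01", 3.5),
    "10.20.0.50":  ("corp-fs-01", 4),
    "10.20.0.51":  ("eng-laptop-07", 4),
}

# Constructed flow records as (src_ip, dst_ip, dst_port), e.g. from a span port or firewall log.
FLOWS = [
    ("10.20.0.51", "10.10.35.10", 3389),   # engineering laptop -> IDMZ jump host: allowed
    ("10.10.35.10", "10.10.3.10", 3389),   # jump host -> SCADA server: allowed
    ("10.10.3.10", "10.10.1.5", 502),      # SCADA server -> PLC over Modbus: allowed inside OT
    ("10.20.0.51", "10.10.2.20", 445),     # laptop straight to an HMI: bypasses the IDMZ
    ("10.20.0.50", "10.10.1.5", 502),      # corporate file server speaking Modbus to a PLC
    ("10.10.3.10", "10.10.4.77", 20000),   # historian -> host nobody has inventoried
]

# Constructed authentication records as (account, host_ip), e.g. from Windows 4624 events or syslog.
AUTHS = [
    ("svc_scada", "10.10.3.10"),
    ("svc_scada", "10.20.0.50"),   # same service account reused on a corporate server
    ("eng01", "10.10.35.10"),
    ("eng01", "10.20.0.51"),       # jump host (IDMZ) plus own laptop (IT): not a cross-zone share
    ("operator", "10.10.2.20"),
]


def zone(level):
    """Collapse a Purdue level into the three zones the flow policy reasons about."""
    if level >= 4:
        return "it"
    if level == 3.5:
        return "idmz"
    return "ot"


# Assumed policy: only these zone pairs may talk directly, in either direction.
ALLOWED_PAIRS = {("it", "idmz"), ("idmz", "ot")}


def flow_allowed(src_zone, dst_zone):
    """True if the two zones may exchange traffic directly under the assumed policy."""
    if src_zone == dst_zone:
        return True
    return (src_zone, dst_zone) in ALLOWED_PAIRS or (dst_zone, src_zone) in ALLOWED_PAIRS


def unknown_assets(flows, inventory=INVENTORY):
    """Visibility gap: hosts that appear on the wire but are absent from the inventory."""
    seen = {ip for src, dst, _ in flows for ip in (src, dst)}
    return sorted(seen - inventory.keys())


def segmentation_violations(flows, inventory=INVENTORY):
    """IT<->OT flows that skip the IDMZ. Flows touching an unknown host are left to unknown_assets()."""
    findings = []
    for src, dst, port in flows:
        if src not in inventory or dst not in inventory:
            continue
        (src_name, src_lvl), (dst_name, dst_lvl) = inventory[src], inventory[dst]
        if not flow_allowed(zone(src_lvl), zone(dst_lvl)):
            findings.append((src_name, dst_name, port))
    return findings


def shared_identities(auths, inventory=INVENTORY):
    """Accounts authenticating to both IT and OT hosts: the credential pivot path the post describes."""
    zones_by_user = defaultdict(set)
    for user, host in auths:
        if host in inventory:
            zones_by_user[user].add(zone(inventory[host][1]))
    return {user: zones for user, zones in zones_by_user.items() if {"it", "ot"} <= zones}


if __name__ == "__main__":
    print("Unknown assets:", unknown_assets(FLOWS))
    print("Segmentation violations:", segmentation_violations(FLOWS))
    print("Accounts shared across IT and OT:", shared_identities(AUTHS))
```

Run against the constructed data it reports the uninventoried host 10.10.4.77, the two direct IT-to-OT flows, and the svc_scada account; eng01 is not flagged because the jump host sits in the IDMZ, which is exactly the path the policy permits. Against real data the inventory would come from the asset register and the records from a span port and domain controller logs, with the zone policy tightened to the site's own conduit list.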
How S5 thinks about this
S5 has published a SCADA Security Design whitepaper that brings the Purdue model and the Security of Critical Infrastructure Act together into a single design framework. Our Secure SCADA Architecture case study walks through how this looks in practice for a water and wastewater utility.
The CISA-led advisory adds weight to the same direction of travel. Structured segmentation, identity boundaries, asset visibility, and incident response designed for OT constraints, not retrofitted from IT.
For a broader view of how S5 supports OT environments, see our SCADA, ICS and OT Security Solutions overview.
If your team is reading this advisory and trying to translate it for your environment, talk to our consulting team.
Read the source
Adapting Zero Trust Principles to Operational Technology. CISA, Department of War, Department of Energy, FBI, Department of State, NIST. Published 29 April 2026.