Operational technology (OT) environments are under increasing regulatory pressure. Requirements across energy, manufacturing, transportation, and other critical infrastructure sectors consistently point to one core expectation: networks must be segmented to protect critical systems and limit the impact of a breach.
While many regulations do not explicitly call for “Zero Trust,” they require controls such as segmentation, least privilege access, and tightly managed communication paths. These are controls that are best implemented using a Zero Trust architecture. Xage Security helps organizations meet these mandates through Zero Trust segmentation, providing a practical way to secure OT environments while aligning with compliance requirements.
IEC 62443 is one of the clearest examples. The standard is built around the concept of zones and conduits, where systems are grouped based on risk and function, and communication between those groups is restricted and controlled. Organizations are expected to define boundaries, enforce policy at those boundaries, and limit how systems interact. This structure forms the backbone of modern OT security architectures.
NERC CIP applies similar principles in the electric sector. It requires utilities to establish Electronic Security Perimeters around critical cyber assets and control all access into those environments. The intent is straightforward: isolate critical systems and ensure that only authorized communications are allowed. This approach reduces the likelihood that a compromise in one part of the network can spread to high-value assets.
Recent updates such as CIP-003-11 extend this focus by strengthening requirements around electronic access into low impact environments. In particular, authentication is now required at the edge where low impact assets reside, ensuring that any user or system must be verified before gaining access. The standard also emphasizes tighter control over who can connect, what they can access, and how that access is governed. It further reinforces limiting routable communications and maintaining strict control over vendor connectivity—cementing segmentation and least privilege as core architectural requirements.
Other frameworks reinforce the same expectations. NIST SP 800-82 recommends separating IT and OT networks and using layered architectures to reduce risk. The NIST Cybersecurity Framework (CSF) emphasizes protecting communication networks and enforcing access controls. NIS2 requires organizations to implement risk-based controls, which in practice includes segmenting networks and limiting system-to-system communication. TSA Security Directives explicitly call for isolating OT environments from IT networks and segmentation within OT environments. ISO 27001 and ISO 27019 emphasize network segregation as a way to reduce exposure, while PCI DSS promotes isolating sensitive environments to reduce scope and risk.
A newer addition to this landscape is the Department of War Zero Trust for OT guidance. This mandate moves beyond general best practices and defines specific Zero Trust activities and outcomes for operational environments. Segmentation is built directly into these requirements. The guidance calls for separating control, data, and management planes, implementing segmentation across bases and operational sites, and enforcing microsegmentation down to the level of devices, services, and communication pathways. It also emphasizes limiting lateral movement and enforcing identity- and policy-based controls on every interaction. In practice, segmentation is not treated as a supporting control. It is a core mechanism for enforcing Zero Trust in OT.
Across these regulations, the pattern is consistent. Critical systems are separated from enterprise networks. Different parts of the OT environment are isolated based on function and risk. Communication paths are explicitly defined and controlled. Access is limited to what is necessary. These are enforceable expectations that show up in audits and assessments.
This is where Zero Trust becomes relevant. The term itself may not appear in many of the regulations, but the underlying principles are already there. Traditional segmentation approaches often depend on rigid, static boundaries that are difficult to maintain in distributed OT environments, making it challenging to enforce consistent policies across the network.
Zero Trust shifts the focus to identity and policy, requiring every connection to be explicitly verified and granting access based on defined policies rather than network location. This enables more granular segmentation, allowing organizations to precisely control how individual systems communicate.
In OT environments, this model is often easier to implement than in traditional IT. Unlike IT networks, which frequently require broad and unpredictable interactions, OT systems operate within well-defined process hierarchies. Communication paths are intentional and structured between applications, controllers, and sensors, with little need for any-to-any connectivity. This determinism makes it more practical to enforce strict, policy-driven access controls that align naturally with Zero Trust principles.
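The contrast between location-based segmentation and the identity- and policy-based model described above (and the zone/conduit structure from IEC 62443), as an added example that is not Xage Security's code: every zone, asset, IP address, protocol and identity below is constructed sample data, and the two decision functions are hypothetical illustrations, not any product's API.

```python
# Added example (not Xage Security code): IEC 62443-style zone/conduit policy
# check contrasted with a subnet ACL. All zone, asset, IP and identity values
# below are constructed sample data.
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Conduit:
    src_zone: str
    dst_zone: str
    protocol: str
    port: int
    identities: frozenset  # principals explicitly allowed to use this conduit

# Constructed topology: an HMI and PLC share one cell zone; an engineering zone
# has a conduit into the cell for programming traffic only.
ZONE_OF = {"hmi-01": "cell-1", "plc-01": "cell-1", "eng-ws-01": "engineering"}
CONDUITS = (
    Conduit("cell-1", "cell-1", "modbus/tcp", 502, frozenset({"operator@hmi-01"})),
    Conduit("engineering", "cell-1", "s7comm", 102, frozenset({"engineer@eng-ws-01"})),
)
# Location-based rule: any host on the cell subnet may reach the PLC's Modbus port.
CELL_SUBNET = ipaddress.ip_network("10.1.1.0/24")
PLC_IP = ipaddress.ip_address("10.1.1.20")

def legacy_acl_decision(src_ip: str, dst_ip: str, port: int) -> str:
    """Subnet ACL: trusts network location, so an unmanaged laptop plugged into
    the cell subnet gets the same access as the HMI."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    return "allow" if src in CELL_SUBNET and dst == PLC_IP and port == 502 else "deny"

def zero_trust_decision(identity, dst_asset: str, protocol: str, port: int) -> tuple:
    """Default deny. Allow only when the verified identity (principal@asset) maps to
    a source zone with a conduit to the destination zone for exactly this
    protocol/port that also names the identity. Source IP is never consulted."""
    if not identity or "@" not in identity:
        return ("deny", "no verified identity")
    src_zone = ZONE_OF.get(identity.split("@", 1)[1])
    dst_zone = ZONE_OF.get(dst_asset)
    for c in CONDUITS:
        if ((c.src_zone, c.dst_zone, c.protocol, c.port) == (src_zone, dst_zone, protocol, port)
                and identity in c.identities):
            return ("allow", f"conduit {src_zone}->{dst_zone} {protocol}:{port}")
    return ("deny", "no matching conduit")

if __name__ == "__main__":
    # Rogue host on the cell subnet: the ACL lets it through, the policy check does not.
    print(legacy_acl_decision("10.1.1.99", "10.1.1.20", 502))    # allow
    print(zero_trust_decision(None, "plc-01", "modbus/tcp", 502))  # deny
```

The engineering conduit permits only the programming protocol, so a verified engineer still cannot open a Modbus session into the cell, which is the "communication paths are intentional and structured" property the text describes.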
For OT security teams, segmentation is not just a design choice. It directly impacts how well an organization can contain threats and sustain operations under stress. When networks are properly segmented, incidents are easier to isolate, contain, and investigate. When they are not, small issues can quickly escalate into broader operational disruptions.
The regulations all point in the same direction: segmentation is required, communication must be controlled, and access must be restricted. While these frameworks may not mandate Zero Trust by name, they require controls that are best implemented using a Zero Trust architecture.
Xage Security enables organizations to meet these requirements with Zero Trust segmentation built for OT. By combining identity-based access, granular policy enforcement, and distributed architecture, Xage provides a scalable way to secure critical infrastructure and support compliance efforts.

