By NHI Mgmt Group Editorial TeamPublished 2026-02-18Domain: Cyber SecuritySource: ColorTokens

TL;DR: Critical infrastructure still relies on indirect connectivity, legacy software, and assumptions of isolation that fail under pressure, and ColorTokens argues for Zero Trust in OT to limit operational impact when breaches occur. The real issue is not whether compromise happens, but whether identity-aware containment can stop it from becoming mission failure.


At a glance

What this is: This is an analysis of why Zero Trust principles matter for critical infrastructure and OT, with the key finding that “air-gapped” isolation is often false and indirect connectivity creates breach paths.

Why it matters: It matters because IAM, PAM, and segmentation decisions increasingly determine whether OT compromise becomes a contained security event or a safety and resilience incident.

👉 Read ColorTokens' analysis of Zero Trust for critical infrastructure


Context

Critical infrastructure security fails when teams assume isolation that does not exist. OT environments often have indirect connectivity through vendor access, shared infrastructure, and remote monitoring, which means the security problem is not just perimeter defence but operational containment.

For identity and access programmes, the intersection is clear: if human, vendor, and system access paths are not tightly governed, Zero Trust in OT becomes a control design problem rather than a network slogan. Mission continuity depends on knowing which connections are necessary, which are inherited, and which should never have existed.


Key questions

Q: What breaks when organisations assume OT environments are air-gapped?

A: When teams assume OT is air-gapped, they overlook indirect pathways such as vendor access, shared infrastructure, and remote monitoring tools. That false baseline leads to weak segmentation, broad trust, and delayed containment. The result is that an attacker can move from a supposedly isolated foothold into operational systems before defenders realise the path existed.

Q: Why do Zero Trust principles matter in critical infrastructure?

A: Zero Trust matters because critical infrastructure cannot rely on perfect prevention or rapid patching alone. Legacy systems, constrained maintenance windows, and hidden dependencies make containment the practical control objective. By limiting what each user, vendor, or system can reach, organisations reduce the chance that one compromise turns into mission failure.

Q: How do security teams know whether OT segmentation is actually working?

A: Segmentation is working when an incident in one zone cannot reach adjacent operations, and when access requests are narrow enough to match business need. Teams should test whether vendor tools, service accounts, and support channels can traverse boundaries they should not cross. If they can, segmentation is cosmetic rather than functional.

Q: Who is accountable when indirect OT access creates operational risk?

A: Accountability usually spans infrastructure owners, OT operators, IAM teams, and third-party risk owners because indirect access is a governance issue as much as a technical one. NIST SP 800-207 is useful for framing least-privilege and continuous verification, but organisations still need named owners for access paths, review cycles, and resilience outcomes.


Technical breakdown

Why the OT air-gap assumption breaks down

OT environments are frequently described as isolated, but in practice they often contain indirect trust paths through remote support tools, shared services, maintenance channels, and vendor connectivity. That means the effective attack surface is wider than the visible network diagram. Once an attacker finds one reachable path, the problem is not only initial access but the hidden operational dependencies that make lateral expansion possible. Zero Trust in OT starts by rejecting assumed isolation and mapping actual connectivity, not intended architecture.

Practical implication: inventory every indirect OT connection and classify it by business necessity before you design containment controls.

How microsegmentation limits mission impact in critical infrastructure

Microsegmentation divides OT and supporting environments into smaller trust zones so compromise in one area does not automatically open the rest of the estate. In critical infrastructure, this matters more than perfect prevention because patch windows are constrained and legacy systems remain exposed for longer. The architectural goal is to reduce blast radius, preserve essential functions, and keep safety-critical operations running even when a vulnerable asset cannot be remediated immediately.

Practical implication: segment by mission criticality and operational dependency, not just by technology stack or site boundary.

Identity enforcement for users, vendors, and systems

Identity enforcement in OT is about making access explicit, temporary, and observable for both people and non-human actors such as service accounts and remote monitoring tools. Strong authentication alone is not enough if privileges persist or vendor access is too broad. The control objective is to ensure each session, account, and system only reaches the minimum set of functions needed for the task, with logging sufficient to support containment and forensics when something goes wrong.

Practical implication: bind remote access, privileged actions, and service credentials to least-privilege policies with reviewable session records.


Threat narrative

Attacker objective: The attacker aims to turn a narrow foothold into operational disruption by exploiting trust paths that were never meant to be exposed.

  1. Entry occurs through indirect OT connectivity such as vendor access, remote monitoring, or shared infrastructure rather than a direct internet-facing exploit.
  2. Escalation follows when the attacker moves from a reachable support path into adjacent operational systems that were assumed to be isolated.
  3. Impact is mission disruption, where compromise spreads from a technical event into safety, continuity, or public-service failure.

NHI Mgmt Group analysis

Mission resilience in OT is now an identity and access problem, not only a network design problem. The article correctly centres Zero Trust as a containment model, but the deeper governance issue is that OT trust paths often exist because access was granted for convenience and never fully rationalised. Vendor connectivity, shared infrastructure, and remote monitoring create standing pathways that undermine the idea of isolation. Practitioners should treat every persistent path into OT as an access-governance decision with operational consequences.

Implicit connectivity is the named failure mode: organisations inherit links they did not intend, then defend against an air gap that never truly existed. That assumption collapse is common in critical infrastructure, where legacy operations and maintenance realities outlive original design boundaries. Once hidden dependencies are accepted as normal, containment, segmentation, and review all start from a false baseline. Practitioners should map actual trust relationships before they attempt to secure them.

Zero Trust in OT only works when identity controls and resilience planning are sequenced together. Microsegmentation, strong authentication, and visibility are all necessary, but they fail if mission criticality is not used to prioritise them. Systems that cannot tolerate downtime need stricter containment and more explicit access governance than less critical assets. Practitioners should align identity policy, segmentation, and resilience tiers to operational importance.

The article signals a broader shift from perimeter security to dependency governance across critical infrastructure. The lesson is not simply that OT is exposed, but that resilience now extends across vendors, utilities, and public-sector partners whose connectivity shapes mission outcomes. That widens the governance scope for IAM, PAM, and third-party access management. Practitioners should assume that resilience boundaries no longer match organisational boundaries.

Identity-aware containment is the right named concept for this problem space. In OT, containment must follow who or what can access a system, not just which network segment it sits in. That includes human operators, vendors, service accounts, and remote monitoring agents. Practitioners should design OT security around access scope, session control, and mission impact rather than perimeter assumptions.

What this signals

Critical infrastructure teams should expect Zero Trust programmes to expand from network segmentation into access-path governance. The operational question is no longer whether a system is on an isolated subnet, but whether any human, vendor, or service credential can reach it without a clearly justified reason. The control model now needs to match mission criticality, not just infrastructure topology.

Implicit connectivity debt: that is the governance burden created when convenience links, vendor channels, and remote tools accumulate faster than organisations can review them. The more OT environments depend on inherited access, the more likely it is that resilience, IAM, and third-party controls become the same conversation. For practitioners, the next step is to treat every persistent pathway as a liability until proven necessary.


For practitioners

  • Map all indirect OT access paths Inventory vendor access, shared infrastructure, remote monitoring, and maintenance channels that can reach OT assets. Classify each path by necessity, owner, and revocation method, then remove any connectivity that exists for convenience rather than mission need.
  • Segment around mission criticality Build microsegmentation zones around safety-critical and business-critical assets so compromise in one zone does not spread laterally. Use mission impact to decide which systems receive the strictest containment controls and shortest review cycles.
  • Enforce explicit identity for remote and system access Require strong authentication, least privilege, and session logging for operators, vendors, service accounts, and remote tools that touch OT. Review privileged access separately from standard user access so standing trust does not accumulate unnoticed.
  • Plan for patch delays with containment first Assume some OT vulnerabilities will remain exposed because maintenance windows are constrained. Use network isolation, access restrictions, and compensating controls to reduce blast radius while patching catches up.

Key takeaways

  • Critical infrastructure security fails when organisations assume OT isolation that does not actually exist.
  • Microsegmentation, identity enforcement, and visibility only work when they are tied to mission criticality and real access paths.
  • The control priority is containment around indirect connectivity, because patching alone cannot keep pace with operational exposure.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

MITRE ATT&CK address the attack and risk surface, while NIST CSF 2.0, NIST Zero Trust (SP 800-207), NIST SP 800-53 Rev 5 and CIS Controls v8 set the governance and control requirements practitioners need to meet.

FrameworkControl / ReferenceRelevance
NIST CSF 2.0PR.AC-4Access control is central to limiting indirect OT pathways and standing trust.
NIST Zero Trust (SP 800-207)Section 3.1The article is fundamentally about zero trust assumptions in OT environments.
NIST SP 800-53 Rev 5AC-6Least privilege is required for users, vendors, and systems entering OT.
CIS Controls v8CIS-6 , Access Control ManagementOT access governance and segmentation align with access control management.
MITRE ATT&CKTA0001 , Initial Access; TA0008 , Lateral MovementThe threat pattern involves indirect entry followed by movement across exposed OT dependencies.

Map OT access paths to PR.AC-4 and remove any connection that is not explicitly required.


Key terms

  • Zero Trust Architecture: A security model that assumes breach and requires continuous verification instead of trusting a network boundary. In OT, it means access is granted only after identity, context, and mission need are checked, so hidden dependencies and broad connectivity do not become silent trust channels.
  • Microsegmentation: A containment approach that splits environments into small trust zones so compromise cannot spread freely. In critical infrastructure, it is used to isolate safety-critical assets, reduce blast radius, and keep essential operations running even when patching is delayed or an upstream system is compromised.
  • Indirect Connectivity: Any access path into a system that is not obvious in the primary network design, such as vendor tooling, shared services, or remote monitoring. In OT, indirect connectivity is often the reason an environment that appears isolated still has real exposure to external or adjacent threats.
  • Mission Continuity: The ability of an operational environment to keep delivering essential services during or after a security event. For critical infrastructure, mission continuity is the practical outcome that Zero Trust, segmentation, and identity enforcement are meant to protect when prevention is incomplete.

What's in the full article

ColorTokens' full post covers the operational detail this post intentionally leaves for the source:

  • How the Zero Trust OT roadmap is sequenced around mission impact and public-safety dependency
  • Where microsegmentation fits into containment for legacy systems that cannot be patched quickly
  • Why vendor access, shared infrastructure, and remote monitoring create hidden trust paths into OT
  • How the article frames recent Department of War Zero Trust OT guidance in a broader resilience context

👉 ColorTokens' full post expands on mission continuity, segmentation, and OT access assumptions

Deepen your knowledge

NHI Foundation Level course, the industry's only accredited NHI security programme, covers NHI governance, workload identity, and secrets management for practitioners building stronger access control. It gives identity and security teams a common framework for governing the accounts and credentials that shape operational resilience.
NHIMG Editorial Note
Published by the NHIMG editorial team on 2026-02-18.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org