Rethinking Zero Trust for operational technology

by Stefan Garczynski - Security Architect at Sopra Steria

When industrial control systems connect to corporate networks, traditional perimeter security crumbles, says Stefan Garczynski, security architect at Sopra Steria, who works on the Blue Jay defence network programme.


At 3:47am, the control room alarm triggered. A critical ventilation fan in the refinery's distillation unit had stopped responding. Engineers rushed to diagnose the problem, expecting a mechanical failure. Instead, they discovered something far more alarming. The fan hadn't failed; it had been remotely shut down through a compromised vendor maintenance portal. The attacker, having entered the network weeks earlier via stolen VPN credentials, had mapped the entire industrial control system and waited for the optimal moment to strike.

For the facility operator, the six-hour shutdown cost millions in lost production. For the security team, it revealed a fundamental truth. Their IT security perimeter, designed to protect office networks, had left industrial systems completely exposed.

This credible scenario illustrates why traditional perimeter security fails when operational and information technology converge. Such challenges range across critical infrastructure, from aerospace and weapons manufacturing to transport and utilities.

When industrial devices cannot run protection software

The fundamental challenge lies in operational technology (OT) device limitations. "A lot of those conduits and PLCs that run industrial actuators are basically very dumb computers," Garczynski explains. "They're actual physical controls. You've got to get an engineer in there to turn a spanner or a valve."

These legacy systems lack computational resources for traditional security tools. "They don't have much power or RAM," he says. "Some don't even have logical space: it's a green light and a red light. If you get more than four transactions when expecting four, it just shuts down the server."

This simplicity creates a security paradox: devices designed for reliability through isolation now require protection in connected environments, yet lack the capability to run conventional security software. Traditional endpoint protection, network monitoring tools, and authentication systems simply cannot function on these constrained devices.

From Colonial Pipeline to Zero Trust reimagined

The Colonial Pipeline attack demonstrates these vulnerabilities. "Attackers entered through a VPN account with no multifactor authentication," Garczynski recalls. "Lack of segmentation forced a shutdown within the OT space."

Building management systems present similar risks. "Manufacturers put in devices that pick up Wi-Fi networks," he explains. "Now furnace and boiler systems are on Wi-Fi connected to public internet connections. Vendor remote access, protected only by VPN static credentials, allows attackers to teleport into networks where engineering functions use generic admin credentials."

Rather than direct technology transplantation, Zero Trust in OT focuses on network integration points. "The Zero Trust element focuses on how that network integrates with IT and how we enable a trust model that separates components and environments," says Garczynski.

He relies on two frameworks: IEC 62443 (ISA 99) and Cyber Informed Engineering. "It's like secure-by-design," he says. "From conception to operation, you're managing that security process. When talking to vendors, you need to understand their processes, architecture, and Zero Trust policy."

This lifecycle approach ensures engineers understand security requirements, while IT teams grasp operational constraints. The result: security controls that work in practice, not just in theory. "Engineers are educated on what you're providing, understanding complexities around safety in the OT space, and IT understands that as well," he says.

Building security layer by layer: segmentation, identity, and continuous verification

Segmentation remains foundational. "Many networks are flat, maybe one VLAN," explains Garczynski. "Break down motion control and process control so nothing cross-talks. There's segregation to aid security."

The approach follows frameworks like the Purdue model, separating process layers, engineering layers, and management layers with controlled conduits between them, similar to how firewalls segment web applications into management, application, and database layers.

Identity management proves equally crucial, he says. "Start with identity: what people need to do and what access levels they need. Eliminate default accounts and create unique identities from both technology and physical perspectives, including cages, locks and doors."

Domain separation adds another layer, he explains. "Using the IT domain to manage SCADA systems is problematic. Instead, have a different domain. It's more complicated from a management perspective, but it's a valid security layer."

Continuous verification requires balancing security with operations. "Understand safety implications and IT requirements," Garczynski continues. "Maybe it's predictive maintenance, such as IT needs to know a fan has 16,000 revolutions left and that part takes six months to replace from Poland. How do we pull that information without compromising the system?"

The pitfalls: when complexity becomes the enemy of security

The primary pitfall is excessive complexity, says Garczynski. "Having processes that are too onerous. Finding that fine line -- what are the requirements, who needs access, why, and at what level?"

Another mistake overlooks the human dimension. "Engineers don't typically work with IT. They fix machines," he says. "An engineer running an oil refinery process says, 'IT wants to plug stuff in and monitor everything? No.' You need balance, so it works for security, IT, and engineers without burdening their original process."

Four priorities for successful Zero Trust transitions in critical infrastructure

Garczynski says there should be four priorities for successful Zero Trust transitions. First, establish visibility through joint governance between vendors, IT, and OT teams. "Look at data feeds, engineering requirements and minimised downtime and safety," he says. 

Second, implement pragmatic segmentation. "It won't happen overnight. Start with critical assets. They need a management layer, but that can't talk directly to IT, it goes through conduits, a DMZ layer," he explains.

Third, focus on identity and access control, eliminating default credentials and implementing least-privilege principles.

Finally, integrate suppliers from the outset. "Zero Trust only works in OT if suppliers are part of that model," says Garczynski. "Cyber Informed Engineering enforces their involvement from the beginning." 
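The segmentation principles above (Purdue layers joined only by controlled conduits, peer control zones that must not cross-talk, and a management layer that reaches IT only through a DMZ, as in priority two) can be expressed as rules and audited against a firewall's permitted flows. The following Python check is an added illustration, not code from the article or Sopra Steria; the zone names, levels, conduits and flows are constructed sample data, and the level-adjacency table is one reading of the Purdue model.

```python
"""Purdue-model segmentation audit. Added illustration, not code from the
article or Sopra Steria; zones, levels, conduits and flows are constructed."""
from dataclasses import dataclass

# Purdue levels: 0 process, 1 basic control, 2 supervisory, 3 site operations,
# 3.5 industrial DMZ (iDMZ), 4 enterprise IT.
ZONE_LEVEL = {
    "process-cell-a": 0, "plc-motion": 1, "plc-process": 1, "scada": 2,
    "ot-mgmt": 3, "idmz": 3.5, "corp-it": 4,
}
# Only adjacent levels may be joined by a conduit; IT reaches OT via the iDMZ.
ADJACENT = {(0, 1), (1, 2), (2, 3), (3, 3.5), (3.5, 4)}

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str

def audit_policy(flows, conduits):
    """Return {flow: [findings]}; an empty list means the flow conforms."""
    report = {}
    for f in flows:
        a, b = ZONE_LEVEL[f.src], ZONE_LEVEL[f.dst]
        lo, hi = sorted((a, b))
        findings = []
        if frozenset((f.src, f.dst)) not in conduits:
            findings.append("undeclared conduit")
        if a == b and f.src != f.dst:
            findings.append("peer zones cross-talk (flat network)")
        elif (lo, hi) not in ADJACENT:
            findings.append(f"skips Purdue level(s) between L{lo} and L{hi}")
        if hi == 4 and lo < 3.5:
            findings.append("enterprise IT reaches OT without iDMZ")
        report[f] = findings
    return report

# Constructed sample: the declared conduits and the firewall's permitted flows.
SAMPLE_CONDUITS = {
    frozenset(p) for p in [("plc-process", "scada"), ("scada", "ot-mgmt"),
                           ("ot-mgmt", "idmz"), ("idmz", "corp-it"),
                           ("plc-motion", "plc-process")]
}
SAMPLE_FLOWS = [
    Flow("plc-process", "scada", "modbus"),     # conforms
    Flow("corp-it", "idmz", "https"),           # conforms: IT stops at the iDMZ
    Flow("plc-motion", "plc-process", "enip"),  # declared, but peers cross-talk
    Flow("corp-it", "ot-mgmt", "rdp"),          # direct IT-to-OT management access
]
if __name__ == "__main__":
    for flow, findings in audit_policy(SAMPLE_FLOWS, SAMPLE_CONDUITS).items():
        print(f"{flow.src} -> {flow.dst} ({flow.proto}): {findings or 'OK'}")
```

Feeding real zone-to-level mappings and exported firewall rules into `audit_policy` turns the "no direct IT-to-OT path" and "no cross-talk between control zones" requirements into a repeatable check rather than a one-off design review.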
