Zero Trust Put to the Test of Connected OT: Defendability and Vulnerabilities
Context
Information system security has long relied on a perimeter-based model: the enemy is assumed to be external, and inside, agents presumed trustworthy benefit from more permissive policies [1]. However, the evolution of usage towards greater connectivity and interoperability makes the notion of a perimeter increasingly blurred. Should a remote-working employee, a subcontractor with remote access, or an industrial device connected to a cloud platform be considered "internal" or "external"? The perimeter model is not designed to handle these hybrid situations, which have now become the norm. Implicit trust in the local network and poor management of hybrid cases are major enablers that allow attackers to move laterally after an initial compromise and take control of entire systems [2], [3].
In response to the limitations of the perimeter model, the Zero Trust model is progressively establishing itself as a new reference. In this new paradigm, no implicit trust is granted by default, regardless of the agent [3]. Every access to the information system must be authenticated, evaluated against the security policy, and explicitly authorised: never trust, always verify. Conceptualised by the Jericho Forum in 2007 [2], tested at scale by Google from 2010 (BeyondCorp project) [4], and then formalised by NIST in 2020 (SP 800-207) [6], Zero Trust architecture is now widely recognised as the state of the art in information system security by major institutional and industrial actors [4], [6], [10].
There is not yet a standard implementation of the Zero Trust paradigm, but among the proposed variants, so-called data-centric approaches occupy an important place [8], [10]. They consist of placing data at the centre of the security model: each resource intrinsically carries its own access policy and protection level. This approach aims to ensure that security targets the resource itself, rather than a network perimeter.
Historically, the security of critical OT (Operational Technology) systems has relied primarily on physical and logical isolation [9]. However, the shift towards greater connectivity and interoperability (remote maintenance, cloud supervision, IT/OT integration) is making this isolation increasingly untenable [5], [9]. Applied to these systems, the Zero Trust paradigm faces specific constraints: heterogeneous assets, protocols lacking authentication or encryption, real-time and safety requirements, and dependence on tooling that introduces out-of-band pathways [7]. Under these conditions, the feasibility of applying Zero Trust is uncertain, and partial implementations of the paradigm are likely, opening the door to new attack vectors.
Academic literature has primarily focused on defining the Zero Trust paradigm and proposing architectures [3], [4], [6], [7], [8]. However, the vulnerabilities induced by these implementations and the empirical assessment of their defendability remain understudied, particularly for OT systems. Our research project aims to identify and measure the limitations of this new paradigm on these specific systems. We will seek to characterise potential structural limitations to implementing the data-centric Zero Trust paradigm on critical OT systems, and to provide guidelines for optimising a deployment that maximises the system's defendability against a real-world attacker.
Scientific Problem Statement
Data-centric Zero Trust architectures appear as a response to the limitations of the perimeter model. In OT environments, physical isolation (air gap) is no longer sufficient given the growing needs for connectivity and interoperability. Yet the constraints inherent to OT make Zero Trust implementation difficult and potentially introduce new vulnerabilities. The scientific question is therefore: does the deployment of data-centric Zero Trust architectures on connected OT systems improve their security and defendability against realistic attacks?
Research Questions
Q1: How can a realistic attacker model be constructed with respect to the attack surfaces specific to data-centric Zero Trust implementations in connected OT systems?
Q2: How can the effective security and defendability of a connected OT system based on data-centric Zero Trust be measured?
Q3: How can the cost of protection mechanisms be assessed against the operational constraints of OT?
Q4: How can digital investigations be conducted on a critical OT system whose security relies on data-centric Zero Trust principles?
Q5: What guidelines and structural limitations can be identified to guide the implementation of data-centric Zero Trust in connected critical OT environments?
Envisaged Methodology
The research project will make use of a critical OT systems testbed, incorporating typical protocols and equipment, in order to reproduce the constraints inherent to OT. A first step will consist of establishing a reference security configuration without Zero Trust mechanisms, reflecting current practices based on isolation and network segmentation. This baseline will serve as a point of comparison throughout the study. It will be subjected to realistic attack scenarios defined from a threat model adapted to the OT context, allowing the initial attack surface to be characterised and a first level of security to be measured.
In a second phase, various Zero Trust building blocks will be introduced progressively or in combination: machine identity management, dynamic access control via PDP/PEP, data-centric policies, supervision and logging mechanisms, and resource labelling. Each new configuration will give rise to a systematic attack campaign and a measurement of the system's resistance and defendability against attacks.
Finally, the results will be analysed in order to identify the most effective mechanisms, assess the operational cost of protections, and derive guidelines for implementing data-centric Zero Trust on real-world critical OT environments. This analysis will also aim to characterise any remaining structural limitations.
Expected Contributions
This work aims to enrich the scientific understanding of Zero Trust approaches in OT environments. While the majority of research focuses on defining models and architectures, the goal here is to produce an empirical assessment of their defendability.
The thesis will thus contribute:
Beyond these contributions, the thesis will seek to determine whether, with the objective of increasing the interoperability and connectivity of a critical OT system, a data-centric Zero Trust architecture can achieve a higher level of security than current security models, or whether irreducible structural limitations prevent it from doing so.
Bibliography
[1] J. Wack and L. Carnahan, Keeping Your Site Comfortably Secure: An Introduction to Internet Firewalls. NIST, 1994.
[2] Jericho Forum, Jericho Forum Commandments. Jericho Forum, 2007.
[3] J. Kindervag, No More Chewy Centers: Introducing The Zero Trust Model Of Information Security. Forrester, 2010.
[4] R. Ward and B. Beyer, BeyondCorp: A New Approach to Enterprise Security. Google, 2014.
[5] W. Knowles, D. Prince, D. Hutchison, J. F. P. Disso, and K. Jones, "A survey of cyber security management in industrial control systems," International Journal of Critical Infrastructure Protection, vol. 9, pp. 52–80, Jun. 2015, doi: 10.1016/j.ijcip.2015.02.002.
[6] S. Rose, O. Borchert, S. Mitchell, and S. Connelly, Zero Trust Architecture. NIST, Aug. 2020, doi: 10.6028/nist.sp.800-207.
[7] C. Zanasi, F. Magnanini, S. Russo, and M. Colajanni, "A Zero Trust approach for the cybersecurity of Industrial Control Systems," in Proc. 2022 IEEE 21st Int. Symp. Netw. Comput. Appl. (NCA), Dec. 2022, pp. 1–7, doi: 10.1109/nca57778.2022.10013559.
[8] A. Poirrier, L. Cailleux, and T. H. Clausen, "An Interoperable Zero Trust Federated Architecture for Tactical Systems," in Proc. MILCOM 2023 - IEEE Military Communications Conf. (MILCOM), Oct. 2023, pp. 405–410, doi: 10.1109/milcom58377.2023.10356247.
[9] K. Stouffer et al., Guide to Operational Technology (OT) Security. NIST, Sep. 2023, doi: 10.6028/nist.sp.800-82r3.
[10] Ministère des Armées, SIGNAL – vers une stratégie « Zero Trust » adaptée aux besoins de la Marine. Ministère des Armées, 2025.