In zero trust for OT environments, what is the core principle and starting steps?

• A. Only verify external connections, not internal.
• B. No implicit trust; verification for every access request. Begin with strong identity, device posture checks, least-privilege access, and continuous authentication/monitoring.
• C. Use periodic full-network scans but not per-access verification.
• D. Trust devices inside network by default; increase monitoring later.

Answer: (B)

In zero trust for OT environments, the key idea is that there is no implicit trust for any user or device, whether inside or outside the network. Every access request must be authenticated and authorized before it’s allowed, and the decision is based on multiple factors, not just the identity.

Starting steps include enforcing strong identity for users and machines, checking device posture at the moment of access (ensuring the device is properly configured, patched, and compliant), and applying least-privilege access so entities have only the minimal permissions needed for their task. In addition, continuous authentication and ongoing monitoring are essential—re-evaluating access during a session and automatically responding to anomalies or changes in risk. These practices create tight, dynamic control over who or what can interact with OT assets, reducing the risk of lateral movement and limits the impact of any compromise.