
Built-In Security: Expanding Zero Trust by Design 


David Smit | June 12, 2025

Operational technology (OT) environments are undergoing rapid transformation. As smart sensors multiply, cloud connections increase, and remote access becomes routine, long-standing network boundaries are being stretched—and sometimes erased altogether. While Zero Trust isn’t a new concept in OT security, there are new challenges that demand a broader perspective. Are organizations truly prepared for this change in network boundaries? It’s time to expand how we think about Zero Trust and evolve it into a secure-by-design approach. This article explores how Zero Trust must move from its network-centric origins into a secure-by-design mindset, ensuring that security is embedded at every layer of modern industrial architectures.  

Originally, Zero Trust in OT focused on minimizing trust between systems on the same network. Firewalls, VLANs, and DMZs became the standard tools.  

The principle was simple: never trust, always verify.  

But while that worked well as a network segmentation approach, today’s connected environments demand more. Verification is the critical piece, and it is often overlooked or simply not possible within OT environments.

Now, attackers target users, exploit endpoints, and move laterally through unmanaged assets. The traditional perimeter doesn’t stop them, especially when OT teams are juggling legacy systems that weren’t built for security in the first place. That’s why modern Zero Trust must go beyond segmentation.  

What does that look like?  

It means rethinking what we protect and how. We need to apply Zero Trust principles across identity, devices, applications, and data: not just the network. That’s the bridge to secure-by-design: embedding protection into every layer of the architecture from day one. Here’s where to start:  

  • Map access beyond the network. Who’s logging in? From where? With what device? Identity is now just as important as IP.  
  • Enforce least privilege. Admin rights shouldn’t be a default. Only give access to what’s needed, and only for as long as it’s needed.  
  • Secure endpoints. Patching, Endpoint Detection and Response (EDR) tools, and hardening are essential, especially in OT, where those systems stay in place for years.
  • Build in monitoring and response. It’s not just about preventing attacks. It’s about detecting and containing them fast.  
  • Align teams. IT, OT, and Security must be on the same page. Silos are the enemy of Zero Trust and secure-by-design strategies alike.  
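As an added example (not code from the article or from Interstates), the following Python policy check turns the first four points into one access decision: it looks at who is asking, from which device, whether that device is managed, patched and running EDR, and whether a time-bounded grant for the requested asset is still valid, and it records every decision for monitoring. All names, devices and grants are constructed sample data.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

@dataclass
class Device:
    device_id: str
    managed: bool     # enrolled in the organisation's device management
    edr_active: bool  # EDR agent reporting in
    patched: bool     # within the patch baseline

@dataclass
class Grant:
    subject: str
    resource: str
    expires: datetime  # just-in-time privilege, valid only until this time

# Constructed sample data: a fixed "now" keeps the example deterministic.
NOW = datetime(2025, 6, 12, 10, 0, tzinfo=timezone.utc)
DEVICES = {
    "hmi-laptop-01": Device("hmi-laptop-01", managed=True, edr_active=True, patched=True),
    "eng-ws-02": Device("eng-ws-02", managed=True, edr_active=False, patched=True),
    "byod-phone-07": Device("byod-phone-07", managed=False, edr_active=False, patched=False),
}
GRANTS = [
    Grant("engineer1", "plc-line3", NOW + timedelta(hours=2)),   # active maintenance window
    Grant("vendor2", "plc-line3", NOW - timedelta(minutes=5)),   # window already closed
]
AUDIT = []  # every decision, allowed or denied, is kept for detection and response

def evaluate(subject, device_id, resource, now=NOW, grants=GRANTS, devices=DEVICES):
    """Return ("allow"|"deny", [reasons]) for one access request."""
    reasons = []
    device = devices.get(device_id)
    if device is None or not device.managed:
        reasons.append("unmanaged device")       # identity of the device matters, not its IP
    else:
        if not device.edr_active:
            reasons.append("EDR not active")
        if not device.patched:
            reasons.append("device not patched")
    # Least privilege: only a grant for this exact resource that has not expired counts.
    active = [g for g in grants
              if g.subject == subject and g.resource == resource and g.expires > now]
    if not active:
        reasons.append("no active grant")
    decision = "allow" if not reasons else "deny"
    AUDIT.append({"time": now.isoformat(), "subject": subject, "device": device_id,
                  "resource": resource, "decision": decision, "reasons": list(reasons)})
    return decision, reasons
```

Feeding the AUDIT records to a SIEM or historian is what turns the check into the "detect and contain fast" step rather than a silent gate.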

What’s the end goal?  

Systems that assume compromise and are resilient by design. In other words, your architecture itself helps enforce security, even when people make mistakes or attackers get in.  

Expanding Zero Trust into secure-by-design isn’t about replacing what you’ve done; it’s about building on it. Segmentation still matters. So does protocol filtering. But we also need to secure the people and devices at the edges, where decisions are made and data is generated. As we move beyond network segmentation toward holistic resilience, the real challenge is aligning people, processes, and technology from the ground up.

At Interstates, we’re helping clients rethink OT security through this lens. If you’re ready to evolve from perimeter-focused defenses to truly resilient architectures, we’d love to connect. Because Zero Trust isn’t just a network model anymore. It’s a design mindset for the future of operations.  


David Smit is an OT Architect at Interstates, focusing on infrastructure and security. If you’re interested in OT, you can subscribe to Interstates’ LinkedIn newsletter, Converging Clarity.