Modernizing Manufacturing Security with Zero Trust

The strategy could be key in meeting new compliance mandates.

In the face of rising cybersecurity threats, tightening technology budgets, and maturing regulatory standards, manufacturers are continually being asked a simple but increasingly urgent question: How are you securing your control systems?

For most organizations, that answer can take the form of complying with IEC 62443, an international series of standards that defines how manufacturers secure their industrial automation, operational technology (OT), and control systems. The IEC standards, developed by the International Electrotechnical Commission, present a framework for how security teams can group digital assets into “zones,” control communications through network “conduits,” and enforce least-privilege access controls throughout their manufacturing plants.

Although the standards are straightforward, implementing them in environments with legacy technologies, hybrid networks, required vendor connections, and varying security controls can be a real challenge. In many plants, the security posture has been shaped more by operational necessity than by deliberate design; tools were added to solve immediate problems rather than work together as a cohesive system.

Fortunately, the Zero Trust security model offers a different approach. Instead of overhauling an entire network design to meet IEC 62443 standards, Zero Trust offers an option for enforcing these principles without downtime or technology overhauls.

How Zero Trust Fits IEC 62443 Standards

There will always be a place for perimeter firewalls, antivirus products, and segmented VLANs in OT security, but the IEC 62443 standards help security teams in manufacturing environments think more granularly about risk.

Using the concept of “zones,” or groups of digital assets that share similar security access or availability requirements, together with “conduits,” which define and protect the network paths that connect them, the IEC 62443 standards organize risk based on how digital assets should communicate, regardless of how the network is arranged. 

On paper, this is a strong security model. The real challenge lies in implementing it within a technology ecosystem that features legacy devices working alongside modern systems, often operating together in hybrid, yet flat, architectures. 

Fortunately, Zero Trust security tools provide a powerful mechanism for plants to jump from their current reality to meeting IEC 62443 standards. Instead of trusting devices because of where they sit in the network, Zero Trust security tools evaluate each connection based on identity, intent, and context. A device, user, or service must prove who or what it is before being allowed to communicate, every time.

The Nuts and Bolts of Implementing Zero Trust 

Manufacturing network environments and technology stacks are rarely homogeneous. They often consist of engineering workstations, cloud-based servers, and controllers installed decades earlier—each running different software, different operating systems, and sometimes no modern software at all. 

Zero Trust works in this context because, instead of focusing solely on devices, it treats the communications between devices as something that must be continuously and explicitly validated. It does this via:

  • Identity-Based Access. With the help of identity and access management systems, Zero Trust enforces the principle that every user, device, and service must authenticate before interacting with anything else. This foundational element of Zero Trust directly supports IEC 62443’s requirements for defined, controlled access. In other words, even when a legacy device cannot authenticate directly with a modern workstation running the latest security tools, its communication path can still be tightly controlled and tied to verified identities at either end.
  • Segmentation. Instead of relying solely on VLANs or static firewall rules that can cause downstream effects, segmentation managed under a Zero Trust model creates clear boundaries around systems. Each zone becomes its own logically isolated environment that is only allowed to communicate through defined conduits. Not only is this approach easier to maintain and audit, but it also prevents lateral movement in the event of a breach in an otherwise flat or hybrid network.
  • Encrypted Conduits. When data flows or connections occur between zones, Zero Trust creates encrypted network tunnels, ensuring confidentiality and integrity. Modern Zero Trust solutions enable this communication via zones and the network segments that manage them, without requiring the replacement of legacy systems. This gives manufacturers the peace of mind that connection paths between zones are protected, even if the zones contain aging or insecure hardware.
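
The three controls above can be read as one default-deny policy check. The sketch below is an added example, not code from the article or from any vendor product; the asset names, zone names, roles, and ports are constructed for illustration, and allowing intra-zone traffic once an identity is verified is a modeling assumption.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample data: assets, zones, roles and ports are illustrative assumptions.
ZONE_OF = {"eng-ws-01": "engineering", "hist-01": "plant-dmz",
           "plc-07": "cell-a", "hmi-02": "cell-a"}

@dataclass(frozen=True)
class Conduit:
    src_zone: str
    dst_zone: str
    port: int
    roles: frozenset          # identities permitted to use this conduit
    encrypted: bool = True    # conduit must be carried over an encrypted tunnel

CONDUITS = [
    Conduit("engineering", "cell-a", 44818, frozenset({"controls-engineer"})),
    Conduit("cell-a", "plant-dmz", 443, frozenset({"historian-svc"})),
]

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    port: int
    role: Optional[str]       # None = enforcement point saw no verified identity
    encrypted: bool

def evaluate(flow, zone_of=ZONE_OF, conduits=CONDUITS):
    """Return (allowed, reason); anything not explicitly permitted is denied."""
    src_zone, dst_zone = zone_of.get(flow.src), zone_of.get(flow.dst)
    if src_zone is None or dst_zone is None:
        return False, "asset not assigned to a zone"
    if flow.role is None:
        return False, "no verified identity"
    if src_zone == dst_zone:
        return True, "intra-zone"  # assumption: same-zone traffic needs identity only
    for c in conduits:
        if (c.src_zone, c.dst_zone, c.port) == (src_zone, dst_zone, flow.port):
            if flow.role not in c.roles:
                return False, "identity not authorized for conduit"
            if c.encrypted and not flow.encrypted:
                return False, "conduit requires encryption"
            return True, "conduit"
    return False, "no conduit between zones"

def violations(flows):
    """Audit helper: observed flows the policy would deny, with the reason."""
    return [(f, reason) for f in flows for ok, reason in [evaluate(f)] if not ok]
```

Running `violations()` over flow records exported from a plant network gives an audit list of traffic that crosses zones outside any defined conduit.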

Future-Proofing Compliance

IEC 62443 gives manufacturers a clear framework for securing their control systems. The harder question has always been how to get there without disrupting the operations those systems support. This evolution becomes especially necessary as networks continue to rely on remote connectivity and threat actors grow more sophisticated.

Fortunately, modern Zero Trust solutions can extend controls to new equipment, access requirements, and system workflows, all without network redesigns, costly downtime, or the replacement of legacy systems. For manufacturers looking to strengthen their cybersecurity posture and meet the IEC 62443 standards, a Zero Trust strategy could be a practical way to achieve these goals.

 Dr. Jaushin Lee is the founder and CEO of Zentera Systems.
