An executive master's programme thesis from Aalborg University


Evaluating Zero Trust Architectures for OT/ICS: Security Gains, Deployment Barriers, and Human-Factor Tradeoffs

Author

Term

4. semester

Publication year

2026

Abstract

This thesis examines whether Zero Trust Architecture can be applied to Operational Technology (OT) and Industrial Control Systems (ICS)—the systems that run physical processes in industry. Zero Trust is a cybersecurity approach that assumes no implicit trust and continuously verifies users, devices, and access requests. Using semi-structured interviews with seven experienced practitioners and a targeted literature review, the study evaluates where security gains can be made, what deployment barriers exist, and the human-factor tradeoffs involved. The findings show clear value for access control, network segmentation, and protection of remote access. At the same time, full implementation in current OT/ICS environments is often constrained by legacy systems, real-time operational needs, cost, and limited specialized expertise. The thesis concludes that Zero Trust in OT/ICS is best treated as a selective, incremental, and context-dependent strategy rather than a blueprint for immediate full deployment. It contributes a practitioner-informed assessment of Zero Trust feasibility in industrial settings and offers practical recommendations for staged adoption aligned with operational continuity and industrial security requirements.

This thesis investigates whether Zero Trust architecture can be applied in operational technology (OT) and industrial control systems (ICS), the systems that control physical processes in industry. Zero Trust is a cybersecurity approach that does not assume anything is trustworthy by default and that requires continuous verification of users, devices, and access. Using semi-structured interviews with seven experienced practitioners and a targeted literature review, the study assesses where security gains are achieved, which implementation barriers exist, and which human tradeoffs arise. The results show clear value in access control, network segmentation, and protection of remote access. At the same time, full implementation in today's OT/ICS environments is often limited by legacy systems, real-time requirements, costs, and a lack of specialized expertise. The thesis concludes that Zero Trust in OT/ICS should be seen as a selective, stepwise, and context-dependent strategy rather than a model that can be introduced in full immediately. The contribution is a practice-informed assessment of where Zero Trust is realistic in industrial environments, along with practical recommendations for staged introduction aligned with operational continuity and industrial security requirements.

[This abstract has been rewritten with the help of AI based on the project's original abstract]