Zero Trust for the Grid: Why IT/OT Convergence Demands a New Security Model

Sponsored by: Palo Alto Networks  
Volt Typhoon wasn't just a cyberattack - it was a strategic warning about the IT/OT boundary every utility now operates across. Zero trust is the only security model built for this threat environment, and private mobile networks are the foundation that makes it implementable. Here's what utilities need to know — and act on now.
Zero Trust for the Grid: Why IT/OT Convergence Demands a New Security Model

The convergence of information technology and operational technology is one of the defining infrastructure trends of the modern utility sector. The integration that makes AI-driven grid automation possible – connecting sensors, intelligent electronic devices, edge compute, and enterprise systems into a unified data and command architecture – also removes the traditional air gap that kept OT systems isolated from broader network threats.

Volt Typhoon made the consequences of this exposure concrete. The Volt Typhoon attack illustrates the sophistication of state-backed adversaries and the strategic risks that arise when attackers successfully bridge the gap between IT and OT environments. Adversaries use techniques to avoid detection and seek to position themselves for long-term disruption of critical infrastructure. When attackers establish a foothold in IT networks, they can move laterally into OT systems, threatening the operational stability of utilities and other essential services. By the time analysts identified the campaign’s scope, adversaries had positioned themselves for potential long-term disruption of critical infrastructure. They were patient, methodical, and specifically targeting the IT/OT boundary.

Traditional security models built around perimeter defense – the assumption that threats are external and internal systems are trustworthy – are not equipped for this threat environment. Zero trust is.

What Zero Trust Means in a Utility Context

Zero trust is not a product – it is an operating principle applied consistently across infrastructure. In addition to the inherent security capabilities of private mobile networks, utilities must deploy with zero trust and continuous visibility, and operate under the assumption that no device, user, or application is inherently trustworthy. They must continuously verify every interaction, tightly segment access, and ensure that anomalous behavior triggers immediate investigation.

For utilities, applying zero trust across IT, OT, and AI systems requires specific capabilities. Visibility into traffic protocols, applications, and potential threats, as well as into the mobile identifiers that belong to the devices within the private network, prevents lateral movement between IT and OT domains. Every endpoint – including the sensors, intelligent electronic devices, and edge routers that populate OT environments — must be uniquely identified and continuously verified.

The multilayered security approach that zero trust demands is well-defined. Together, zero trust and a multilayered security approach enable utilities to continuously authenticate all devices, use encryption for data in motion, implement network segmentation to contain breaches, and apply continuous monitoring for anomalies.

Private Mobile Networks as the Zero Trust Foundation

Private mobile networks are particularly well-suited to zero-trust implementation in utility environments. The architecture is built on assumptions that align directly with zero-trust principles.

PMNs offer enhanced security because private networks are separate from public networks and use a dedicated licensed spectrum, giving utilities the essential control and security for mission-critical applications. Private networks include a broad set of security capabilities and built-in features — as defined by 3GPP — to enable delivery of advanced cybersecurity protections. These include strong network and device authentication, subscriber identity protection, and robust authentication management and encryption.

Utilities own and manage SIM provisioning, device onboarding, and access policies. Every endpoint is uniquely identified, trusted, and continuously verified. Isolation from the public infrastructure helps ensure secure, traceable, and reliable data flows by preventing data poisoning and safeguarding the integrity of AI-driven operations that are critical to mission-focused utilities.

Network segmentation built into PMN architecture separates OT traffic from IT traffic and isolates different functional domains from each other. When utility companies reduce their reliance on shared carrier infrastructure, they gain stronger control over authentication, traffic segmentation, and endpoint validation. This isolation makes it significantly harder for adversaries to exploit the same systemic vulnerabilities used in attacks like Volt Typhoon. If an adversary does gain a foothold — in an edge node, in a field device, in a third-party system with network access — segmentation limits lateral movement and contains the blast radius.

The Salt Typhoon campaign further underscores why public network dependency is a structural risk. Salt Typhoon is a cyberespionage campaign operated by an instrument of the Chinese government that has penetrated US telecommunications systems, serving as a stark reminder of the dangers organizations face when relying too heavily on public telecommunications networks for critical operations. Encryption, segmentation, and redundancy are now baseline requirements for resilience — without these countermeasures, enterprises risk leaving their most valuable asset — information — vulnerable to persistent and large-scale espionage campaigns.

Combined with next-generation firewalls and AI/ML-driven anomaly detection embedded at the core and edge, PMNs enable utilities to achieve the continuous visibility that zero trust requires. Threats that use legitimate credentials and blend with normal traffic — the living-off-the-land techniques that made Volt Typhoon so difficult to detect — become identifiable through behavioral analysis rather than signature matching.

Zero Trust for the Grid: Why IT/OT Convergence Demands a New Security Model

Securing the AI Ecosystem Within the Zero Trust Framework

As utilities integrate AI into grid automation, the zero-trust boundary must explicitly extend to AI systems themselves. AI systems – including models, agents, orchestration layers, and training data — represent new attack surfaces. Edge-deployed AI applications should undergo runtime integrity checks and be sandboxed to isolate compromised modules.

Utilities must continuously perform red teaming exercises to simulate adversarial attacks and model scanning to automatically analyze AI models for vulnerabilities and misconfigurations. More secure update mechanisms, including model signing and audit logging, help maintain trust in distributed AI systems over time. To prevent risks such as poisoned training data, prompt injection, and sensitive data leakage, utilities must use security solutions that can discover, assess, and protect AI applications, agents, models, and datasets across their lifecycle.

The private mobile network plays a critical structural role in this protection. The PMN acts as the secure conduit in the flow from field devices to AI systems, helping ensure that only authenticated, encrypted, and validated traffic moves toward central or cloud-based AI systems. By positioning PMNs as the trust layer in this pipeline, utilities can reduce the attack surface and help ensure that AI decisions are based on accurate and uncompromised data.

Governance as the Binding Layer

Zero trust architecture and private mobile networks create the technical foundation for secure IT/OT operations. Governance provides the accountability framework that sustains it. Utilities face growing regulatory pressure to account for AI-driven operations. Effective governance is a critical success factor for AI adoption in utilities. Oversight must extend to AI models, data protection, and third-party risks, while aligning with regulatory frameworks such as NERC CIP, IEC 62443, and IEC 61850. Utilities should establish clear governance frameworks that balance innovation with accountability and compliance.

Clear governance frameworks that define accountability for AI-driven decisions, mandate audit logging and model integrity verification, and establish incident response protocols for AI system compromise are not bureaucratic overhead — they are the operational discipline that makes a zero trust posture sustainable over time.

The Urgency Is Real

The convergence of IT and OT is not a future state — it is the present reality of grid modernization. Utilities that deploy AI-ready private networks and adapt unified zero trust strategies across IT, OT, and AI systems will build the resilient, intelligent grid required for the future. The adversaries targeting that convergence are already active — and growing more sophisticated.

Securing AI requires protecting algorithms, but it demands safeguarding the data, devices, and networks that underpin intelligent operations. Utilities that have not implemented zero trust principles across their IT, OT, and AI systems, and that have not built those principles on the foundation of a private mobile network, are operating with a security posture that does not match the threat environment they actually face.

The path forward is clear. The urgency to travel it is immediate.


Assess Your Utility’s Private Network Security

TeckNexus has developed a free Private Network Security Assessment for Utilities, co-created with Palo Alto Networks. The 5-section assessment maps your security gaps to real threat scenarios – including Salt Typhoon, Volt Typhoon, AI data poisoning, and unencrypted OT traffic — and delivers a prioritised action plan tailored to your environment. Launch the Free Private Network Security Assessment.

Related Tools

Haven’t yet determined which private network technology fits your utility environment? Start here. 17 questions, 8 minutes, free – Private Network Technology Selector.

Determine who should own your network infrastructure, where your data sits, and how to structure vendor engagement. 15 questions, 6 minutes, free –  Private Network Architecture Selector.

Your Brand. Our Intelligence Tools.

Capture leads at the point of evaluation. Talk to Us →

Sponsored by Palo Alto Networks
⚡ Utilities ⏱ 8 min ✓ Free
This tool is built and hosted by TeckNexus.
Launch Tool →
Whitepaper
This whitepaper explains how utilities can use secure AI-enabled private mobile networks to modernize operations, support distributed intelligence, improve resilience, and strengthen cybersecurity across critical infrastructure. It covers AI applications, private network advantages, zero trust principles, multilayered security architecture, and governance considerations for AI-ready utility environments....
Whitepaper
Non-terrestrial networks are rapidly evolving from experimental satellite systems into an increasingly important part of the global 5G connectivity landscape. This eBook, developed by Radisys in collaboration with TeckNexus, explores how 3GPP standardization, satellite architecture innovation, and software-driven network design are reshaping NTN deployment models. It examines the transition from...
Whitepaper
Private cellular networks are transforming industrial operations, but securing private 5G, LTE, and CBRS infrastructure requires more than legacy IT/OT tools. This whitepaper by TeckNexus and sponsored by OneLayer outlines a 4-pillar framework to protect critical systems, offering clear guidance for evaluating security vendors, deploying zero trust, and integrating IT,...
Scroll to Top