Adoption of Zero Trust Architecture (ZTA) in the Protection of Critical Infrastructure

Abraham Olasunkanmi Ojo

Abstract

Securing critical infrastructure (CI), including energy, healthcare, transportation, and financial systems, has become a pressing concern in the face of increasingly sophisticated cyber threats. These essential systems underpin modern society, and disruptions to their operations can have severe economic, social, and safety consequences. Traditional perimeter-based cybersecurity approaches have proven insufficient against evolving attack vectors, highlighting the need for more resilient strategies such as Zero Trust Architecture (ZTA). Zero Trust Architecture represents a paradigm shift in cybersecurity, advocating "never trust, always verify." Unlike legacy models, ZTA emphasises continuous authentication, least privilege access, and network micro-segmentation to mitigate external and internal threats. By assuming that breaches are inevitable, ZTA enforces stringent access controls and real-time monitoring to safeguard critical systems. This review examines the adoption of ZTA in the protection of critical infrastructure.

Key findings show the benefits of ZTA, including enhanced resilience against cyberattacks and improved regulatory compliance. The paper also discusses challenges such as integration with legacy systems, resource constraints, and organisational resistance. Recommendations are provided to guide the phased implementation of ZTA and promote cross-sector collaboration to secure critical infrastructure effectively.




Keywords


critical infrastructure; cyberattacks; legacy model; Zero Trust Architecture








Copyright (c) 2025 Abraham Olasunkanmi Ojo

Creative Commons License
This work is licensed under a Creative Commons Attribution 4.0 International License.