Small budget, strong security: Why Zero Trust is key to protecting critical infrastructure
Earlier this year, the Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA) and Federal Bureau of Investigation (FBI) issued a joint advisory, warning government agencies of potential disruptions to U.S. critical infrastructure by cyber actors. Since then, reports have surfaced highlighting state and local governments as increasing targets for these attacks, particularly from foreign adversaries.
Most recently, the Department of Homeland Security (DHS) noted in its 2025 Homeland Threat Assessment that, “domestic and foreign adversaries almost certainly will continue to threaten the integrity of U.S. critical infrastructure, in part, because they perceive targeting these sectors would have cascading impacts on U.S. industries and our standard of living. We are particularly concerned about the credible threat from nation-state cyber actors to U.S. critical infrastructure.”
This is concerning news, especially for state and local governments that often lack the funding and resources to adequately defend against these increasingly advanced and frequent threats to critical infrastructure, leaving them ill-equipped to secure their systems. It is much like asking a small-town police department to handle a bank heist with only a whistle and a flashlight. Despite these limitations, there are actionable steps governments can take to enhance their cybersecurity posture—starting with a holistic approach to security and embracing Zero Trust.
The attacker’s advantage
Threat actors have a clear advantage: they don’t have the same constraints—legal, ethical, budgetary—as their targets. This imbalance poses a grave risk to essential public services, from emergency response systems to water treatment facilities. The challenge is compounded by critical infrastructure networks’ reliance on operational technology (OT) and Internet of Things (IoT) systems, many of which are outdated and don’t meet modern cybersecurity standards, thus creating exploitable vulnerabilities.
As the threat landscape has grown more severe and unrelenting over the years, agencies must address vulnerabilities and bolster their efforts to improve their cybersecurity posture and cyber resilience. Today, resilience isn’t just about preventing breaches—it’s about ensuring that critical information remains secure, and operations continue after an attack occurs. Once inside a network, attackers will seek to move laterally across systems, targeting the most critical assets.
Traditional security measures, reliant on perimeter defense, are no longer sufficient. Agencies must stop solely focusing on perimeter defenses and flip the paradigm with an inside-out strategy. This strategy mirrors how threats operate, enabling faster detection and neutralization before escalation, and ultimately building the resilience needed for modern defenses. This approach is at the heart of Zero Trust.
Zero Trust: A necessity for state and local governments
Unlike their federal counterparts, state and local governments are not mandated to implement a Zero Trust framework into their cybersecurity operations. The federal mandate is driving significant progress in Zero Trust efforts and is helping fortify cybersecurity posture. Given the stakes—the potential disruption to critical public services that affect millions of lives—it is essential for state and local governments to follow in the footsteps of the federal government and adopt Zero Trust efforts as well.
Zero Trust assumes a breach will happen and operates under a “never trust, always verify” mindset. The architecture adopts the mindset that threats can originate from inside or outside the network, continuously verifies users, and ensures they are only accessing the resources they need to access. Every access attempt, whether from inside or outside the network, is treated as potentially hostile.
Making progress with limited resources
For resource-constrained agencies, the idea of implementing Zero Trust might seem daunting. But progress doesn’t require an immediate, large-scale overhaul. By examining organizational objectives, identifying pain points, and prioritizing security around their most critical data sets, workloads and operations first, agencies will be better enabled to achieve quick but lasting wins on the road to Zero Trust.
Agencies can start by mapping enterprise traffic. They should investigate: What connections exist on their network? Which servers are talking to the internet, and more importantly, should they be allowed to? How is the cloud environment communicating internally and externally?
Another essential element of Zero Trust is segmentation. By identifying and isolating critical assets, agencies can contain breaches and stop the spread of threat actors moving throughout the network. This approach ensures sensitive information remains secure and operations can continue with minimal disruption.
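The two steps above, mapping which servers talk to the internet and checking that traffic against a segmentation policy, can be done with a small script over existing flow or firewall logs. The example below is added here and is not from the article or from Illumio; the flow records, zone names, address blocks and policy edges are constructed for illustration.

```python
import ipaddress
from collections import Counter

# Constructed sample flow records (not from the article): "src_ip,dst_ip,dst_port"
SAMPLE_FLOWS = """\
10.10.1.5,10.10.2.20,1433
10.10.1.5,203.0.113.10,443
10.10.2.20,198.51.100.7,443
10.10.3.8,10.10.2.20,1433
10.10.3.8,192.0.2.44,22
10.10.1.5,10.10.2.20,1433
"""

# Hypothetical zone map: the agency's own address blocks and what runs in each.
ZONES = {"web": "10.10.1.0/24", "db": "10.10.2.0/24", "ot": "10.10.3.0/24"}
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Hypothetical segmentation policy: only these (src_zone, dst_zone, port) edges are allowed.
ALLOWED_EDGES = {("web", "db", 1433), ("web", "internet", 443)}

def zone_of(ip: str) -> str:
    """Name the zone an address belongs to; anything outside our blocks is 'internet'."""
    addr = ipaddress.ip_address(ip)
    for name, block in ZONES.items():
        if addr in ipaddress.ip_network(block):
            return name
    if any(addr in net for net in RFC1918):
        return "unmapped"  # internal but not yet inventoried: worth a look
    return "internet"

def map_traffic(flow_text: str) -> dict:
    """Build the traffic map: (src_zone, dst_zone, port) -> number of flows seen."""
    edges = Counter()
    for line in flow_text.strip().splitlines():
        src, dst, port = line.split(",")
        edges[(zone_of(src), zone_of(dst), int(port))] += 1
    return dict(edges)

def internet_talkers(flow_text: str) -> list:
    """Internal hosts that reach the internet at all (the article's first question)."""
    hosts = set()
    for line in flow_text.strip().splitlines():
        src, dst, _ = line.split(",")
        if zone_of(dst) == "internet":
            hosts.add(src)
    return sorted(hosts)

def unexpected_edges(flow_map: dict, allowed: set = ALLOWED_EDGES) -> dict:
    """Edges observed on the network that the segmentation policy does not allow."""
    return {edge: n for edge, n in flow_map.items() if edge not in allowed}
```

On the sample data, the database server and the OT host both reach the internet and the OT host also talks to the database, none of which the policy allows; those are the edges to review before enforcing segmentation.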
Lastly, it’s crucial for state and local governments to secure leadership support. Their backing is instrumental for driving the necessary changes and adopting Zero Trust, ensuring that resources are allocated effectively, even when they are limited from the start.
A holistic approach to cybersecurity
Zero Trust also prioritizes some of the basic cyber hygiene practices that agencies can start now without new investment in staff or budget. Measures like multifactor authentication (MFA), regular backups, patching known vulnerabilities, and well-tested incident response plans are the backbone of a holistic approach to cybersecurity. These actions, paired with an “assume breach” mindset, are essential to maintaining strong defenses while progressing toward Zero Trust.
It’s critical that IT leaders fully embrace this comprehensive approach to cybersecurity and the significant benefits basic cyber hygiene practices can bring to their Zero Trust journey. A holistic approach allows agencies to make strategic use of available resources. Agencies don’t need to tackle every cybersecurity problem across the whole enterprise at once. Instead, with Zero Trust, they can focus on protecting critical systems and preventing breaches from turning into major disasters.
Building resilient communities
The threat to critical infrastructure isn’t theoretical—it is immediate and growing. Every day without adequate protection is a day that critical systems remain vulnerable. While perfect security may be impossible, effective security measures, such as Zero Trust, are achievable, even when resources are limited.
By adopting Zero Trust and taking incremental steps now, state and local governments can better protect the essential services their communities depend on. The approach may be incremental, but the need is immediate. In a world where cyberattacks on critical infrastructure are a matter of “when,” not “if,” waiting is no longer an option. The time to act is now.
Gary Barlet is the public sector chief technology officer at Illumio, where he works with government agencies, contractors and the broader ecosystem to incorporate Zero Trust Segmentation, or microsegmentation, as a strategic enabler of Zero Trust architecture.