The US Cybersecurity and Infrastructure Security Agency (CISA) is urging critical infrastructure operators to abandon implicit trust in their operational technology (OT) networks and adopt a zero-trust approach to security instead. This strategy assumes that adversaries have already breached the network, so every access request must be validated based on identity, context, and risk. CISA's guidance emphasizes the need for OT owners to design controls that prioritize least-privilege access and continuous monitoring. By doing so, operators of power, water, transportation, and other critical infrastructure can reduce the attack surface and mitigate potential disruptions. The agency's warning comes as state-aligned activity increases, necessitating a new threat model that accounts for geopolitical motivations [1]. This change in approach matters to practitioners because it requires a fundamental overhaul of their security posture to stay ahead of sophisticated threats.