WinMagic Responds to New CISA OT Guidance With Transport-Layer Identity Architecture

PR Newswire

WinMagic warns that current Zero Trust models were not built for critical infrastructure environments where uptime and continuous trust are essential. Following new CISA guidance, the company introduces an endpoint-driven approach using Live Key and Live Identity in Transaction (LIT) to deliver continuous, hardware-bound identity assurance beyond login.

TORONTO, May 18, 2026 /PRNewswire/ -- The U.S. government is accelerating the expansion of Zero Trust into operational technology and critical infrastructure. On April 29, 2026, the Cybersecurity and Infrastructure Security Agency (CISA), alongside the FBI and the Departments of War, Energy, and State, released new guidance on adapting Zero Trust principles to operational technology environments. The guidance reflects a growing reality: systems that control energy grids, manufacturing plants, transportation infrastructure, and industrial operations are now frontline cyber targets.

For WinMagic, a cybersecurity innovator known for endpoint-based authentication and encryption, the guidance marks a critical turning point. As Zero Trust expands into environments where safety and uptime are essential and legacy infrastructure imposes hard constraints, the challenge is no longer simply controlling access. It is ensuring that identity can be trusted continuously throughout the entire interaction.

"CISA's guidance correctly identifies that IT-centric Zero Trust approaches do not translate cleanly into operational technology environments," said Thi Nguyen-Huu, founder and Chief Executive Officer of WinMagic. "Identity verification in OT must be continuous, locally verifiable, and operationally invisible. In much of the world's critical infrastructure, connectivity is intermittent or unavailable. A cloud identity provider cannot see what is happening at the endpoint in real time, and it cannot enforce trust when the network disappears."

Zero Trust Expands into OT as Critical Infrastructure Becomes a Frontline Target

The new guidance reflects growing urgency around protecting operational technology systems from increasingly sophisticated cyber threats. OT environments differ fundamentally from traditional enterprise IT. Industrial systems interact directly with the physical world and operate under strict safety and availability requirements. Authentication delays or interrupted access can create real-world consequences.

The timing is significant. The Operation Epic Fury conflict earlier this year demonstrated the strategic vulnerability of critical infrastructure during geopolitical conflict. Industrial controls, transportation networks, and energy infrastructure have become high-value cyber targets.

CISA's guidance also reflects a broader global shift already underway. While the United States is taking important steps to expand Zero Trust into operational technology, some international cybersecurity frameworks have already moved further, introducing mandatory continuous attestation requirements and hardware-anchored trust standards for critical infrastructure systems. WinMagic argues the U.S. is moving in the right direction, but the global trend is increasingly toward identity that must remain continuously provable throughout every transaction, not simply verified at login.

"Most Zero Trust models still verify identity through credentials and sessions that exist before or after the transaction itself," Nguyen-Huu explained. "That creates a gap. In operational environments, trust cannot depend on a session token that can persist long after conditions have changed. Identity must live in the transaction itself."

From Login-Based Access to Continuous Identity Assurance

WinMagic's architecture extends Zero Trust beyond traditional login and session models by anchoring identity directly at the endpoint through hardware-bound cryptographic trust. Using MagicEndpoint, Live Key, and Live Identity in Transaction (LIT), identity becomes a continuous signal tied to the device, the user, and operating conditions in real time.

Unlike cloud-dependent identity systems, MagicEndpoint performs verification locally at the endpoint using TPM-bound cryptographic keys. This allows identity assurance to continue even when systems are disconnected from the corporate network or operating in air-gapped environments.

Key capabilities include:

  • Continuous identity verification: Trust is maintained from power-on to power-off, eliminating reliance on one-time authentication events and persistent session artifacts.
  • Air-gapped operational resilience: Identity enforcement continues locally even when connectivity to a central identity provider is unavailable.
  • Operationally invisible security: Authentication occurs once at endpoint login and continues silently without repeated MFA prompts or session interruptions.
  • Unified protection for legacy OT systems: MagicEndpoint extends policy enforcement and credential security to systems that cannot support modern protocols like SAML or OIDC.
  • Transport-layer identity assurance: Live Identity in Transaction embeds identity directly into the TLS handshake through mutual TLS, reducing reliance on bearer tokens and minimizing session hijacking risk.
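
The last item describes the mechanism only in outline. The Go program below is an added example written for this page; it is not WinMagic's code and not the LIT reference implementation. It shows what "identity embedded in the TLS handshake" means in practice: a constructed private CA issues a server certificate and a client certificate, the server requires a client certificate chaining to that CA, and the server derives the peer's identity from the certificate it verified during the handshake rather than from a bearer token carried in the application data. The names (example-ot-ca, historian.example.internal, operator-workstation-01) are constructed for the example, and software-generated keys stand in for the TPM-bound keys the release refers to.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

const serverName = "historian.example.internal" // constructed name the client expects from the server

// must aborts on setup failures (key generation, certificate encoding) an example cannot recover from.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// issue generates a P-256 key and a certificate for it: a self-signed CA when
// parent is nil, otherwise a leaf signed by parent. Leaf keeps the parsed form.
func issue(cn string, parent *tls.Certificate) tls.Certificate {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber:          must(rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 62))),
		Subject:               pkix.Name{CommonName: cn},
		DNSNames:              []string{cn}, // lets the client verify the server leaf by name
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
		BasicConstraintsValid: true,
	}
	if parent == nil {
		tmpl.IsCA = true
		tmpl.KeyUsage |= x509.KeyUsageCertSign
		parent = &tls.Certificate{Leaf: tmpl, PrivateKey: key}
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent.Leaf, &key.PublicKey, parent.PrivateKey))
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: must(x509.ParseCertificate(der))}
}

// handshake runs one mutually authenticated TLS 1.3 connection over loopback and
// returns the identity the server derives from the client's verified certificate.
// No bearer token changes hands: the client proves possession of its private key
// inside the handshake, and the server trusts only certificates chaining to ca.
func handshake(ca, server tls.Certificate, client *tls.Certificate) (string, error) {
	pool := x509.NewCertPool()
	pool.AddCert(ca.Leaf)
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{
		Certificates: []tls.Certificate{server},
		ClientAuth:   tls.RequireAndVerifyClientCert, // no trusted client certificate, no connection
		ClientCAs:    pool,
	})
	if err != nil {
		return "", err
	}
	defer ln.Close()
	var identity string
	verdict := make(chan error, 1)
	go func() {
		conn, err := ln.Accept()
		if err == nil {
			defer conn.Close()
			tc := conn.(*tls.Conn)
			// Fails for a missing certificate, an untrusted issuer, an expired leaf, ...
			if err = tc.Handshake(); err == nil {
				// PeerCertificates[0] is the leaf just verified against ClientCAs.
				identity = tc.ConnectionState().PeerCertificates[0].Subject.CommonName
			}
		}
		verdict <- err
	}()
	cfg := &tls.Config{RootCAs: pool, ServerName: serverName, MinVersion: tls.VersionTLS13}
	if client != nil {
		cfg.Certificates = []tls.Certificate{*client}
	}
	conn, err := tls.Dial("tcp", ln.Addr().String(), cfg)
	if err != nil {
		return "", err // the client, in turn, rejects a server it cannot verify
	}
	defer conn.Close()
	// In TLS 1.3 the client's Dial can return before the server has judged the client certificate.
	err = <-verdict
	return identity, err
}

func main() {
	ca := issue("example-ot-ca", nil)
	server, client := issue(serverName, &ca), issue("operator-workstation-01", &ca)
	id, err := handshake(ca, server, &client)
	fmt.Printf("trusted client: identity=%q err=%v\n", id, err)
	_, err = handshake(ca, server, nil)
	fmt.Printf("no client certificate: err=%v\n", err)
}
```

Run as a program, it prints the identity the server established for the trusted client and the handshake error for a connection that presents no client certificate. The server-side handshake failure is also where a missing, expired, or untrusted client certificate surfaces, so that is the event a defender logs and alerts on; in a deployment matching the release's description the client key would be non-exportable TPM material, which is what ties the verified identity to a particular device rather than to a credential that can be copied.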

"MagicEndpoint was architected for exactly the constraints CISA is now describing," Nguyen-Huu said. "When a grid operator is responding to a power emergency or a water treatment engineer is adjusting chemical dosing in real time, they do not have time for MFA prompts or session timeouts. The endpoint has already verified them continuously since power-on."

Completing Zero Trust for Critical Infrastructure

WinMagic positions its approach as an extension of existing Zero Trust strategies rather than a replacement for enterprise IAM systems. Organizations can continue using platforms such as Okta, Azure AD, Active Directory, SAML, and OIDC while extending continuous identity assurance into environments where cloud-dependent verification models break down.

"What CISA envisions, and what some global frameworks are already beginning to enforce, is identity that remains continuously provable throughout every transaction," Nguyen-Huu said. "The TPM hardware already exists. Mutual TLS already exists. The missing piece has been the architecture that ties them together. That is what Live Key and LIT provide: continuous identity assurance embedded directly into the secure channel itself."

About WinMagic

WinMagic's mission is to secure the digital world through high standards and strong ethics. For more than two decades, the organization has led innovation in encryption and endpoint security. Today, WinMagic is advancing a new paradigm for online access—anchoring the endpoint as the foundation of trust. By letting endpoints speak for users, WinMagic turns cumbersome logins into seamless, automated exchanges. What was once user-to-machine communication now becomes a machine-to-machine relationship, governed by policy and anchored in cryptography. This evolution eliminates friction, reduces risk, and lays the groundwork for the Secure Internet—where security is continuous, effortless, and requires no user action. Learn more at https://winmagic.com.

References:

  • CISA. (2026, April 29). Adapting Zero Trust principles to operational technology. cisa.gov/sites/default/files/2026-04/joint-guide-adapting-zero-trust-principles-to-operational-technology_508c.pdf
  • Yahoo News. (2026, April 30). U.S. agencies promote Zero Trust. yahoo.com/news/articles/us-agencies-promote-zero-trust-103952910.html
  • U.S. Department of State. (2026, April 21). Operation Epic Fury and International Law. United States Department of State. state.gov/releases/office-of-the-legal-adviser/2026/04/operation-epic-fury-and-international-law
  • National Institute of Standards and Technology. (n.d.). Cryptographic Module Validation Program (CMVP). U.S. Department of Commerce. csrc.nist.gov/Projects/Cryptographic-Module-Validation-Program
  • National Institute of Standards and Technology. (n.d.). Certificate #5204: WinMagic Cryptographic Module for Windows 1.0. Computer Security Resource Center. csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/5204
  • National Institute of Standards and Technology. (n.d.). Certificate #5214: WinMagic Cryptographic Module for macOS/Linux 1.0. Computer Security Resource Center. csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/5214
  • National Institute of Standards and Technology. (2023). Cryptographic Module Validation Program (CMVP)-approved security functions: CMVP validation authority updates to ISO/IEC 24759 (NIST SP 800-140Cr2). U.S. Department of Commerce. doi.org/10.6028/NIST.SP.800-140Cr2
  • National Institute of Standards and Technology. (n.d.). Validated modules search. Computer Security Resource Center. csrc.nist.gov/projects/cryptographic-module-validation-program/validated-modules/search/all
  • WinMagic. (2026). Zero trust for operational technology: Identity must live in the transaction. WinMagic Blog. winmagic.com/en/zero-trust-for-operational-technology-identity-must-live-in-the-transaction/
  • WinMagic. (2026). Live Identity in Transaction (LIT) open-source reference implementation. GitHub. github.com/WinMagic/LIT

Media Inquiries:
Karla Jo Helms
JOTO PR™
727-777-4629
jotopr.com

View original content: https://www.prnewswire.com/news-releases/winmagic-responds-to-new-cisa-ot-guidance-with-transport-layer-identity-architecture-302774649.html

SOURCE WinMagic