The Department of Defense (DoD) is gearing up for a late summer reveal of its new zero trust strategy for operational technology (OT), which is currently under review.
“We’re going to come out with the [zero trust] for OT guidance, likely around August,” Randy Resnick, director for the DoD’s Zero Trust Portfolio Management Office, said today during a Merlin Group event in Washington, D.C.
Resnick first announced the DoD’s plans for the new zero trust guidance related to OT late last year at the Red Hat Government Symposium, citing differences between IT and OT that necessitate separate guidance to secure OT. While the specifics of the strategy remain largely unknown, Resnick has explained that the new strategy will follow a framework similar to the DoD’s original zero trust strategy, maintaining the same concepts of target level and advanced level activities for zero trust.
Resnick noted that OT will require a different approach. While the IT strategy involves 91 activities to achieve the target level of zero trust, the OT strategy may require only 35 to 40. To identify these activities, the DoD has been piloting various efforts to determine what’s needed to secure the OT space.
“We were trying to build an idea of what we needed to do in the OT space to secure it enough where we would actually stop the adversary,” Resnick said. “That’s our definition of target, to stop lateral movement, to stop privilege escalation, to stop breaking out of the micro segment.”
Pilots began last year with the launch of Project BlastWave at Spangdahlem Air Base in Germany to determine which Zero Trust Capabilities specified in the DoD Zero Trust Architecture apply to OT networks. Since then, the department has launched two more pilots.
While awaiting the strategy, Resnick warns that DoD components and military services must update and patch legacy OT systems, as the upcoming strategy is “mostly useful with newer systems,” he said.
“OT is in the ground [and] a lot of this stuff is 10, 20, 30 years in the ground. So, this [strategy] would mostly be useful for new systems, but the existing legacy systems would probably have to be upgraded or patched,” Resnick said.
Additionally, Resnick spoke of another zero trust challenge that the department has dealt with for years – its people.
According to Resnick, the DoD has a zero trust culture problem “[and] culture is really hard” to solve.
“It has been generational [challenge] at the department, and I don’t think we’re going to solve it other than through time,” Resnick said, adding that to begin combatting this issue the department is adding zero trust to its cybersecurity courses, and it’s making it mandatory.
“We’re setting up training courses, and we’re now leading efforts to make these mandatory. So, you’re going to see zero trust principles enrolled into the cyber security annual class work that is absolutely required for everybody to do [and] you’re going to see that as part of the training,” Resnick said.
