As the Department of Defense (DoD) prepares its zero trust security guidance related to operational technology (OT), one U.S. Army official on Wednesday shared that it’s going to pose a “major challenge” due to the sheer scale of OT that has already been deployed.
Randy Resnick, the director of DoD’s Zero Trust Portfolio Management Office (PfMO), first announced the coming guidance in November at the Red Hat Government Symposium. Resnick said the guidance will be coming out later this summer, and it extends beyond the department’s fiscal year (FY) 2027 zero trust goal.
However, an Army official explained on Wednesday at the Elastic Public Sector Summit that DoD is looking to have three separate phases for the OT guidance, beginning in 2030.
“When we look at the Department of Defense and the Portfolio Management Office, they’re responsible for developing zero trust activity for operational technology. And that’s going to be on three different levels,” said Hussein Johnson, a senior cybersecurity analyst and the zero trust lead for policy and risk governance in the Office of the Chief Information Officer (OCIO) at the U.S. Army.
“That’s not going to happen until 2030, then the next phase is 2033, and then the next one is 2035 – because this is how big operational technology is,” Johnson added.
The Army official explained that the DoD is looking at everything including ATMs, traffic lights, and the electrical grid when it comes to OT. These systems and devices are essential to our everyday lives, and without strong cybersecurity, Johnson said “there will be some issues.”
“With our organization, we’re working primarily with the DoD PfMO to make sure we get the policy and all that stuff set up,” Johnson said. “We’re trying to work with other organizations to ensure that we’re doing things necessary [like] actually running test beds.”
“One thing that’s important is zero trust for the information technology – that’s one thing, because we’ve been doing cybersecurity on that for a long time. But ZT on OT, that’s going to be a major challenge,” he stressed. “It’s already a challenge in my head, so that’s the scary part.”
Johnson said his office is “working every day” to support Resnick and the DoD PfMO in their zero trust security for OT efforts.
Resnick made similar comments in November when announcing the zero trust guidance for OT, saying that the DoD needs integrated solutions to assist it in this major effort.
“Zero trust … it’s not easy. It’s going to require multiple vendors,” Resnick said.
Resnick shared a few more details on what to expect from the coming guidance earlier this month. The PfMO director explained that OT will require a different approach than IT.
While the IT strategy involves 91 activities to achieve the target level of zero trust, he said the OT strategy may require only 35 to 40. To identify these activities, the DoD has been piloting various efforts to determine what’s needed to secure the OT space.
“We were trying to build an idea of what we needed to do in the OT space to secure it enough where we would actually stop the adversary,” Resnick said. “That’s our definition of target, to stop lateral movement, to stop privilege escalation, to stop breaking out of the microsegment.”
The zero trust guidance for OT is currently under review, and Resnick said it will likely come out around August.
