The Federal government is ramping up its efforts to secure operational technology (OT) systems with new zero trust pilots and frameworks, and a consolidated Defense Department OT network, top defense cybersecurity officials said.
Unlike traditional IT networks, many OT systems remain outdated, disconnected, and vulnerable to cyberattacks, explained Daryl Haegley, technical director of Control Systems Cyber Resiliency and the Cyber Resilience Office for Control Systems (CROCS) at the U.S. Air Force and Space Force, while speaking at a Federal News Network event on March 20.
Haegley said that more than 70 percent of OT systems remain serial-based and lack cyber integration, and that to address this the military services have been developing zero trust pilots for OT.
The pilots build on the Purdue Model – a reference architecture that separates industrial control systems (ICS) and other OT into layered zones – to create a cybersecurity approach tailored to OT. The framework will also account for IT/OT convergence, with Haegley anticipating its finalization and publication by early fall.
“We took a look at [a] zero trust fan chart that … had 91 target activities and 61 advanced activities,” said Haegley. “Now we’re partnering with industry … and other government entities … to narrow down what should really be right for OT … now we think we’re at about 61 target and 31 advanced activities.”
The Department of Defense (DoD) first announced its plans to release new zero trust guidance related to OT in November. The department expects to publish the guidance later this summer, with the OT effort extending beyond the department’s fiscal year (FY) 2027 zero trust target.
Haegley explained that OT was initially left out of the services’ zero trust implementation plans, with the pilots now working to solidify best practices that can be incorporated into those plans to include OT systems.
“Over a year ago, when that first version of the plan came through … the CIO said, ‘Well, where’s the OT?’ And the people said, ‘We didn’t know it was going to be included,’” Haegley recalled, adding that OT zero trust pilots have a “long way to go.”
The first of two ongoing DoD pilots spans two military bases and will use automation systems to evaluate real-time threat perspectives and provide security monitoring. The second, on a different base, outsources cybersecurity to a third party that passively monitors the base’s network.
A third pilot, which was just completed in Germany, focused on protecting water and wastewater systems from cyber threats.
In addition to the pilots, Adarryl Roberts, chief information officer at the Defense Logistics Agency (DLA), said that the DLA has been exploring remote monitoring and maintenance tools to manage OT systems worldwide, especially for overseas sites where a physical presence isn’t always possible.
The DLA is also collaborating with the Department of Defense to develop a shared OT network to enable better visibility and integration of OT assets across the department.
“[The network would have] the same protocol, same monitoring, that we can move most of our OT assets to so that we can really understand that topography and how they interrelate with one another,” said Roberts.
He explained that the first step in securing OT systems is to conduct a clear system-wide inventory assessment, something that has traditionally been managed at the local level.
“How far down within the OT architecture can you see and can you defend?” Roberts said. “Because when you get into some of these systems, the topography … [is] so complex you can’t defend every node on an OT system, so you have to make those strategic decisions of, where’s that point of defense that creates a vulnerability for your agent.”
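The inventory step Roberts describes, and the question of how far down the architecture a defender can actually see, can be made concrete with a small passive-monitoring exercise. The example below is an added illustration, not code from DoD, DLA or any of the pilots: it takes a handful of constructed flow observations (the kind a span port or passive sensor would yield), places each endpoint into a Purdue level using an assumed subnet-to-level map (the addresses and the map are hypothetical), builds an asset inventory, and flags two things a practitioner wants from such a pass: traffic that jumps more than one Purdue level (a simplification; real deployments insert a level 3.5 DMZ rather than allowing any adjacent-level hop), and endpoints that cannot be placed in any known zone, which is exactly the visibility gap Roberts points at. Serial-only devices, the majority Haegley cites, never show up in a capture like this at all, which is the other half of the answer to "how far down can you see."

```python
import ipaddress
from collections import defaultdict

# Constructed sample: (src, dst, dst_port) tuples as a passive sensor would
# record them. All addresses are hypothetical.
OBSERVED_FLOWS = [
    ("10.10.1.5", "10.10.3.20", 502),       # HMI -> PLC (Modbus/TCP)
    ("10.10.1.5", "10.10.3.21", 502),       # HMI -> second PLC
    ("10.10.2.10", "10.20.0.50", 443),      # site historian -> enterprise host
    ("10.20.0.40", "10.10.3.20", 502),      # enterprise host straight to a PLC
    ("192.168.77.9", "10.10.3.21", 502),    # source not in any known zone
]

# Assumed zone map: subnet -> Purdue level (hypothetical addressing).
ZONES = {
    ipaddress.ip_network("10.10.3.0/24"): 1,   # basic control: PLCs, RTUs
    ipaddress.ip_network("10.10.1.0/24"): 2,   # supervisory: HMIs
    ipaddress.ip_network("10.10.2.0/24"): 3,   # site operations: historians
    ipaddress.ip_network("10.20.0.0/16"): 4,   # enterprise IT
}

# Well-known OT/IT service ports used to label what an asset serves.
PROTOCOLS = {
    502: "Modbus/TCP",
    20000: "DNP3",
    44818: "EtherNet/IP",
    47808: "BACnet/IP",
    443: "HTTPS",
}


def level_of(ip):
    """Return the Purdue level for an address, or None if it is unplaced."""
    addr = ipaddress.ip_address(ip)
    for net, level in ZONES.items():
        if addr in net:
            return level
    return None


def build_inventory(flows):
    """Derive an asset inventory from passive flow observations.

    Each asset records its Purdue level, the services it was seen serving,
    and the peers it exchanged traffic with.
    """
    inv = defaultdict(lambda: {"level": None, "serves": set(), "peers": set()})
    for src, dst, port in flows:
        proto = PROTOCOLS.get(port, "tcp/%d" % port)
        inv[src]["level"] = level_of(src)
        inv[dst]["level"] = level_of(dst)
        inv[dst]["serves"].add(proto)
        inv[src]["peers"].add(dst)
        inv[dst]["peers"].add(src)
    return dict(inv)


def find_zone_violations(flows, max_gap=1):
    """Flag flows that skip Purdue levels or involve an unplaced endpoint.

    max_gap=1 is an assumed policy: adjacent levels may talk, anything
    further apart is a candidate enforcement point.
    """
    findings = []
    for src, dst, port in flows:
        ls, ld = level_of(src), level_of(dst)
        if ls is None or ld is None:
            findings.append((src, dst, port, "unplaced endpoint: not in any known zone"))
        elif abs(ls - ld) > max_gap:
            findings.append((src, dst, port, "level %d talks directly to level %d" % (ls, ld)))
    return findings


def visibility_gaps(inventory):
    """Assets observed on the wire that the zone map cannot place."""
    return sorted(ip for ip, asset in inventory.items() if asset["level"] is None)


if __name__ == "__main__":
    inventory = build_inventory(OBSERVED_FLOWS)
    for ip in sorted(inventory):
        a = inventory[ip]
        print("%-14s level=%s serves=%s peers=%d" % (
            ip, a["level"], sorted(a["serves"]), len(a["peers"])))
    for src, dst, port, why in find_zone_violations(OBSERVED_FLOWS):
        print("FLAG %s -> %s:%d  %s" % (src, dst, port, why))
    print("unplaced assets:", visibility_gaps(inventory))
```

Run as-is, the script lists seven observed assets, flags the enterprise-to-PLC Modbus flow as a level 4 to level 1 jump, and reports 192.168.77.9 as an asset the zone map cannot place. In a real deployment the zone map would come from the site's own addressing plan, and the flows from a sensor on a span port; the point of the exercise is that the enforcement and monitoring points fall out of the inventory rather than being chosen device by device.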
