Pentagon rolls out Zero-Trust plan for operational technology as cyber threats evolve

The United States Department of Defense (DoD) has issued detailed guidance on adopting zero-trust cybersecurity measures across its operational technology (OT) systems. This is a move away from the previous emphasis on IT-network security. The updated guidance comprises 105 zero-trust activities and expected results defined for the OT sector.
These 105 activities are grouped into seven main areas: users, devices, applications/workloads, data, networks/environments, automation/orchestration, and visibility/analytics. They include both the minimum “target level” requirements and higher security provisions.
OT covers the systems that directly interact with the physical world: facility controls, power grids, energy management, transportation systems, building automation, and other infrastructure components. Because these systems frequently incorporate legacy hardware and have stringent safety and engineering requirements, the DoD considers that zero-trust implementation in OT needs careful adjustment.
The paper segments OT into two levels: an operational level, which is responsible for executing real-time tasks, and a process-control level, which governs device behavior. Security measures have to be designed to account for these architectural differences.
The move builds on the general zero-trust plan that the DoD unveiled in 2022. Agencies are expected to meet target-level zero-trust standards for IT systems by the end of fiscal year 2027, but there is no exact date for OT compliance. A revised Zero-Trust Strategy with more guidance will be available in early 2026.
For defence purposes, this translates into more robust safeguards for infrastructure that relies on OT, an important factor at a time when adversaries are increasingly targeting industrial control systems and physical-world infrastructure. Zero trust for OT is not only a method of intrusion prevention but also a way of ensuring that systems remain resilient and can keep functioning under threat.
