The Pentagon’s recent zero trust guidance for operational technology (OT) systems recognizes that OT environments vary widely across missions and sectors – requiring tailored approaches.
Zero trust is a security framework rooted in the principle of “never trust, always verify,” where no user, device or workload is inherently trusted, and access is continuously verified.
OT systems provide mission-critical services and require reliable, real-time automation – making them valuable targets for bad actors. By treating OT as distinct from enterprise information technology, the guidance acknowledges a fundamental reality: These systems cannot be secured using the same playbook designed for traditional IT environments.
However, the Pentagon’s guidance alone is not sufficient.
Without enforceable timelines and accountability mechanisms, even well-intentioned policies often fail to drive adoption. Many OT systems rely on legacy technology that cannot be easily patched or replaced. In these environments, even minor disruptions can result in operational failure.
Zero trust continuously verifies identity and enforces least privilege – granting users only the access required to perform their functions. In OT environments, however, these principles only become operationally meaningful when segmentation is enforced as close to the systems themselves as possible.
Guidelines without timelines
More than 15 years after Stuxnet demonstrated the physical consequences of cyberattacks on operational systems, U.S. critical infrastructure remains vulnerable. Assessments have documented recent incidents in which foreign-affiliated actors accessed U.S. industrial control systems, affecting essential sectors including water, energy, healthcare and agriculture. In some cases, operators were forced to temporarily switch to manual operations.
These incidents reinforce that our adversaries have both the capability and intent to target operational systems, and every delay provides additional opportunity to probe exposed systems. Yet agencies are left without clear direction on how to prioritize today’s cyber challenges. Without this direction, any guidance simply adds to their pile of marching orders with no clear place to start.
When priorities aren’t clearly defined, agencies can unintentionally waste time and resources that are already in short supply. Too often, agencies assume they must complete every foundational task before moving on to more advanced controls, thereby making perfection the enemy of progress.
Instead, agencies should evaluate their existing capabilities and begin with the actions they can realistically implement – prioritizing measures that reduce risk and improve resilience today.
‘Assume breach’ changes the equation
In the absence of direction and accountability, an “assume breach” mindset can help agencies and OT operators prepare for attacks and expedite the implementation of this guidance.
This mindset shifts the focus from attempting to stop every intrusion to ensuring systems remain resilient, even when an attack occurs. It accepts that prevention measures alone are not enough and that controls must be in place to minimize the downtime that can occur after an attack takes place.
It acknowledges that attackers may already have access to parts of the network and reframes the problem from keeping them out to containing them once they are in and minimizing the damage.
Such a mindset shift is key to helping agencies develop their network detection and response strategies.
This is where segmentation’s value comes in. Segmentation constrains lateral movement and preserves operations after a compromise. Coupled with visibility into which systems are communicating and strong authentication that limits access, these controls determine whether an incident is contained or escalates into mission disruption: the blast radius shrinks, and operations can continue even when parts of the environment are compromised.
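To make the segmentation argument concrete, here is an added example that is not part of the article and not from the Pentagon guidance it discusses. It models a small OT network with hypothetical asset names and zones (control, field, engineering, DMZ, enterprise), an allowlist of permitted cross-zone flows, and a handful of constructed flow records. It shows two things the paragraph above describes: visibility, by auditing observed flows against the policy, and blast radius, by computing how many hosts a compromised machine could reach with and without the segmentation policy in force.

```python
"""Constructed example: zone-based segmentation policy for a small OT network.

Assets, zones, the allowlist and the flow records below are all hypothetical;
they exist only to show how a segmentation policy bounds lateral movement.
"""
from collections import deque

# Constructed asset inventory: host name -> security zone (hypothetical).
ASSETS = {
    "hmi-01": "control",
    "plc-01": "field",
    "plc-02": "field",
    "eng-ws-01": "engineering",
    "historian-01": "dmz",
    "corp-ws-07": "enterprise",
}

# Allowlist of cross-zone flows: (source zone, destination zone, TCP port).
# Anything not listed is denied; rules are directional (an HMI may open
# Modbus/TCP sessions to PLCs, but a PLC may not initiate toward the HMI).
POLICY = {
    ("control", "field", 502),       # HMI polls PLCs over Modbus/TCP
    ("engineering", "field", 502),   # engineering workstation programs PLCs
    ("control", "dmz", 5432),        # HMI pushes process data to the historian
    ("enterprise", "dmz", 443),      # corporate users read historian reports
}


def is_allowed(src, dst, port, assets=ASSETS, policy=POLICY):
    """True if a flow is permitted: same zone, or an allowlisted cross-zone rule."""
    src_zone, dst_zone = assets[src], assets[dst]
    if src_zone == dst_zone:
        return True
    return (src_zone, dst_zone, port) in policy


def audit_flows(flows, assets=ASSETS, policy=POLICY):
    """Return the observed flows that the segmentation policy would deny."""
    return [f for f in flows if not is_allowed(*f, assets=assets, policy=policy)]


def reachable_hosts(start, segmented=True, assets=ASSETS, policy=POLICY):
    """Hosts an attacker on `start` could reach by initiating connections.

    With segmented=True only same-zone hosts and allowlisted zone pairs are
    traversable; with segmented=False the network is flat and every host is
    reachable. The difference is the blast radius the policy removes.
    """
    allowed_pairs = {(s, d) for s, d, _ in policy}
    seen, queue = {start}, deque([start])
    while queue:
        host = queue.popleft()
        for other in assets:
            if other in seen:
                continue
            if (not segmented
                    or assets[host] == assets[other]
                    or (assets[host], assets[other]) in allowed_pairs):
                seen.add(other)
                queue.append(other)
    return seen


# Constructed flow records: (source host, destination host, destination port).
FLOWS = [
    ("hmi-01", "plc-01", 502),
    ("eng-ws-01", "plc-02", 502),
    ("corp-ws-07", "historian-01", 443),
    ("plc-01", "plc-02", 502),
    ("corp-ws-07", "plc-01", 502),        # enterprise host talking Modbus to a PLC
    ("historian-01", "hmi-01", 3389),     # DMZ host opening RDP into the control zone
]

if __name__ == "__main__":
    for flow in audit_flows(FLOWS):
        print("DENY", flow)
    for host in ("corp-ws-07", "hmi-01"):
        flat = len(reachable_hosts(host, segmented=False))
        seg = len(reachable_hosts(host))
        print(f"{host}: reachable hosts flat={flat} segmented={seg}")
```

Running the script flags the two flows that cross zone boundaries without a rule and shows that, under the policy, a compromised corporate workstation can reach only the historian rather than every host on the network. The policy is deliberately directional: the same zone pair may be allowed in one direction and denied in the other, which is what keeps a compromised field device from initiating connections back into the control zone.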
What defense agencies should do now
Defense agencies should not wait for formal timelines to act. Unsecured OT systems can degrade facility controls, disrupt logistics, slow response times and compromise mission readiness.
Applying an “assume breach” mindset enables agencies to make progress toward preserving mission continuity despite existing constraints and limited resources. As offensive cyber operations become increasingly central to modern-day warfare, strengthening OT defense is no longer optional – it is a national security imperative.