
Pentagon Needs to Close Security Gaps as ‘Zero Trust’ Era Nears

As the Pentagon accelerates toward its 2027 deadline for full “zero trust,” one critical challenge remains: securing the intricate and expansive landscape of Internet of Things (IoT) and operational technology (OT) systems.

“Zero trust” refers to the adoption of a security framework that requires every user, device and application to continuously verify their identity and permissions, which can be challenging even without the complexity of IoT and OT systems.

IoT systems encompass a wide range of connected devices that gather and synthesize data, while OT systems are purpose-built to automate and control specific industrial processes. Within the military, these systems underpin everything from base infrastructure and logistics to weapons platforms and industrial depots. Left untouched, these systems pose enormous security risks and operational inefficiencies that could devastate our national security and impede mission readiness.

Over the last year, the government sector saw a 370% rise in IoT malware attacks. For the U.S. military, these threats and attacks are magnified by the nature of its missions and the distributed footprint of its overall digital ecosystem.

Closing the security gaps

Unlike traditional IT systems, IoT and OT devices often run on legacy protocols, lack encryption and are not designed with modern cybersecurity needs in mind. Additionally, many OT systems control critical infrastructure and mission-critical processes, making them attractive targets for adversaries seeking to disrupt operations.

Historically, the government treated them separately from core IT infrastructure, creating security silos built on outdated assumptions around perimeter defense. But as these devices are connected to networks, applications and cloud services, their exposure and their risk skyrocket.

Recognizing this evolving threat, the Pentagon is developing new guidance that will explicitly address zero trust principles in the context of these technologies, a vital step in securing the operational edge and eliminating inefficiencies. By collapsing these environments into the organization’s enterprise zero trust architecture, the U.S. military can significantly improve mission assurance and cost savings, ensuring that digital modernization delivers both security and efficiency.

Zero trust solution

The military’s zero trust architecture redefines security principles with a focus on drastically reducing attack surfaces, minimizing lateral movement and implementing continuous verification. In today’s world of connected sensors, controllers and autonomous systems, a zero-trust solution offers protection for the entire spectrum of IoT and OT assets.

Under a robust zero trust architecture, all devices from tactical sensors to industrial controllers are authenticated, authorized, and continuously monitored to ensure they interact only with the resources necessary for their function.

This approach shifts IoT and OT systems to an identity-based, least-privilege model that grants access only after verifying the user’s identity and provides only the access needed. It is supported by adaptive policies instead of traditional IP-based connectivity, which relies on broad network access tied to IP addresses rather than identity and can often expose large portions of the network to unnecessary risk.

By implementing microsegmentation (a security practice that isolates workloads, applications and devices into small, secure units within a network and blocks unauthorized access), operators can minimize lateral movement and quickly segment compromised devices to prevent malware spread or operational disruptions. For example, if an IoT sensor is hijacked during a mission, microsegmentation can contain the threat, preventing it from infiltrating the wider network or accessing sensitive systems.
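The contrast drawn above between IP-based connectivity and an identity-based, default-deny policy with quarantine can be sketched in code. This is an added example, not part of the original article or any Pentagon system; the device names, addresses, roles and ports are constructed for illustration.

```python
import ipaddress

# Constructed inventory: device identity -> (IP address, role). All names are hypothetical.
DEVICES = {
    "sensor-01": ("10.20.0.11", "sensor"),
    "sensor-02": ("10.20.0.12", "sensor"),
    "plc-07": ("10.20.0.40", "controller"),
    "historian": ("10.20.0.80", "telemetry-store"),
    "hmi-ops": ("10.20.0.90", "operator-console"),
}
PORTS = (22, 443, 502, 8883)  # constructed set of services to check

# IP-based model: membership in the subnet is the only check.
FLAT_SUBNET = ipaddress.ip_network("10.20.0.0/24")

# Identity-based model: default deny; each role lists the only
# (destination role, port) pairs its function requires.
ROLE_POLICY = {
    "sensor": {("telemetry-store", 8883)},
    "controller": {("telemetry-store", 8883)},
    "operator-console": {("controller", 502), ("telemetry-store", 443)},
}


def ip_allows(src, dst, port):
    """Legacy rule: any two addresses inside the subnet may talk on any port."""
    return all(ipaddress.ip_address(DEVICES[d][0]) in FLAT_SUBNET for d in (src, dst))


class Segmenter:
    """Default-deny policy keyed on device identity, with quarantine."""

    def __init__(self):
        self.quarantined = set()

    def quarantine(self, device):
        self.quarantined.add(device)

    def allows(self, src, dst, port):
        if src not in DEVICES or dst not in DEVICES:
            return False  # unknown identity: never trusted
        if {src, dst} & self.quarantined:
            return False  # a quarantined device is cut off in both directions
        return (DEVICES[dst][1], port) in ROLE_POLICY.get(DEVICES[src][1], set())


def reachable(check, src):
    """Every (device, port) the given source can reach under a policy check."""
    return sorted((d, p) for d in DEVICES if d != src for p in PORTS if check(src, d, p))
```

Comparing `reachable(ip_allows, "sensor-01")` with `reachable(Segmenter().allows, "sensor-01")` shows the difference in exposure from a single sensor, and calling `quarantine("sensor-01")` removes even the one remaining path while leaving other devices' flows intact.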

Driving cost savings

The potential to deliver meaningful cost savings is as compelling as the potential for enhanced security. By embracing commercial market leaders, the Pentagon can reduce reliance on expensive legacy appliances that plague network infrastructure. This shift lowers the cost of compliance and audit efforts, as security policies are centrally enforced and monitored. Moreover, preventing breaches in IoT and OT environments reduces the financial burden of incident response and recovery.

For example, the U.S. Navy is already demonstrating how these efficiencies translate into measurable value by reducing its number of legacy accepted networks from more than 300 to fewer than 180 while expanding its enterprise Flank Speed ecosystem.

By doing so, the Navy is quantifying the return on its investments, showing that secure modernization can strengthen resilience, lower maintenance costs and justify continued investment in future capabilities.

The military can adopt similar architectures to provide scalable, adaptable protection across diverse mission environments.

The road to solving zero trust implementation is challenging, especially for systems with long lifecycles and limited computing resources. But the risks of inaction are far greater. By extending an organization’s modern enterprise zero trust architecture to IoT and OT environments, the military can not only bolster cyber defenses but also achieve greater mission success and cost efficiency.

 
