The Department of Defense (DoD) is sharpening its cybersecurity focus on operational technology (OT), the systems that sustain military operations. With hostile actors increasingly targeting these systems, the department is expected to release OT-specific zero trust guidance this summer.
Zero trust for information technology is familiar territory, but applying these principles to OT is fundamentally different—and far more complex. While protecting these systems has become a top defense priority, finding ways to use these principles across both technologies remains a challenge.
A critical and vulnerable domain
Since the 2022 rollout of its zero trust strategy, the DoD’s cybersecurity focus has centered on IT networks and data systems. OT systems remained in the background despite their essential role in sustaining operations.
In general, these systems include HVAC and fire suppression units that ensure environmental safety; access control and surveillance systems safeguarding facilities; shipyard systems critical to Navy readiness; and medical devices integral to Defense Health Agency missions. For the DoD, OT systems also include mission platforms, weapons systems, sensors and radars.
OT also encompasses technologies such as industrial sensors, alarm networks and factory machinery—all increasingly in the crosshairs as attackers escalate their efforts.
“For OT and weapon systems, we are coming out with initial zero trust guidance. Why? Because the adversary is attacking,” said Randy Resnick, the DoD’s zero trust portfolio management office senior advisor. “The adversary wants to get into weapon systems to prevent their launch or mess with the GPS coordinates, so the DoD is looking to initially secure these things beyond what they are today.”
Although the imminent guidance will focus on general OT, follow-on guidance is likely to address weapons systems and defense-critical infrastructure as well.
The stakes are high because OT is where cyber vulnerabilities translate into real-world consequences, such as disrupting physical operations, halting logistics and impairing critical manufacturing.
Why OT security isn’t plug-and-play
The core mission of OT systems—ensuring continuous, safe operations—sometimes runs counter to the agility demanded by modern cybersecurity practices. Often decades old and designed for nonstop operation, many OT systems are hard to patch or upgrade, with custom hardware and unsupported legacy software complicating security.
Although many OT systems now include networked components, servers and web interfaces, applying conventional IT security tools can jeopardize stability. Installing endpoint security may be routine on a workstation, but it can trigger failures on more complicated systems such as a programmable logic controller or other advanced components for managing factory operations.
DoD officials have indicated that the forthcoming OT zero trust guidance will outline 35 to 40 specific activities—roughly half the scope of its IT counterpart. While the final framework remains to be seen, this is a promising indication that the department recognizes OT security requires a tailored approach, not a one-size-fits-all solution.
Collaboration to drive practical outcomes
Securing OT under a zero trust framework isn’t just a technical challenge; it’s an organizational one. Success depends on aligning IT and OT stakeholders early. IT-driven policies often overlook OT’s operational realities, while OT teams may resist security measures they view as disruptive. Collaboration ensures strategies are practical, effective, and mission ready.
With alignment in place, agencies should start by implementing segmentation. Creating strict boundaries between systems, such as separating HVAC from surveillance and isolating fire suppression from medical devices, limits lateral movement and contains breaches. Most agencies already have the infrastructure (switches, routers and firewalls) needed to implement segmentation and reduce risk quickly.
Next, agencies must enforce precise access and identity controls. Zero trust isn’t just about defining who can access a system, but also tightly controlling what users are allowed to do. In OT environments, this means highly granular, role-based permissions.
For example, HVAC technicians should have no access pathways to surveillance or alarm systems. OT’s fixed-function nature makes it easier to lock down expected behaviors and block everything else, but this demands close coordination between security teams and operational staff to align controls with real workflows.
Tool selection and visibility come next. Many IT vendors now offer OT-branded security solutions, but these tools must be purpose-built for OT’s unique constraints. Applying standard IT controls, even from trusted vendors, without verifying OT compatibility risks disruption instead of protection.
For systems that can’t support direct security agents, teams can embed network-based sensors to continuously monitor for anomalies without interfering with sensitive systems. This external visibility strengthens detection and response while protecting even outdated or fragile devices.
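The three measures above (segmentation by system class, role-based permissions that lock down expected behavior and deny everything else, and passive network sensors that flag anomalies) can be expressed as one default-deny policy and checked against observed traffic. The following is an added illustration, not code from the article or the DoD; the zone names, roles and sample flows are constructed assumptions.

```python
"""Default-deny OT zone/role policy evaluator run over constructed flow records.
Added example; zones, roles and flows are illustrative assumptions."""
from dataclasses import dataclass

# Segmentation boundaries: each OT system class sits in its own zone, plus the
# corporate IT zone that technicians connect from.
ZONES = {"hvac", "surveillance", "fire_suppression", "medical", "it_corp"}

# Allow-list of (role, source_zone, dest_zone, action). OT's fixed-function
# nature lets us enumerate expected behaviour; anything not listed is denied,
# including any direct OT-zone-to-OT-zone path.
POLICY = {
    ("hvac_tech", "it_corp", "hvac", "read"),
    ("hvac_tech", "it_corp", "hvac", "write"),
    ("security_officer", "it_corp", "surveillance", "read"),
    ("biomed_engineer", "it_corp", "medical", "read"),
    ("biomed_engineer", "it_corp", "medical", "write"),
}

@dataclass(frozen=True)
class Flow:
    role: str
    src_zone: str
    dst_zone: str
    action: str

def decide(flow: Flow) -> str:
    """Return 'allow' only for an explicitly listed tuple; otherwise 'deny'."""
    if flow.src_zone not in ZONES or flow.dst_zone not in ZONES:
        return "deny"  # unknown zone: never trusted by default
    return "allow" if (flow.role, flow.src_zone, flow.dst_zone, flow.action) in POLICY else "deny"

def audit(flows: list) -> list:
    """Passive-sensor style check: return observed flows that violate policy,
    without touching the (possibly fragile) devices themselves."""
    return [f for f in flows if decide(f) == "deny"]

# Constructed sample flows (not real telemetry).
SAMPLE_FLOWS = [
    Flow("hvac_tech", "it_corp", "hvac", "write"),            # expected
    Flow("hvac_tech", "it_corp", "surveillance", "read"),     # role crossing a boundary
    Flow("hvac_tech", "hvac", "fire_suppression", "read"),    # OT zone to OT zone
    Flow("security_officer", "it_corp", "surveillance", "read"),
    Flow("biomed_engineer", "it_corp", "medical", "write"),
    Flow("biomed_engineer", "it_corp", "hvac", "read"),       # wrong system class
]

if __name__ == "__main__":
    for violation in audit(SAMPLE_FLOWS):  # prints the three denied flows
        print("VIOLATION:", violation)
```

In a real deployment the flow records would come from the network sensors described above and the allow-list from the joint IT/OT review of actual workflows.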
Together, these measures create a resilient foundation for OT security. Agencies that act now will strengthen their posture, meet compliance requirements and safeguard mission-critical operations in an increasingly contested landscape.
Securing for the long term
The DoD’s forthcoming OT guidance marks a pivotal shift in zero trust, expanding its reach from IT to the physical systems that sustain defense operations. But success depends on more than new policies; it requires disciplined execution and collaboration across various operational teams.
As adversaries increasingly target the operational backbone of defense, OT security has become the new frontline of cybersecurity. The forthcoming guidance will offer a roadmap, but true resilience demands action now.
Defense agencies that move decisively, segregating systems, tightening access controls, selecting purpose-built tools and fostering strong collaboration, will build lasting operational strength. They’ll be prepared for the next attack—and every one that follows.