Air Force Adopts Zero Trust Cybersecurity for Operational Tech

The Department of the Air Force is implementing zero trust cybersecurity principles for its operational technology (OT) systems, which manage critical infrastructure at bases. This initiative aims to bolster defenses against cyber threats, as adversaries increasingly target these environments. Speaking at the Alamo ACE conference in San Antonio, Aaron Bishop, the Chief Information Security Officer for the Air Force, emphasized that the unique characteristics of OT require a customized approach distinct from traditional information technology (IT).

The Pentagon has set ambitious goals for its zero trust framework, mandating a minimum of 91 target-level objectives for IT systems to be met by the end of fiscal 2027. However, Bishop noted that these stringent requirements cannot be directly applied to OT systems, which include critical infrastructure such as airport runway lighting and elevators. “You cannot apply 100 percent identically what you did with your laptop to a PLC,” Bishop explained, referring to the programmable logic controllers integral to many OT environments.

Bishop said that while the Department of Defense (DoD) is advancing its zero trust initiatives for IT, OT compliance targets are expected to extend into the latter part of the decade. The DoD Chief Information Officer’s office is developing an OT “fan chart,” a visual roadmap detailing the necessary zero trust capabilities and their implementation timeline, which may be released by the end of the year.

Operational Technology as a Critical Vulnerability

Bishop framed the push for enhanced OT security in stark operational terms, highlighting the vulnerabilities these systems present. Adversaries do not need to breach networks directly to disrupt military operations. Instead, targeting utility systems or power supplies that support military bases can achieve similar disruptive effects. “OT systems are typically not connected, so you can’t see them every day; you don’t know what’s happening with them,” he stated. This lack of visibility, combined with the proprietary nature of many OT systems and their long life cycles, complicates the application of security measures like zero trust.

Bishop remarked on the lifecycle challenges posed by OT systems, some of which may have been operational for over a decade. “You expect to get 20 more years out of it for your capital cost, but now it’s outdated from an IT or OT perspective and we need to update it,” he said. This situation underscores the need for a tailored approach that acknowledges the distinct operational characteristics of OT compared to IT.

Building Resilience Through Zero Trust

The ultimate goal, according to Bishop, is not simply to meet compliance standards but to create an infrastructure resilient enough to withstand active cyber attacks. Zero trust principles aim to ensure that systems remain operational and secure, even under threat. While redundancy and recovery processes are important, the focus is on preventing systems from being compromised in the first place. This is particularly challenging given the diversity of supervisory control and data acquisition (SCADA) systems in use across the OT landscape.

Bishop stressed that the forthcoming OT fan chart will provide realistic benchmarks for achieving future zero trust compliance. He acknowledged that the journey toward enhanced security will require time and iterative efforts. Importantly, he noted that excluding OT from the zero trust strategy is not viable in an environment where adversaries are willing to exploit any connected system that could disrupt military operations. “Zero trust is never done,” he said. “You can always find new ways to protect yourself within yourself.”

The Air Force’s proactive stance on zero trust cybersecurity reflects a broader recognition that safeguarding operational technology is crucial for maintaining mission effectiveness and security in an ever-evolving threat landscape.