The Defense Department is increasingly connecting operational technology (OT) systems to its information technology (IT) networks. This effort is needed to improve facility situational awareness and provide remote management. But it also exposes legacy OT systems to cyber threats from which they were previously isolated.
To counter threats that OT systems were not designed to endure, in late 2025 the DoD released new guidance on Zero Trust for Operational Technology Activities and Outcomes. In it, the Pentagon separates zero trust standards for IT, such as edge devices and cloud computing, from those for OT, such as power, water and energy infrastructure, extending to modern weapons systems such as tanks and unmanned aerial vehicles.
This guidance underscores a critical distinction between the two domains. OT environments regularly use legacy equipment and diverse process standards that require specialized engineering expertise and prioritize uptime. These qualities are quite different from those of IT security. Historically, it was sufficient to consider only the physical security of OT systems that were separated or air-gapped from IT. But convergence is becoming the norm as the department looks to simplify management of widely distributed systems and mine data about OT performance, utilization, efficiency and more. Unfortunately, that connection increases the cyber attack surface.
Tackling the limits of zero trust for OT
Zero trust, a doctrine of never trust and always verify, is focused on defending against cyber threats and protecting data through exhaustive access-controlled security that emphasizes verifying each transaction rather than defending a perimeter. After major cyberattacks revealed that perimeter-based security was inadequate, the federal government mandated zero trust adoption as of 2021. But it is very difficult to implement many of the framework’s controls in an OT environment. In some cases, it is not even possible.
OT’s real-time and uptime requirements conflict with zero trust’s layered security approach, as legacy OT systems cannot support the modern security software integral to a zero trust architecture. Older programmable logic controllers and even newer Internet of Things devices have limited to no security controls; implementing dynamic trust algorithms is quite complex; and monitoring user behavior and data flows poses very different problems in each environment.
The DoD guidance acknowledges these cybersecurity challenges and expands the zero trust model beyond cyber defenses to explicitly incorporate physical security measures for OT systems. This means that in addition to software-based controls, operators must deploy and integrate traditional physical protections such as perimeter surveillance systems, environmental monitoring, access card readers and motion sensors as part of a unified security strategy. Taken together, cyber and physical measures ensure that zero trust does not stop at the network boundary but extends to how and where OT systems can be reached and manipulated in the real world.
The guidance simplifies OT network architectures into two layers: the operational layer and the process control layer. This enables limited changes to legacy process control equipment when it is protected with hardware-enforced mechanisms at the operational layer. For example, installing a data diode at the operational layer — between the OT environment and any external or internet-connected network — ensures that data can only flow out of OT, effectively blocking adversary access from outside in. That changes the security equation. Zero trust focuses on mitigating damage a rogue actor could cause once inside a network, but the right hardware-enforced security will prevent many breaches from happening in the first place.
Micro-segmentation is the core strategy
Implementing hardware-enforced security devices enables network micro-segmentation, creating boundaries that separate subsets of data associated with different work environments while restricting data flow to only one way. This prevents lateral data movement between the OT and IT networks, but still allows collection and routing of information that provides visibility into key performance metrics.
Because a network environment is far more dynamic in reality than in inventory documents, significant effort is needed to intelligently devise the appropriate segmentation. All workflows, data flows and users must be identified in order to evaluate what can be separated and isolated. This involves detailing every point where data can be touched and manipulated, and evaluating the dynamic trust algorithms that control what can happen after a user is allowed to view or change it.
Certain data flows, such as for auditing or monitoring, will still require some connection between micro-segments. But given software’s inherent vulnerabilities, limiting that transfer to a hardware-enforced, one-way connection is the only option for truly mitigating external threats and ensuring the data is trustworthy — the ultimate application of zero trust.
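The outward-only rule behind the data diode placement described above, and the micro-segmentation audit the preceding paragraphs call for, can be checked against flow records. The following is an added example, not code from the article or from Owl Cyber Defense; the zone subnets, the log line format and the sample flows are constructed assumptions, and the policy is deliberately fail-closed for addresses outside any known zone.

```python
import ipaddress
import re

# Trust tiers of the two-layer OT model plus IT: data may only move from a
# lower tier to a higher one (process control -> operational -> IT).
ZONES = {
    "process_control": (ipaddress.ip_network("10.10.0.0/16"), 0),
    "operational": (ipaddress.ip_network("10.20.0.0/16"), 1),
    "it": (ipaddress.ip_network("10.30.0.0/16"), 2),
}
LINE_RE = re.compile(r"src=(\S+) dst=(\S+) proto=(\S+) dport=(\d+)")

def tier_of(ip: str):
    """Trust tier of an address, or None if it belongs to no known zone."""
    addr = ipaddress.ip_address(ip)
    for net, tier in ZONES.values():
        if addr in net:
            return tier
    return None

def check_flow(src: str, dst: str) -> str:
    """'allow' for outward or same-tier flows, 'inbound' for a flow toward a
    lower tier (diode policy violation), 'unknown' when a side is unmapped."""
    st, dt = tier_of(src), tier_of(dst)
    if st is None or dt is None:
        return "unknown"  # fail closed: unmapped addresses are never trusted
    return "allow" if st <= dt else "inbound"

def audit(lines):
    """Return (verdict, line) for every line that is not an allowed flow."""
    findings = []
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            findings.append(("unparsed", line))  # never silently skipped
            continue
        src, dst, _proto, _dport = m.groups()
        verdict = check_flow(src, dst)
        if verdict != "allow":
            findings.append((verdict, line))
    return findings

SAMPLE_LOG = [  # constructed flow records, not real traffic
    "t=1 src=10.10.1.5 dst=10.20.1.9 proto=udp dport=514",  # PLC -> historian
    "t=2 src=10.20.1.9 dst=10.30.4.2 proto=tcp dport=443",  # operational -> IT
    "t=3 src=10.30.4.2 dst=10.20.1.9 proto=tcp dport=22",   # IT -> operational
    "t=4 src=10.30.4.2 dst=10.10.1.5 proto=tcp dport=502",  # IT -> PLC
    "t=5 src=192.0.2.7 dst=10.10.1.5 proto=tcp dport=502",  # unknown source
]
```

Running `audit(SAMPLE_LOG)` reports the two inbound flows and the unmapped source; the outward flows in the first two records pass, which is exactly what a diode at the operational layer would permit.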
A new standard for superior defense
While much needed and certainly laudable, the DoD’s new guidance is predicated on best practices and standards that have been used for decades to protect highly sensitive information in commercial sectors, such as nuclear energy. It also incorporates existing government rules protecting air-gapped classified networks.
By acknowledging the limitations of software-based zero trust approaches in the complicated OT-IT converged domain, the department is directing its personnel to prioritize the most effective controls available: hardware-enforced security and micro-segmented boundaries.
As the DoD standardizes and makes its guidance public, the defense industrial base ecosystem must expand its zero trust approach to ensure that all of the systems on which our warfighters depend are as secure and reliable as possible.
Ralph Spada is a technical fellow at Owl Cyber Defense.
© 2026 Federal News Network.