The Department of the Air Force is set to adopt zero trust cybersecurity principles for its operational technology (OT) systems, marking a significant shift in its approach to securing critical infrastructure. During the Alamo ACE conference in San Antonio, Aaron Bishop, the Chief Information Security Officer for the Department of the Air Force, emphasized that the unique nature of OT environments necessitates a tailored security framework.
As the Air Force prepares to align its industrial control systems with zero trust principles, Bishop highlighted that the requirements established for information technology (IT) systems cannot be directly applied to OT. The Pentagon has mandated a minimum of 91 target-level goals for IT compliance across the Defense Department by the end of fiscal year 2027. However, Bishop pointed out that the OT landscape encompasses distinct challenges that require a different approach.
The upcoming framework acknowledges that components like airport runway landing lights and elevators behave differently from traditional IT systems such as email servers. Bishop stated, “You cannot apply 100 percent identically what you did with your laptop to a PLC,” referring to programmable logic controllers that are integral to many OT environments. The Air Force plans to develop a specific set of compliance targets for OT, which are expected to extend into the next decade.
Operational Technology as a Vulnerable Target
Bishop framed the urgency of the OT initiative in stark operational terms. The Air Force recognizes that adversaries do not need to infiltrate networks to disrupt operations. Disabling utilities or support systems at a base can achieve similar effects, as can disrupting power supplies that feed the base. He explained, “[OT systems are] typically not connected, so you can’t see them every day; you don’t know what’s happening with them.”
The long lifecycles of OT systems, often exceeding a decade, compound the challenges. As Bishop noted, this creates a situation where outdated systems must be updated, even as they are expected to remain operational for several more years. The combination of proprietary hardware, limited visibility, and the need for updates complicates the application of any security framework, particularly one as nuanced as zero trust.
Building Resilience into Infrastructure
Bishop stressed that the goal of implementing zero trust is to ensure that infrastructure remains operational even when under attack. This approach differs from focusing solely on redundancy or recovery processes; the aim is to prevent systems from being compromised in the first place. He acknowledged that the diversity of supervisory control and data acquisition (SCADA) systems in the OT realm presents unique challenges, requiring a rethinking of the secure-by-design engineering principles typically employed in IT.
The anticipated OT “fan chart” will serve as a visual roadmap for zero trust activities, outlining the necessary capabilities and their timelines for implementation. Bishop cautioned that this effort will require time and ongoing adjustments. He emphasized that excluding OT from the zero trust initiative is not viable in an environment where adversaries may target any connected system capable of disrupting operations.
“Zero trust is never done,” Bishop concluded. “You can always find new ways to protect yourself within yourself.” This comprehensive approach highlights the Air Force’s commitment to enhancing the security of its operational technology as a crucial component of its broader cybersecurity strategy.