The United States Air Force is set to implement zero trust cybersecurity principles within its operational technology (OT) environments, a move aimed at enhancing the security of its bases and critical infrastructure. During his address at the Alamo ACE conference in San Antonio, Aaron Bishop, the Chief Information Security Officer for the Department of the Air Force, emphasized that OT systems cannot simply replicate the cybersecurity requirements established for information technology (IT) systems.
As part of the Pentagon’s broader cybersecurity strategy, the Defense Department aims to achieve a minimum of 91 target-level goals for IT systems by the end of fiscal 2027. However, Bishop noted that the unique characteristics of OT environments—such as airport runway landing lights and elevators—require a tailored approach. “You cannot apply 100 percent identically what you did with your laptop to a PLC,” Bishop stated, referring to the programmable logic controllers central to many OT systems.
The Pentagon’s existing zero trust requirements focus primarily on IT systems, but Bishop pointed out that the Air Force’s OT systems face different operational challenges. These challenges call for a specialized framework that acknowledges the distinct functionalities and security profiles of OT compared to conventional IT.
Operational Technology as a Target
Bishop framed the necessity for enhanced OT security in stark operational terms. He highlighted that adversaries do not need to breach a network to disrupt Air Force operations. Interruptions to utilities or support systems at bases can effectively cripple mission planning and execution. “OT systems are typically not connected, so you can’t see them every day,” Bishop explained. “They’re typically proprietary, and you also have the lifecycle problem where the system has been there for 10 years. You expect to get 20 more years out of it for your capital cost, but now it’s outdated.”
The unique challenges posed by long system lifecycles, vendor-specific hardware, and limited visibility complicate the application of any security framework, particularly the granular, identity- and data-centric model that zero trust embodies.
Building Resilience from the Ground Up
For Bishop, the ultimate goal is not merely to meet compliance standards but to create a resilient infrastructure that remains functional even under active cyber attack. This approach goes beyond redundancy and recovery processes. Instead, zero trust aims to ensure that systems operate securely without succumbing to adversaries during cyber incidents. This presents a significant challenge, given the diverse range of supervisory control and data acquisition systems present in the OT landscape.
To guide the implementation of zero trust in OT, the office of the Department of Defense’s Chief Information Officer is developing an OT “fan chart.” This visual roadmap will outline the necessary capabilities and their timelines for implementation. Bishop cautioned that the work involved in establishing this framework will require time and ongoing iteration.
He emphasized the importance of including OT in the zero trust initiative, particularly as adversaries increasingly target any connected system that can influence operations. “Zero trust is never done,” Bishop asserted. “You can always find new ways to protect yourself within yourself.”
As the Air Force prepares to navigate these challenges, the development of a coherent strategy for OT will be vital in securing its critical infrastructure against evolving cyber threats.