The United States Air Force is set to implement zero trust cybersecurity principles for its operational technology (OT) systems that manage bases and critical infrastructure. This move, announced by senior Air Force official Aaron Bishop during the recent Alamo ACE conference in San Antonio, reflects a growing recognition of OT as a vital component of national security.
Bishop emphasized that the requirements established by the Pentagon for information technology (IT) systems, such as laptops and networks, cannot be directly applied to OT environments. The Defense Department has outlined a minimum of 91 target-level goals that IT systems must meet by the end of fiscal 2027. However, he cautioned that OT systems, which include programmable logic controllers (PLCs), operate under different conditions and risks.
“You cannot apply 100 percent identically what you did with your laptop to a PLC,” Bishop stated. He highlighted that while both IT and OT systems are susceptible to cyber threats, they function differently, requiring a tailored approach to security. The Air Force is currently developing a specific framework for OT that acknowledges the unique challenges posed by systems such as airport runway landing lights and elevators.
Tailored Approach for Unique Systems
The Pentagon’s push for zero trust compliance in IT serves as a foundation, but the application to OT systems will be more gradual. Bishop noted that compliance targets for OT and weapons systems are expected to extend into the end of the decade. In response, the Department of Defense (DoD) Chief Information Officer’s office is creating an OT “fan chart,” a visual roadmap detailing the implementation of zero trust activities over time. This chart aims to provide realistic targets for compliance and enhance the security posture of OT environments.
As the Air Force reassesses its cybersecurity strategy, it recognizes that an adversary does not need to penetrate a network to disrupt operations. Disabling utilities or support systems at a base can have significant operational impacts. Bishop pointed out the necessity of addressing vulnerabilities in OT systems, which often lack visibility and are based on proprietary technologies. “They’re typically not connected, so you can’t see them every day,” he explained.
The long lifecycle of many OT systems complicates the cybersecurity landscape. Many installations have been in use for a decade or longer, and the technology may be outdated from both IT and OT perspectives. This challenge necessitates updating security frameworks so that they can adequately protect these systems.
Building Resilience Against Cyber Threats
Bishop’s vision extends beyond mere compliance; he aims for an infrastructure capable of withstanding active cyber attacks. He underscored that the goal of zero trust is to ensure systems remain operational even when under threat. This approach requires a shift from traditional redundancy and recovery processes to an emphasis on resilience from the outset.
The integration of secure-by-design engineering principles from IT into the OT realm is essential for building this resilience. The upcoming OT fan chart will serve as a reference for the Air Force’s progress towards achieving a comprehensive zero trust framework that encompasses all aspects of its operations.
Bishop concluded with a strong message: “Zero trust is never done. You can always find new ways to protect yourself within yourself.” The Air Force’s commitment to refining its cybersecurity approach reflects a proactive stance against evolving cyber threats, ensuring that both IT and OT systems are fortified against potential disruptions.