Key Takeaways
- The U.S. Air Force created the Cyber Resiliency Office for Control Systems (CROCS) in 2024 to address operational‑technology (OT) cybersecurity gaps that other services have yet to close.
- OT systems—power, water, HVAC, access‑control, fuel‑depot controls—are low‑profile but essential; any mission fails without reliable electricity or water.
- Early efforts struggled with funding and staffing; CROCS succeeded by embedding OT‑security costs into the Department of Defense’s five‑year Program Objective Memorandum (POM) budget process.
- CROCS does not execute the technical work itself; it ensures contracts, skilled personnel, budget allocation, and prioritized mitigation plans are in place.
- The office works to break down reporting silos between OT owners, the Air Force CIO, and U.S. Cyber Command, improving visibility and coordination for cyber defense.
- Training pipelines and a defined cyber‑workforce role (DCWF Code 462 – Control Systems Security Specialist) are being established to create a sustainable OT‑security career path.
- Even air‑gapped OT devices require periodic connections for updates, challenging the notion of perfect isolation and prompting debate over continuous monitoring versus periodic checks under the DOD zero‑trust framework.
Background: The Growing Threat to Military OT Assets
For years, U.S. officials have warned that adversaries view the power and water supplies supporting domestic and overseas bases as attractive asymmetric targets. Disrupting these utilities can cripple military readiness far more easily than attacking front‑line combat systems. The 2015 Russian cyberattack on Ukraine’s power grid demonstrated that OT infrastructure is a viable vector, and subsequent incidents—including Iranian intrusions on U.S. water utilities and Chinese attempts to gain footholds in Guam’s power and water networks—have reinforced the perception that OT is now a frontline battleground.
Air Force Leadership in OT Cybersecurity
Recognizing the gap, the Air Force adopted an OT security strategy in May 2021, pledging to create a dedicated office responsible for policy, execution, and oversight. After two years of documentation and advocacy, the Cyber Resiliency Office for Control Systems (CROCS) reached initial operating capability in 2024, as announced by Department of the Air Force Principal Cyber Advisor Wanda Jones‑Heath. Modeled after the earlier Cyber Resiliency Office for Weapon Systems, CROCS was intended to serve as the “front door” for all OT‑related cybersecurity matters within the Air and Space Forces.
Overcoming Resource and Staffing Challenges
Initially, CROCS operated with only a handful of staff, reflecting the broader difficulty of securing funding for low‑visibility OT systems. Director Daryl Haegley highlighted a pivotal achievement: getting OT‑security costs incorporated into the Department of Defense’s Program Objective Memorandum (POM) process. By lining up assessments, mitigation, and training expenses within the five‑year budget plan used for major programs like the F‑35, the office transformed OT security from an unfunded mandate into a funded line item. Haegley emphasized that simply asking overstretched OT engineering teams to “find scraps” for cyber defense was ineffective; systematic budgeting was essential.
CROCS’ Role: Coordination, Not Direct Execution
Haegley clarified that CROCS does not perform the technical security work itself. Instead, the office ensures that appropriate contracts are in place, qualified personnel are hired or made available, budget flows to the right initiatives, and a prioritized list of required actions is maintained. This orchestration model allows CROCS to act as a governance hub, aligning disparate OT owners under a common security framework while leveraging existing service and contractor capabilities for hands‑on implementation.
Breaking Down Silos and Improving Visibility
A core objective of CROCS is to eliminate the “stove pipes” that have historically separated OT reporting from the Air Force CIO’s domain. Although OT system owners used the same risk‑management framework as IT, their monitoring and reporting existed in isolated channels, depriving the CIO of the visibility needed to defend networks holistically. CROCS was created to bring those streams together, giving the CIO the insight necessary to ensure that OT assets linked to service networks are properly defended. The office also liaises with U.S. Cyber Command, feeding it OT‑specific threat data so that the unified command can extend its cyber‑defense remit to include control‑system assets.
Training, Workforce Development, and the DCWF Role
To sustain OT security beyond temporary projects, CROCS partnered with the DOD CIO office to develop a cyber‑workforce role within the Defense Cyber Workforce Framework (DCWF). DCWF Code 462—Control Systems Security Specialist—covers device‑level configuration, ongoing security operations, and incident response for control systems. By formalizing this role, the Air Force creates a clear career path for OT‑cyber professionals, distinguishing them from pure IT cyber engineers while still requiring a solid grasp of adversary patterns and technical fundamentals.
The Myth of the Air Gap and Zero‑Trust Debate
Haegley noted that even in highly classified environments, the assumption of a perfect air gap is flawed. OT devices still need periodic firmware, software, or hardware updates, which require a temporary connection—whether via a contractor’s laptop in the civilian sector or a DOD “clean machine” secure laptop in the Air Force. This reality complicates defensive strategies. Under the DOD’s emerging zero‑trust standards, two schools of thought exist: one advocates connecting OT devices to enable continuous, real‑time monitoring; the other insists on keeping them isolated and performing scheduled, manual checks. CROCS is currently facilitating industry dialogue to determine which approach offers better risk mitigation in different operational contexts.
Strategic Importance: Why Power and Water Matter
Summarizing the stakes, Haegley bluntly stated, “We’ve yet to find any mission that can work without power or water.” This simple observation underscores why OT security cannot be relegated to an afterthought. Adversaries recognize that disabling utilities can impede troop movements, hinder communications, degrade logistics, and blunt the effectiveness of high‑end weapon systems—effectively neutralizing the technological advantage the U.S. military enjoys elsewhere. Consequently, securing OT is not merely an IT issue; it is a foundational component of national defense readiness.
Conclusion: A Model for the Joint Force
The Air Force’s establishment of CROCS illustrates how a dedicated OT‑security office can overcome bureaucratic inertia, secure sustainable funding, and create the governance structures needed to protect essential infrastructure. While challenges remain—particularly around balancing connectivity with security and developing a skilled OT‑cyber workforce—the framework being built at CROCS offers a template that the other services, and indeed civilian critical‑infrastructure sectors, can adapt to fortify their own operational‑technology defenses against evolving threats.

