Key Takeaways
- The Defense Department is deliberately linking Operational Technology (OT) systems to its Information Technology (IT) networks to gain situational awareness and remote management, but this convergence expands the cyber‑attack surface.
- In late 2025 the DoD issued Zero Trust for Operational Technology Activities and Outcomes guidance, separating zero‑trust standards for IT from those tailored to OT environments such as power, water, energy infrastructure and modern weapons systems.
- Traditional software‑centric zero‑trust controls are difficult—or impossible—to apply to many legacy OT devices because of real‑time uptime requirements, limited processing power, and lack of native security features.
- The guidance therefore expands the zero‑trust model to include physical security measures (perimeter surveillance, environmental monitors, access‑card readers, motion sensors) alongside cyber controls, ensuring protection extends beyond the network boundary.
- OT networks are conceptualized in two layers—an operational layer (gateway to external/IT networks) and a process‑control layer (legacy controllers and sensors). Hardware‑enforced devices such as data diodes placed at the operational layer enforce one‑way data flow, blocking inbound adversarial traffic while allowing outbound telemetry.
- Micro‑segmentation, enabled by these hardware controls, creates isolated zones that restrict lateral movement between OT and IT networks yet still permits essential data collection for performance monitoring.
- Effective segmentation requires a detailed inventory of all workflows, data flows, and user interactions; only then can appropriate trust algorithms and isolation policies be defined.
- The DoD’s approach builds on proven practices from commercial critical‑infrastructure sectors (e.g., nuclear energy) and existing government rules for air‑gapped classified networks, recognizing that hardware‑enforced, policy‑driven boundaries are the most reliable zero‑trust mechanisms for OT.
- For the defense industrial base to fulfill its mission, it must adopt this expanded zero‑trust framework—combining cyber, physical, and architectural controls—to guarantee that every system warfighters depend on remains secure, resilient, and trustworthy.
Background: OT‑IT Convergence in the Defense Enterprise
The Defense Department is increasingly connecting operational technology (OT) systems—such as power generators, water treatment plants, energy distribution networks, and the sensors and actuators embedded in modern weapons platforms—to its information technology (IT) networks. This integration is driven by the need for real‑time facility situational awareness, remote diagnostics, and centralized performance analytics. While these benefits improve efficiency and enable data‑driven decision‑making, they also dismantle the historical air‑gap that once shielded legacy OT equipment from cyber threats. Consequently, OT assets that were previously isolated now reside on a shared attack surface, exposing them to the same adversaries that target corporate IT infrastructures.
DoD’s 2025 Zero‑Trust Guidance for OT
Recognizing the heightened risk, the Pentagon released in late 2025 the document Zero Trust for Operational Technology Activities and Outcomes. The guidance deliberately separates zero‑trust requirements for conventional IT (edge devices, cloud services, endpoints) from those appropriate for OT environments. OT‑specific standards address the unique characteristics of systems that control physical processes, ranging from utility grids to unmanned aerial vehicles operating on the battlefield. By creating distinct but complementary frameworks, the DoD aims to ensure that security measures respect the operational realities of OT while still delivering the core zero‑trust principle: never trust, always verify.
Why Traditional Zero Trust Falters in OT
Zero trust, as originally conceived for IT, relies on continuous authentication, least‑privilege access, and micro‑perimeter enforcement via software‑based controls such as identity providers, endpoint detection, and secure web gateways. Many legacy OT devices—programmable logic controllers (PLCs), older SCADA radios, and even some newer Internet‑of‑Things (IoT) sensors—lack the computational resources to run modern security agents, support multi‑factor authentication, or enforce dynamic trust algorithms. Moreover, OT processes often demand deterministic latency and near‑100 % uptime; inserting latency‑inducing security inspections or frequent re‑authentication cycles can jeopardize safety and mission effectiveness. Consequently, a pure software‑centric zero‑trust approach is either infeasible or overly disruptive in many OT settings.
Integrating Physical Security into the Zero‑Trust Model
To overcome these limitations, the DoD guidance expands the zero‑trust paradigm beyond purely cyber defenses. It mandates that operators supplement software controls with traditional physical security measures: perimeter surveillance cameras, environmental monitors (temperature, humidity, vibration), access‑card readers, biometric scanners, and motion detectors. These controls are treated as integral components of a unified security strategy, ensuring that zero trust does not stop at the network boundary but extends to the physical realm where OT hardware can be accessed, tampered with, or sabotaged. By coupling cyber verification with physical verification, the department creates defense‑in‑depth that addresses both digital intrusion and hands‑on manipulation.
Architectural Layering: Operational vs. Process‑Control Layers
The guidance simplifies OT network topology into two logical layers to facilitate targeted protections. The operational layer sits at the periphery of the OT environment, interfacing with external or IT networks. This is where traffic entering or leaving the OT zone is inspected and filtered. The process‑control layer houses the legacy controllers, sensors, and actuators that directly manage physical processes; it is intentionally kept as isolated as possible. By concentrating security enforcement at the operational layer, the DoD allows minimal disruption to the real‑time, deterministic functions of the process‑control layer while still guarding against inbound threats.
Hardware‑Enforced Controls: Data Diodes and One‑Way Flow
A cornerstone of the recommended architecture is the use of hardware‑enforced security devices, most notably data diodes, deployed at the operational layer. A data diode permits data to travel in only one direction, typically outbound from OT to IT, while physically blocking any inbound flow. This unidirectional gate ensures that even if an adversary compromises an IT asset, they cannot inject malicious commands or malware into the OT network through that path. Outbound telemetry (performance metrics, health status, audit logs) can still flow freely, preserving visibility for commanders and analysts without exposing the OT core to inbound risk. Two practical consequences follow. Because there is no return channel, protocols that expect acknowledgements (TCP‑based historian replication, for instance) must terminate on proxies on each side of the diode, and the sending side must tolerate loss or resend. And the diode protects only the link it sits on: removable media, vendor laptops, and out‑of‑band remote‑access modems still reach the process‑control layer directly, which is why the physical controls described above are treated as part of the same zero‑trust boundary rather than as a separate discipline.
Micro‑Segmentation as the Core Strategy
Building on hardware‑enforced boundaries, the DoD advocates micro‑segmentation as the primary means of isolating critical assets. By inserting firewalls, unidirectional gateways, or VLAN‑based partitions between logical zones, such as separating the power‑generation subsystem from the water‑treatment subsystem, organizations prevent lateral movement of threats. Should an attacker breach one segment, the segmentation walls contain the breach, limiting its impact. Essential monitoring and audit data can still traverse segments, but only via the approved, hardware‑enforced one‑way paths, so a monitoring path can never be repurposed as a command path back into the protected segment.
Implementation Challenges: Mapping Workflows and Trust Algorithms
Realizing effective micro‑segmentation is not a plug‑and‑play exercise. It requires a meticulous inventory of every workflow, data flow, user role, and device interaction within the OT environment. Engineers must document where data is generated, how it is transformed, who (or what) can access it, and what actions are permitted after access is granted. Only with this granular map can appropriate trust algorithms—rules that decide whether a request is allowed based on identity, context, and behavior—be defined and enforced. The process is labor‑intensive, especially for large, geographically dispersed installations, but it is indispensable for creating segmentation policies that do not inadvertently block legitimate operational traffic.
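As an added example, not code from the DoD guidance or from any vendor it cites, the following Python models the three preceding sections together: the two‑layer topology with a diode on the OT/IT edge, default‑deny segmentation between process‑control segments, and a flow inventory that is the only source of "allow" decisions. Zone names, ports, the inventory, and the observed flows are constructed for illustration. Running it over the constructed capture shows the failure mode this section warns about: a legitimate engineering session the mapping missed is dropped by default, and the inventory‑gap report is what an engineer would work from before enforcement is switched on.

```python
"""Default-deny segmentation policy for a two-layer OT topology
(operational layer, process-control layer, one-way diode toward IT).
Added illustration; zone names, ports, inventory and observed flows are
constructed assumptions, not taken from the DoD guidance."""
from __future__ import annotations

from dataclasses import dataclass
from enum import Enum


class Zone(str, Enum):
    IT = "it"                        # enterprise / external networks
    OPERATIONAL = "ot-operational"   # gateway layer where enforcement sits
    POWER_GEN = "ot-process-power"   # process-control segment (constructed)
    WATER = "ot-process-water"       # process-control segment (constructed)


PROCESS_SEGMENTS = {Zone.POWER_GEN, Zone.WATER}
GAP_REASON = "not in inventory: map it or keep it blocked"


@dataclass(frozen=True)
class Flow:
    src: Zone
    dst: Zone        # zone that receives the connection or datagram
    proto: str
    port: int
    purpose: str = ""

    def key(self) -> tuple[Zone, Zone, str, int]:
        # Purpose is documentation; the policy matches on the 4-tuple.
        return (self.src, self.dst, self.proto, self.port)


# Constructed inventory: the output of the workflow / data-flow mapping step.
# Only flows listed here are eligible to be allowed (default deny).
INVENTORY = [
    Flow(Zone.POWER_GEN, Zone.OPERATIONAL, "udp", 514, "PLC syslog to collector"),
    Flow(Zone.OPERATIONAL, Zone.WATER, "tcp", 502, "historian polls water PLC (Modbus/TCP)"),
    Flow(Zone.OPERATIONAL, Zone.IT, "udp", 514, "telemetry export across the diode"),
]
ALLOWED = {f.key(): f.purpose for f in INVENTORY}


def evaluate(flow: Flow) -> tuple[str, str]:
    """Return (decision, reason). Structural rules are checked before the
    inventory because the diode and segment boundaries hold no matter what
    an operator lists as approved."""
    # Diode: there is physically no path from IT into any OT zone.
    if flow.src == Zone.IT and flow.dst != Zone.IT:
        return "deny", "diode: no inbound path from IT"
    # Only the operational layer sits on the sending side of the diode.
    if flow.dst == Zone.IT and flow.src != Zone.OPERATIONAL:
        return "deny", "only the operational layer may egress through the diode"
    # Process-control segments never reach each other directly.
    if flow.src in PROCESS_SEGMENTS and flow.dst in PROCESS_SEGMENTS and flow.src != flow.dst:
        return "deny", "lateral movement between process segments"
    purpose = ALLOWED.get(flow.key())
    if purpose is None:
        return "deny", GAP_REASON
    return "allow", purpose


def inventory_gaps(observed: list[Flow]) -> list[Flow]:
    """Flows seen on the wire that would be dropped only because the mapping
    missed them. These are the flows that break legitimate operations if
    segmentation is enforced before the inventory is complete."""
    return [f for f in observed if evaluate(f) == ("deny", GAP_REASON)]


# Constructed sample of observed flows, as if taken from a span-port capture.
OBSERVED = [
    Flow(Zone.POWER_GEN, Zone.OPERATIONAL, "udp", 514),
    Flow(Zone.OPERATIONAL, Zone.WATER, "tcp", 502),
    Flow(Zone.OPERATIONAL, Zone.IT, "udp", 514),
    Flow(Zone.IT, Zone.WATER, "tcp", 502),                  # command attempt from IT
    Flow(Zone.POWER_GEN, Zone.WATER, "tcp", 502),           # lateral move between segments
    Flow(Zone.OPERATIONAL, Zone.POWER_GEN, "tcp", 44818),   # unmapped EtherNet/IP engineering session
]

if __name__ == "__main__":
    for f in OBSERVED:
        decision, reason = evaluate(f)
        print(f"{f.src.value:>16} -> {f.dst.value:<16} {f.proto}/{f.port:<5} {decision:5} {reason}")
    gaps = inventory_gaps(OBSERVED)
    print("inventory gaps:", [(g.src.value, g.dst.value, g.proto, g.port) for g in gaps])
```

The model deliberately matches on the initiating direction only; return packets of an approved TCP session are assumed to be handled by stateful inspection at the enforcement point, which is also why a flow the historian initiates into a process segment can be approved while nothing may initiate into OT from IT. In practice the inventory above is the artifact that takes the most effort to produce, and the gap report is run repeatedly against captures until it is empty before the deny rules go live.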
Leveraging Established Standards and Practices
The DoD’s OT zero‑trust framework does not invent security from scratch; it builds on decades‑long best practices from sectors that already manage high‑consequence OT, such as nuclear power generation, chemical processing, and offshore oil platforms. Those industries have long relied on physical barriers, unidirectional gateways, and strict change‑control procedures to protect safety‑critical systems. Additionally, the guidance aligns with existing government directives for safeguarding air‑gapped classified networks, recognizing that the same principles of isolation, hardware enforcement, and rigorous access control apply whether the asset is a weapons system or a strategic communications node.
Call to Action for the Defense Industrial Base
As the DoD formalizes and disseminates its OT zero‑trust guidance, the responsibility extends across the defense industrial base, including contractors, suppliers, and maintainers, to adopt the same expanded mindset. Vendors must design new OT hardware with built‑in security hooks (e.g., tamper‑evident enclosures, secure boot, hardware roots of trust), while legacy‑system integrators should retrofit existing equipment with data diodes, policy enforcement points, and segmentation appliances. Sustained investment in training, threat‑modeling exercises, and continuous monitoring will be essential to ensure that the zero‑trust posture evolves alongside emerging threats.
Conclusion: Toward a Resilient, Trustworthy Defense Enterprise
The convergence of OT and IT networks offers undeniable operational advantages, but it also introduces significant cyber‑physical risk. The DoD’s 2025 Zero Trust for Operational Technology Activities and Outcomes guidance acknowledges that legacy OT constraints prevent a wholesale adoption of classic software‑centric zero trust. By augmenting cyber controls with mandatory physical security, layering the network into operational and process‑control zones, enforcing hardware‑based unidirectional flow, and implementing rigorous micro‑segmentation, the department provides a pragmatic, defense‑in‑depth roadmap. For the defense industrial base, embracing this expanded zero‑trust approach is not merely a compliance exercise; it is a strategic imperative to guarantee that every system upon which warfighters depend remains secure, reliable, and mission‑ready.