Chief of the Department of Defense Zero Trust Portfolio Management Office Randy Resnick (right), and DoD Senior Information Security Officer, David McKeown (left), hold an off-camera, on-the-record virtual press briefing on the release of the DoD Zero Trust Strategy and Roadmap at the Pentagon, Washington, D.C., Nov. 22, 2022. DoD photo by U.S. Air Force Tech. Sgt. Jack Sanders.

WASHINGTON — The Pentagon’s zero trust office has “pivoted” from a focus on shoring up the Defense Department’s information technology to better securing what’s known as “operational technology” (OT) and weapon systems from foreign hackers, the office’s director said Tuesday.

“For OT and weapon systems, we are coming out with initial zero trust guidance. Why? Because the adversary is attacking,” Randy Resnick, the director of the Zero Trust Office within the department’s Chief Information Office, told Breaking Defense Tuesday. “The adversary wants to get into weapon systems to prevent their launch, or mess with the GPS coordinates, so the DoD is looking to initially secure these things beyond what they are today.”

Resnick, who spoke to Breaking Defense on the sidelines of an event put on by the tech firm Red Hat, said in public remarks that his office has “pivoted” over the last six months to “thinking about OT.” He said defense critical infrastructure, including weapon systems, will follow. 

“OT also has vulnerabilities that we are concerned about,” he said.

Unlike IT, which primarily deals with software and data, OT generally refers to systems and devices that control physical processes, like thermostats, water tanks and machinery on a factory floor. They’re key components in critical infrastructure for civilians, but also in the sprawling defense ecosystem of facilities and systems. Defense critical infrastructure, meanwhile, is more related to weapon systems, Resnick said.

Resnick said that language in the 2022 National Defense Authorization Act mandated that the Pentagon focus on zero trust for IT, OT and DCI. As a result, Resnick’s office stood up a plan to transition to a zero-trust cybersecurity framework, with zero trust fully implemented across IT by the end of fiscal year 2027.

Given adversarial threats and the department’s progress in implementing zero trust into IT, Resnick said the next step is to create guidance for implementing zero trust in OT and then eventually DCI. 

“At the end of [2027] we’re going to have a number of successes that achieve [our 2027] target, if not [advancing it],” he said of the IT zero trust strategy during the panel.  

“We are going to be coming out with guidance for OT, and that’ll probably come out at the end of summer [2025] and we’ll have a date beyond 2027 where we start establishing ZT [zero trust] into OT. Then, of course, we’re also concerned about defense critical infrastructure, so that’s another thing,” he added.

The Costs Of An OT Attack

If adversaries are able to hack into the DoD’s OT like machinery in factories, it could lead to catastrophic results, Resnick warned. 

“The DoD leases and owns factories, the communication between every single piece of equipment is not IT. So it’s OT, okay, the whole factory runs on OT,” he told Breaking Defense. “If they coordinated across 10 to 15 things simultaneously, it means a tremendous amount.”

“It could shut the factory down for a period of time until they’ve recovered. DoD could be put out for a month. I hope not, but that’s the worst case scenario. It’s a point of vulnerability, it’s a point of attack. The whole point of zero trust is to prevent these attacks in a modern day sense,” he added. 

Resnick explained that vulnerabilities in OT can also let threat actors hack into IT, because OT is often connected to IT or the internet; that is how OT systems communicate with each other — think the Internet of Things.

“This creates a back door to get to IT, so I could break into OT, and it’s called ‘swim upstream.’ I want to prevent that,” he said.