Air Force Hardens Base Infrastructure with Zero Trust for OT Security
The U.S. Air Force is taking a tailored approach to applying zero trust cybersecurity principles to the operational technology systems that manage base infrastructure and support critical military operations. Unlike the Pentagon’s information technology mandate requiring 91 compliance targets by fiscal year 2027, a specialized framework for operational technology (OT) environments is being developed to account for fundamental differences in how industrial control systems operate.
At the Alamo ACE conference in San Antonio, Department of the Air Force Chief Information Security Officer Aaron Bishop outlined why a one-size-fits-all approach to zero trust cannot work across both IT and OT domains. “You cannot apply 100 percent identically what you did with your laptop to a PLC,” Bishop explained, referring to the programmable logic controllers that form the backbone of many OT environments. PLCs and similar industrial systems use different interfaces and connection protocols than traditional computing equipment, so their security frameworks have to account for those architectural differences.
The Pentagon’s Defense Information Systems Agency is developing an OT “fan chart”—a visual roadmap showing what zero trust capabilities must be implemented and on what timeline. This tool is expected to provide clearer compliance targets for the military services, with OT compliance expectations extending to the end of the decade, significantly later than the 2027 IT deadline.
Bishop framed the operational technology security challenge in mission-critical terms. Modern adversaries recognize that disrupting base infrastructure—including power supplies, utilities, and support systems—can be as effective as network infiltration at preventing military operations. An attack on external power infrastructure that supplies a base, for example, could ground aircraft and disrupt mission planning without ever compromising internal networks.
Operational technology systems present unique security challenges beyond those affecting traditional IT networks. These systems often operate with limited visibility, rely on proprietary hardware and software from specific vendors, and have extended lifecycle expectations of 15-20 years. A system installed a decade ago may now be outdated from a cybersecurity perspective, yet replacing it conflicts with capital planning assumptions. This combination of long operational lifecycles, vendor lock-in, and visibility gaps creates substantial barriers to implementing zero trust’s granular, identity-centric security model.
Bishop emphasized that the ultimate goal extends beyond achieving compliance checkboxes. The Air Force is designing infrastructure that remains operational and secure even under active cyber attack. This requires transposing secure-by-design engineering principles from IT systems into the operational technology domain, fundamentally changing how base infrastructure is architected and maintained.
The work ahead will require time and continuous iteration, Bishop cautioned. However, leaving operational technology outside zero trust security efforts is not viable in an environment where adversaries actively target any connected system affecting military operations. As Bishop concluded: “Zero trust is never done. You can always find new ways to protect yourself within yourself.”