The Defense Department is increasingly connecting operational technology (OT) systems to its information technology (IT) networks. This effort is needed to improve facility situational awareness and provide remote management. But it also exposes legacy OT systems to cyber threats from which they were previously isolated.

To counter threats that OT systems were not designed to endure, in late 2025 the DoD released new guidance on Zero Trust for Operational Technology Activities and Outcomes. In it, the Pentagon separates zero trust standards for IT like edge devices and cloud computing from those for OT like power, water and energy infrastructure and extending to modern weapons systems like tanks and unmanned aerial vehicles.

This guidance underscores a critical distinction in the two domains. OT environments regularly use legacy equipment and diverse process standards requiring specialized engineering expertise that prioritizes uptime. These qualities are quite different from IT security. Historically, it was sufficient to only consider the physical security of OT systems that are separated or air-gapped from IT. But convergence is becoming the norm as the department looks to simplify management of widely-distributed systems and mine data about OT performance, utilization, efficiency and more. Unfortunately, that connection increases the cyber attack surface.

Read on Federal News Network »