The U.S. Air Force Begins Implementing Zero-Trust Security on Base Control Systems

The U.S. Air Force has announced that it is beginning to apply zero-trust cybersecurity principles to the industrial control systems that operate its bases and infrastructure. A senior official, however, warned that operational technology (OT) environments cannot simply adopt the IT requirements currently imposed on computers and networks. These IT requirements include around 91 target-level goals that must be met across the entire Department of Defense by the end of fiscal year 2027.

Speaking at the Alamo ACE conference in San Antonio, Department of the Air Force Chief Information Security Officer Aaron Bishop said the Pentagon’s 2027 zero-trust mandate for IT is only the first step in protecting assets from cyberattacks.

He added that a dedicated framework for OT systems is now under development—one that acknowledges that systems such as runway landing lights and elevators may function differently from email servers but still represent potential cyberattack vectors.

“You cannot apply the same measures to a PLC as you would to your laptop,” Bishop said. “These systems don’t operate the same way, they don’t connect the same way, and they don’t interact the same way. So, the same 92 IT-focused objectives cannot be applied to OT.”

He noted that OT systems and weapons platforms will follow a slower compliance track, with zero-trust targets expected to stretch toward the end of the decade.

Meanwhile, the department’s CIO office is working on an OT “fan chart,” a visual roadmap detailing required zero-trust capabilities and timelines, expected to be released before the end of the year.

Bishop emphasized that OT systems represent a mission-critical attack surface. Adversaries can disrupt missions without hacking networks directly—simply by targeting base utilities or external power supplies. “OT systems are often not continuously connected, they are typically proprietary, and they involve long lifecycles. A system may have been installed ten years ago, expected to run for twenty years, but is now outdated from both IT and OT perspectives,” he said.

He stressed that the goal of zero trust is not just compliance but building infrastructure capable of operating even while under active cyberattack. This includes applying secure-by-design engineering principles typically used in IT to the diverse world of OT systems, ensuring continuous functionality without downtime or adversary takeover.

Bishop added that achieving this will require time and iterative development, underscoring that excluding OT from zero-trust efforts is not an option in an environment where adversaries target any connected system that can affect operations. “Zero trust is never done,” he said. “You can always find new ways to protect yourself from within.”
