Five stages to secure military operational technology using zero trust and risk operations centers

As adversaries continue targeting critical U.S. infrastructure, DoD officials must continue to drive a proactive approach to zero trust and OT security.

Despite investments in cyber-physical system (CPS) security, recent research indicates that more than two-thirds of government operational technology (OT) leaders expect a disruptive cyber incident within the next year.

Recognizing these risks, energy leaders at the 2025 Billington CyberSecurity Summit called for tighter integration of information technology (IT) and OT security to protect the nation’s power grid. The Pentagon responded in November 2025 by issuing authoritative guidance for OT, titled “Zero Trust for Operational Technology Activities and Outcomes,” which details 84 minimum and 21 advanced OT-specific zero trust activities. The goal is to protect critical systems such as industrial controls and building automation, closing the gap between legacy OT and the broader Defense Department zero trust strategy.

The guidance, known as the OT fan chart, provides a revised set of activities and outcomes to support current and future adoption of zero trust principles in OT environments. The fan chart is a visual roadmap of the specific cybersecurity capabilities and activities needed to secure OT, and it reflects the differences between IT and OT practice that the Pentagon has documented.

The zero trust for OT guidance is aligned with the zero trust for enterprise IT activities and outcomes so that the two remain interoperable. Unlike IT systems, however, OT networks demand a strategy that minimizes disruption to physical processes while still defending against adversaries. This is where an OT-specific zero trust framework becomes critical: it gives agencies a practical roadmap to close visibility gaps, reduce cyber risk and strengthen the resilience of mission-critical infrastructure. With this foundation, agencies can take the steps necessary to operationalize zero trust in OT.

Five steps to operationalize zero trust in operational technology

  1. Establish comprehensive asset visibility and risk assessment

Before implementing security controls, defense agencies must gain a deep understanding of their OT environment. This means mapping every OT asset, understanding each asset’s role in the mission and assessing its risk level. The adoption of a risk operations center (ROC) can help. A ROC strengthens OT security by providing continuous, integrated monitoring and rapid response to risk across OT and IT environments, which lets agencies run risk assessments, manage asset discovery and visibility, and prioritize vulnerabilities on a risk basis. The ROC also brings IT and OT security teams together for a single view of the agency’s risk posture.

  2. Adopt network segmentation

Once assets and their risks are identified, defense agencies should divide the OT network into logical segments based on criticality and function. Segmentation limits an attacker’s lateral movement and contains a breach: a compromise of the building management system, for instance, must not give the attacker a path to electrical grid controls. Boundaries between segments should be enforced with an explicit allow-list of the flows each process actually needs, with everything else denied by default, rather than with broad permits that recreate the flat network the segmentation was meant to remove.

  3. Implement the zero trust fan chart

The Pentagon’s OT-specific fan chart guides the implementation of zero trust. Unlike IT networks, OT systems control physical processes such as manufacturing, weapons systems and utility grids. Active scanning, which probes and sometimes directly interacts with network assets, can interfere with or even damage fragile legacy devices. For this reason the OT fan chart emphasizes a passive approach, in which data is collected by observing network traffic (typically from a SPAN port or network tap) without touching the devices, minimizing risk while still giving security teams visibility. Passive collection only sees what devices actually transmit, so dormant assets and encrypted sessions can remain invisible; where a fuller picture is needed, any active queries should be vendor-approved and scheduled in maintenance windows.

  4. Incorporate continuous monitoring and analytics

Effective zero trust relies on continuous monitoring and data analytics to detect and respond to threats in real time. For OT, teams analyze data for anomalies, unauthorized access or other signs of compromise. Data may be collected passively and over time, but analysis must be rapid to address emerging threats. In this case, a ROC would serve as the operational hub for continuous monitoring and analytics needed for zero trust.

  5. Apply context-aware AI and automation

The growing volume and sophistication of cyber threats call for AI-assisted automation to triage alerts and analyze telemetry at a scale and speed analysts cannot sustain on their own. OT environments span a wide range of devices, from low-resource Internet of Things (IoT) sensors such as thermostats to high-resource industrial controllers and distributed control systems. Agentic AI, meaning self-orchestrating AI agents, can turn that telemetry into actionable findings, prioritizing risks by mission and business impact and, within defined guardrails, driving remediation in near real time. In OT those guardrails matter: any automated action that changes a controller’s state or isolates a device should require human approval, because a wrong response can halt a physical process.
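The following is an added example, not code from the Pentagon guidance or from the article’s author, showing how steps one through four fit together in practice: a passive asset inventory is built from flow records a SPAN or tap sensor would emit, a segmentation allow-list is applied to every flow, and a later capture is checked against the baseline for new assets, cross-segment traffic and unauthorized Modbus writes. The zone names, CIDR ranges, allow-list, MAC addresses and flow records are all constructed assumptions for illustration.

```python
import ipaddress

# Hypothetical segmentation plan (an assumption for this example): zone name -> CIDR.
SEGMENTS = {
    "bms": ipaddress.ip_network("10.10.0.0/24"),           # building management
    "grid_control": ipaddress.ip_network("10.20.0.0/24"),  # electrical distribution controllers
    "engineering": ipaddress.ip_network("10.30.0.0/24"),   # engineering workstations
}

# Hypothetical zero trust allow-list of (src_zone, dst_zone, dst_port).
# Any flow not listed is a policy violation; there is no implicit trust between zones.
ALLOWED_FLOWS = {
    ("engineering", "bms", 502),
    ("engineering", "grid_control", 502),
    ("bms", "bms", 502),
    ("grid_control", "grid_control", 502),
}

# Modbus/TCP function codes that change controller state, and the only zone allowed to send them.
MODBUS_WRITE_FCS = {5, 6, 15, 16}
WRITE_ZONES = {"engineering"}


def flow(src_ip, src_mac, dst_ip, dst_mac, dst_port, modbus_fc=None):
    """One flow record in the shape a passive sensor on a SPAN/TAP port would emit."""
    return {"src_ip": src_ip, "src_mac": src_mac, "dst_ip": dst_ip, "dst_mac": dst_mac,
            "proto": "tcp", "dst_port": dst_port, "modbus_fc": modbus_fc}


# Constructed baseline capture: routine register reads (FC 3) during a known-good period.
BASELINE_FLOWS = [
    flow("10.30.0.5", "00:50:56:aa:00:05", "10.20.0.10", "00:80:f4:01:00:10", 502, 3),
    flow("10.30.0.5", "00:50:56:aa:00:05", "10.10.0.20", "00:40:9d:02:00:20", 502, 3),
    flow("10.10.0.21", "00:40:9d:02:00:21", "10.10.0.20", "00:40:9d:02:00:20", 502, 3),
]

# Constructed later capture: the baseline traffic plus two events the policy should catch.
LIVE_FLOWS = BASELINE_FLOWS + [
    # A BMS host reaching into the grid_control zone and issuing a multi-register write (FC 16).
    flow("10.10.0.21", "00:40:9d:02:00:21", "10.20.0.10", "00:80:f4:01:00:10", 502, 16),
    # A host never seen in the baseline, in BMS address space, opening SSH to the same controller.
    flow("10.10.0.99", "3c:22:fb:00:00:99", "10.20.0.10", "00:80:f4:01:00:10", 22),
]


def zone_of(ip):
    """Map an address to its planned zone; anything outside the plan is 'unknown'."""
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return "unknown"


def build_inventory(flows):
    """Passive asset inventory: every endpoint observed, its zone, and the services it answered on.
    Nothing is sent to the devices; the inventory is derived only from traffic they already produce."""
    inventory = {}
    for f in flows:
        for ip, mac in ((f["src_ip"], f["src_mac"]), (f["dst_ip"], f["dst_mac"])):
            inventory.setdefault(ip, {"mac": mac, "zone": zone_of(ip), "services": set()})
        inventory[f["dst_ip"]]["services"].add((f["proto"], f["dst_port"]))
    return inventory


def check_flows(flows, baseline):
    """Continuous-monitoring pass: compare each flow with the baseline inventory and the
    segmentation policy. Returns (finding_type, ...) tuples in the order the flows were seen."""
    findings = []
    for f in flows:
        src_zone, dst_zone = zone_of(f["src_ip"]), zone_of(f["dst_ip"])
        if f["src_ip"] not in baseline:
            findings.append(("new_asset", f["src_ip"], f["src_mac"], src_zone))
        if (src_zone, dst_zone, f["dst_port"]) not in ALLOWED_FLOWS:
            findings.append(("segment_violation", f["src_ip"], f["dst_ip"], f["dst_port"]))
        if f["modbus_fc"] in MODBUS_WRITE_FCS and src_zone not in WRITE_ZONES:
            findings.append(("unauthorized_write", f["src_ip"], f["dst_ip"], f["modbus_fc"]))
    return findings


if __name__ == "__main__":
    baseline = build_inventory(BASELINE_FLOWS)
    for ip, asset in sorted(baseline.items()):
        print(f"{ip:12} {asset['mac']}  zone={asset['zone']:13} services={sorted(asset['services'])}")
    for finding in check_flows(LIVE_FLOWS, baseline):
        print("ALERT", finding)
```

Run against the live capture, the check raises four findings: the BMS host’s write to the grid controller is flagged both as a cross-segment flow and as a write from a zone not permitted to issue one, and the unknown 10.10.0.99 host is reported as a new asset and as a segment violation. The baseline capture produces no findings, which is the property a deny-by-default allow-list must have before it is enforced on a live OT network. The same flow records feed both the inventory and the policy check, so nothing in this pipeline ever sends a packet to a controller.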

Ushering in a new era of operational technology security

With adversaries still targeting critical U.S. infrastructure, DoD officials cannot afford a reactive posture toward OT security. The Pentagon’s tailored fan chart for OT provides the roadmap that has been missing.

By combining these principles with full asset visibility, network segmentation, continuous monitoring and ROC-driven automation, agencies can build a credible path toward cyber resilience.

Jonathan Trull is chief information security officer and executive vice president for risk management at Qualys.

Copyright © 2026 Federal News Network. All rights reserved.
