Zero trust for weapons systems will be a ‘heavy lift’ for DoD

While the mandate for the military services and defense agencies to achieve the target zero trust architecture by 2027 doesn’t include weapon systems such as tanks or aircraft, senior officials believe that IT systems supporting weapon platforms should be subject to zero trust requirements.

“There are a good number of support systems that support those weapon systems and are essentially IT systems just like our normal networks and computers. We do believe that those should be covered because they’re part of the NIPR and SIPR landscape,” David McKeown, DoD’s chief information security officer, said during the DoD Zero Trust Symposium Wednesday.

“The actual weapon system platform — we’re going to continue to work on how we might employ that. But all the support systems related to weapon systems —which are also sometimes referred to as part of the weapon system or weapon system themselves, if they are network-based, application-based — yes, they should get covered by the mandate.”

Retrofitting zero trust into some weapon systems that have already been built is nearly impossible, but the Defense Department’s chief information officer’s office will work to get the IT infrastructure for functions such as command and control or logistics and maintenance to the zero trust target level by 2027.

“As we go forward, we’re going to keep looking at other areas too. Zero trust on weapons systems is going to be a heavy lift. We’re going have to figure out how to do that. It’s one thing to do this on networks — another thing is to do it on a weapons system or weapon platform, operational technology and so on,” DoD CIO John Sherman said.

In 2018, the Government Accountability Office reported that the DoD was “routinely” finding cyber vulnerabilities in its weapons systems late in the development process. The department made some progress by 2021, but it was failing to incorporate cybersecurity requirements into contracts. The watchdog agency said some contracts didn’t have language for cybersecurity requirements at all.

Including OT, weapons systems cybersecurity from the beginning

Daryl Haegley, Air Force technical director of control systems cyber resilience, said it’s critical that the DoD includes operational technology into all the planning processes as it moves forward with zero trust implementation.

“Just one of the biggest things I’d really like to see is including OT in all those planning processes to ensure that as we talk about how we’re going to integrate a solution — that we’re considering the full gamut from the OT to the IT. We still have yet to find an IT system that can operate without OT. Yet, we still continue to not apply cyber to OT,” Haegley said.

Last year, Haegley’s team conducted a zero trust pilot at Spangdahlem Air Base located in Germany. The team sent to the base was able to target 38 out of 91 activities to protect five water systems and two wastewater systems.

The Zero-Trust Portfolio Management Office funded the pilot, which became operational in December. While the project showed promising results when it comes to securing OT using zero trust principles, gaps in coordination, among other challenges, persist amid DoD’s efforts to apply zero trust not only to networks but operational technology systems as well.

“It was great to see that there’s a lot of innovation out there and vendors have [zero trust] solutions that can be applied to OT. What we learned from that process, though there just wasn’t that coordination with the rest of the Department of the Air Force,” Haegley said.

Copyright © 2024 Federal News Network. All rights reserved. This website is not intended for users located within the European Economic Area.