operational technology Archives | DefenseScoop
https://defensescoop.com/tag/operational-technology/

Pentagon zero trust guidance for IoT and OT coming in September
https://defensescoop.com/2025/06/06/dod-zero-trust-guidance-iot-ot-operational-technology/
Fri, 06 Jun 2025 19:00:15 +0000

The new IoT and OT guidance is expected sometime in September, DOD's zero-trust sherpa Randy Resnick said.

As the Department of Defense races to shore up its cyber defenses with zero-trust security architectures by 2027, it will issue key guidance for how industry partners should apply the security framework to Internet of Things and operational technology systems by the end of the fiscal year.

Randy Resnick, senior advisor of the Zero Trust Portfolio Management Office in the DOD, said Wednesday that the department is developing those guidance documents as expansions and variations of the 91 baseline “target-level” zero-trust activities it has already released for industry models to meet.

The new IoT and OT guidance is expected sometime in September, Resnick said at the GDIT Emerge: Edge Forward event, produced by FedScoop.

DOD uses what it refers to as “fan charts,” Resnick said, to lay out the various security controls vendors must build into their zero-trust solutions to meet the baseline for military services and defense agencies. In total, there are 152 controls — 91 at the target level and 61 at the advanced level, which “offer the highest level of protection,” the department said in guidance from 2024.

Resnick said that the fan chart for operational technology is “different” than that of the 91 activities needed to meet target-level compliance, though “there’s a lot of overlap.”

“The number of activities to hit target-level OT is different,” he explained.

For securing IoT systems with zero trust, Resnick said it’s essentially the same 91 target-level activities, plus two additional controls.

Explaining why it was necessary to build out additional overlays for OT and IoT systems, he said the way you respond to an incident is quite different, especially for operational technology.

With OT, Resnick said, “You want to have it fail open, or you want to have it fail in a way that doesn’t disturb or cause more mischief or harm than you want.”

Once those pieces of guidance arrive in September, just one more such directive remains for the DOD to issue: zero-trust overlays for weapons systems, said Resnick.

With the 2027 deadline looming, Resnick said he feels like “we’re in good shape,” especially after his office was spared in recent DOGE cuts.

He explained that the department continues to experience successful pilots with industry that meet target or advanced levels of zero trust. And with more of those solutions taking shape, it’s getting closer to the point where DOD organizations will be able to “just buy it, implement it, install it, and pretty much get there before the end of [2027],” Resnick said.

The hard part will then be installing the solutions, he explained.

“We’re talking professional services and a whole army of people that are probably going to be required,” Resnick said. “We’re talking about full swap-outs and new infrastructures. This is not a small problem … I certainly hope that industry is thinking like that.”

How the Pentagon is moving to counter converging IT and OT threats
https://defensescoop.com/2024/12/04/pentagon-moving-to-counter-converging-it-ot-threats/
Wed, 04 Dec 2024 23:04:04 +0000

The Pentagon is adapting to the expanding integration of information systems with operational technologies that control physical assets.

The integration of data-centric information systems with operational technologies that control physical assets is increasing the need for U.S. entities to modernize their cybersecurity and resilience approaches, according to experts from government and industry.

On a panel moderated by DefenseScoop Tuesday at a Scoop News Group-produced GDIT event, two Defense Department officials and two defense industry executives shared their latest insights on contemporary, real-world threats they’re tracking — at this convergence of IT systems, like computers and servers, with OT systems, like vehicles and medical devices — and how their teams are moving swiftly to adapt and respond.

“When we think about it, installations are our critical power projection platforms. They’re foundational to allow us to launch our critical missions, to ensure readiness, and really do power projection for the United States Air Force and for the DOD in general,” the Department of the Air Force’s acting Deputy Principal Cyber Advisor Lt. Col. Andrew Wonpat said.

“And when we think about cybersecurity, one of the big initiatives across the [DOD] and the U.S. government is zero trust. And that is transformative if we’re going to look at how we do that for operation technology,” he added.

Wonpat and the other panelists reflected on the broad landscape of global, existing and emerging OT vulnerabilities they’re monitoring and moving to mitigate.

Pointing to recent publicly reported numbers he pulled, Wonpat said that “China has approximately 100,000 cyber operators.” Noting that number could be an inflated estimation, he argued it’s best to assume that the real number could be much lower.  

“So, if we just extrapolate that, if China only has half of that — 50,000, that’s about the number of people in a [specific] town or a city within the United States — so that is significant for us from a military perspective, and the Department of Air Force to really grapple with,” Wonpat said.

Whittling that down further, assuming only 10% of those personnel would be explicitly focused on OT efforts, it would still be about 5,000 people, which in his view is a lot for the service to contend with.

“So, how do we contend with those threats? One thing we did — one of the big initiatives — is [the Air Force established a new] organization called CROCS, or the Cyber Resiliency Office for Control Systems. They’re really responsible for coordinating and overseeing the cybersecurity of our control systems and operation technology, as well as defending critical infrastructure,” Wonpat explained. “And there’s a lot that goes into that.”

He confirmed that early lines of effort for the CROCS team include workforce, governance, visibility and prioritization activities, and transforming OT defense and response.

“I’m really excited about the CROCS organization … It’s the first time I’ve seen something like this in the department and we really need it,” Tony Robertiello, GDIT’s senior program director for Air Force enterprise IT programs, said.

For the Air Force and civil engineering community, GDIT provides cybersecurity and associated protection services for about 600 facility-related control systems across the globe in multiple forms. 

Spotlighting recent analysis the company has captured, Robertiello noted that the convergence between OT and IT across the internet protocol or IP space is currently considered to be an intensifying threat.

“We have inventory data for those 600 systems — 30,000 devices are IP-based. And these are devices that you don’t put certificates on them, but they could scan the network and could be attacked or could be a point of attack,” he explained.

The GDIT team is working in partnership with the 16th Air Force, an information warfare hub with OT data that Robertiello said they’ve never had access to before. 

“What’s no surprise now is that the top 10 systems in the Air Force of all the systems that they track data on — the most vulnerable systems, that top 10 — it’s OT systems. These are legacy systems. So, the threat is real out there against these types of systems,” Robertiello said.

He and other panelists also discussed Volt Typhoon and similar recent OT attacks aligned with what are reportedly China-backed advanced persistent threat (APT) groups targeting critical infrastructure.

“One observation I will make is that if you look at what’s publicly reported, the Typhoon family is not doing the ransomware phishing attacks. They’re chaining vulnerabilities together and developing some legitimately sophisticated ways of intruding in the systems. The good news about that is that it means the sort of traditional stuff is less effective. So, some of the things that we’ve been doing for years — trying to secure systems and teach people about phishing — some of that is having an effect,” said Terry Kalka, director of the defense industrial base collaborative information-sharing environment at DOD’s Cyber Crime Center (DC3).

Officials inside DC3 are executing on what he referred to as defensive missions on DOD networks, as well as for the defense industrial base.

“One of the things we’ve had a lot of success in is vulnerability disclosure, where we work with white hat open-source or crowd-sourced researchers to look for vulnerabilities on public infrastructure,” Kalka said.

In the eight years since that program launched, around 50,000 vulnerability reports have been submitted, and heaps of patches have been made in response. More recently, the DC3 opted to build on that momentum by setting up a defense industrial base vulnerability disclosure program.

“Now there’s an IBM report that estimates the cost of a data breach each year. This year, they say a data breach costs, on average, $4.8 million. I’m not going to try to do the math onstage. But if we have so far, in the DIBVDP, mitigated 59 vulnerabilities in six months … that’s about $288 million that we’ve saved industry and therefore saved the taxpayer. That’s a nice statistic if you have to go ask for cybersecurity money. And secondly, it’s a real, tangible effect in terms of what’s publicly available and how can we close that off as a way of entry,” Kalka said.

Autonomous endpoint management is another increasingly powerful solution the panelists highlighted. 

Sam Kinch, who previously worked at U.S. Cyber Command and is now an executive client advisor at Tanium, brought up a recent statistic that 70 percent of successful breaches start at the endpoint, which he said further reflects the growing need for organizations to capture IT and OT assets under one single umbrella of real-time visibility.

“One of the other stats that came out of DOD recently, if you look at the IT estate across their enterprise, it’s about 4 million endpoints they project right now. And they don’t know, but they’re projecting 15 to 18 million endpoints when you include the OT side of the house,” he noted.

“How is that for a target surface in a vulnerability state? Autonomous endpoint management is going to be essential. And what that means to us is really, how do you incorporate autonomy and automation into the process flows so you can reduce risk and drive down the mistakes that get made from mundane tasks nobody wants to do?” Kinch said.
