The US Department of War (DoW) has extended its Zero Trust (ZT) strategy from enterprise IT into operational technology (OT) and control-system environments. New guidance has been provided by the Chief Information Officer of the DoW in the latest publication “Zero Trust for Operational Technology Activities and Outcomes” (Nov. 18, 2025). This guidance complements existing cybersecurity mandates (e.g., DoDI 8500-series, DoD Cybersecurity Reference Architecture) rather than replacing them.

It applies to DoW-owned OT/control systems, such as facilities, utilities, building automation, and logistics/manufacturing control up to a defined line of demarcation. Internal systems of weapons platforms and defense-critical infrastructure (DCI) remain outside this scope for now with separate guidance in development.

Why the limitation?

It reflects bureaucratic realities: DoW can only enforce ZT where it has clear authority within enterprise networks and specific OT installations. Weapon systems and DCI fall under separate funding lines and program executive offices (PEOs), creating boundaries that the guidance mirrors. In other words, the DoW can secure the ‘neighborhood’ (common areas) but not the ‘individual homes’ which remain under separate ownership and budgets.

The Line of Demarcation: A Strategic Gap

While the guidance delivers architectural direction, it creates an organizational (not technical) boundary that leaves critical mission systems exposed. Adversaries do not respect demarcation lines. If ZT stops at the installation boundary, our warfighters’ readiness remains vulnerable. Forescout, along with our partners at the OT Cyber Coalition, is committed to partnering with the DoW to erase the line of demarcation with the sense of urgency that the department’s 2027 deadline requires.

Secure protocols exist, such as BACnet/SC and OPC UA (with integrated security), but adoption is limited and most field devices still operate on legacy protocols that were not designed to withstand modern digital threats. Legacy protocols (Modbus, OPC Classic, BACnet) lack built-in security, and updating or replacing equipment can disrupt operations or safety. Digital controls complement, but cannot substitute for, physical access controls, which remain foundational in safety-critical OT environments. Card readers, biometric gates, CCTV, and visitor logging continue to serve as primary safeguards for controlled spaces.

Coordination challenges persist between cybersecurity, safety, risk management, and field operators despite the government mandates. We are making progress, but it is slow-moving and requires cross-functional governance to effectively justify investments and shape behavior at scale. Effective ZT OT implementation requires coordination between cybersecurity, OT, and physical security teams.

Mind the Gap with C2C

In OT environments, Comply to Connect (C2C) goes beyond conditional access, serving as the visibility and enforcement fabric for Zero Trust (ZT). OT devices, such as HMIs and SCADA servers at the operational level, often lack agents or user identity, leaving them vulnerable to spoofing. C2C addresses this gap by delivering DoW ZT Pillar 1 (visibility and control) through passive device discovery, behavioral insight, and network-level segmentation. By specifying and managing these critical OT devices, organizations can ensure robust network enforcement which will reduce spoofing. Without C2C, ZT remains largely theoretical in OT environments.

Zero Trust Principles Are the Key to Resilient OT Operations

Applying IT-centric security controls to OT environments can be ineffective, even dangerous. OT systems often run on legacy hardware and industrial protocols that lack native security, and they prioritize safety and continuous availability over confidentiality. Moreover, OT operations are typically managed by engineering teams, not IT security staff: different teams with different skill sets that sometimes deal with competing priorities.

This is why Zero Trust in OT environments is critical: it prevents lateral movement of malware and minimizes the impact of breaches, including those originating from the IT side. Beyond cybersecurity, Zero Trust helps protect critical infrastructure from a safety perspective, ensuring systems fail safe during an attack and reducing production downtime.

The ZT for OT framework offers a tailored path to incorporate Zero Trust principles while respecting these operational constraints. It organizes OT environments into two conceptual layers:

  • Operational Layer: Workstations, process-control servers, HMIs, local management services, and network switches/firewalls (network infrastructure often sits between Levels 2-4, depending on the architecture).
  • Process Control Layer: Field controllers, sensors, actuators, safety instrumented systems (SIS).

This abstraction corresponds to portions of the Purdue Model (Levels 0-3, as a reference), but neither Purdue nor ISA/IEC 62443 fully addresses the cybersecurity limitations of securing field devices and transmitters. This model simply provides a practical way to frame ZT discussions while acknowledging the gaps to be resolved.

Difficulty Levels: What’s Hard Vs. What’s Easy?

Not all Zero Trust (ZT) tasks in OT environments are equal. The easiest gains come from activities that don’t disrupt operations: inventorying accounts and devices, documenting trust boundaries, tightening access paths into the environment, and improving basic logging. Mid-level efforts include enforcing least privilege, segmenting networks along functional lines, and eliminating shared accounts: changes that require coordination across engineering and security teams but can still be introduced without touching the process layer.

The most complex outcomes involve adaptive controls, continuous authorization, and deep telemetry because these depend on legacy constraints, vendor heterogeneity, and the risk of interfering with systems that must run continuously. Even more challenging is applying ZT principles to field controllers and safety systems where uptime, determinism, and certification requirements sharply limit what may be changed. The most difficult applications blend physical and digital identity correlation, real-time risk evaluation, and automated enforcement. This combination is where Zero Trust becomes powerful but also where OT environments demand the most caution.

For legacy devices that will never meet Zero Trust requirements, segmentation and zoning offer an alternative mitigation strategy. Early implementation should prioritize segmentation planning, anomaly containment, and continuous monitoring to deliver measurable risk reduction and inform future modernization.
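As an added illustration of the C2C visibility point above and of segmentation along the two-layer model (example code, not DoW guidance or Forescout's platform): it builds a passive inventory from constructed flow records, tags each address with its layer, flags flows that enter the process-control layer from anywhere but the operational layer, and flags an address seen with more than one MAC, the kind of spoofing indicator an agentless device cannot report itself. The protocol ports, subnet-to-layer map, and flows are assumptions constructed for the example.

```python
# Added example (not DoW/Forescout code): passive OT inventory + segmentation check.
from collections import defaultdict

# Industrial protocol default ports (assumption: a minimal table).
PROTO_PORTS = {502: "Modbus/TCP", 47808: "BACnet/IP", 4840: "OPC UA"}

# Subnet prefix -> layer (constructed): the two OT layers plus the enterprise side.
LAYER_OF = {"10.1.": "process-control", "10.2.": "operational", "10.9.": "enterprise"}

# Constructed flow records: (src_ip, src_mac, dst_ip, dst_port).
FLOWS = [
    ("10.2.0.10", "02:00:00:00:00:01", "10.1.0.5", 502),    # HMI -> PLC, expected
    ("10.2.0.11", "02:00:00:00:00:02", "10.1.0.6", 47808),  # BMS server -> controller
    ("10.9.0.50", "02:00:00:00:00:03", "10.1.0.5", 502),    # enterprise host -> PLC
    ("10.2.0.10", "02:00:00:00:00:04", "10.1.0.5", 502),    # HMI address, new MAC
]

def layer_of(ip):
    """Map an address to its layer by subnet prefix, else 'unknown'."""
    for prefix, layer in LAYER_OF.items():
        if ip.startswith(prefix):
            return layer
    return "unknown"

def build_inventory(flows):
    """Passive discovery: every address seen, its layer, the industrial
    protocols it serves, and each MAC it has been observed with."""
    inv = defaultdict(lambda: {"layer": "unknown", "protocols": set(), "macs": set()})
    for src, mac, dst, port in flows:
        inv[src]["layer"] = layer_of(src)
        inv[src]["macs"].add(mac)
        inv[dst]["layer"] = layer_of(dst)
        if port in PROTO_PORTS:
            inv[dst]["protocols"].add(PROTO_PORTS[port])
    return dict(inv)

# Segmentation policy: only the operational layer may reach process control.
ALLOWED_INTO_PROCESS = {"operational"}

def check_flows(flows, inventory):
    """Findings as (kind, subject, detail): zone violations against the policy
    above, and addresses whose MAC changed (an address-spoofing indicator)."""
    findings = []
    for src, _mac, dst, port in flows:
        if layer_of(dst) == "process-control" and layer_of(src) not in ALLOWED_INTO_PROCESS:
            findings.append(("zone-violation", src, f"{dst}:{PROTO_PORTS.get(port, port)}"))
    for ip, dev in inventory.items():
        if len(dev["macs"]) > 1:
            findings.append(("mac-change", ip, sorted(dev["macs"])))
    return findings
```

In practice the flow records would come from a passive sensor on a SPAN port or TAP, and the zone-violation finding is what a segmentation firewall rule between the layers would then enforce.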

Activities and Outcomes

Zero Trust in OT is not a copy-and-paste of IT controls. Activities (what must be done) and Outcomes (the condition you must achieve) reflect the physical, safety-critical, legacy-heavy realities of OT systems. The idea, to modernize OT security without disrupting operations, has two implementation tiers:

  • Target: Minimum capabilities to secure OT systems against known threats—feasible in most OT environments. Includes identity and credential management, access control, segmentation, and monitoring.
  • Advanced: Aspirational capabilities for adaptive responses and deeper ZT functionality—technically challenging and not required within baseline timelines.

Importantly, outcomes are goal-based, not tool-specific. For example: “identified and documented inventory of OT accounts.” System owners must assess applicability based on operational constraints, documenting any justified exceptions (e.g., air-gapped controllers).

Turning Guidance into Action

Zero Trust in OT is ongoing, not a one-time project. For practitioners, this means balancing security with operational availability and safety, integrating physical and digital controls, and documenting every deviation. It also means working with technology partners and solutions with real-world experience in blended IT/OT environments that understand the unique challenges of the bureaucratic war machine.

Go deeper: See how the Forescout 4D Platform helps governments around the world operationalize Zero Trust.