Navy looks to add zero-trust controls into weapon systems, platforms

As the Defense Department continues implementing zero-trust cybersecurity practices across its networks, some of the military services have begun parsing out how to use the same framework to protect their operational technology from cyber threats.

Since the Pentagon released its zero trust strategy in 2022, organizations across the DOD have worked to upgrade their IT infrastructure so that it operates under zero trust — a cybersecurity concept that assumes networks are already compromised by adversaries and requires continuous monitoring and authentication of users and devices. The department’s goal is for all components to achieve “target levels” of zero trust by the end of fiscal 2027.

While efforts have focused on transitioning the Pentagon’s networks and IT infrastructure, some of the services have already begun assessing how they can integrate zero trust and enabling technologies into physical systems.

“It’s not just networks. Our operational technology is critical as well. So our weapons systems, our platforms, our facilities have to fall within this zero-trust umbrella as well,” Anne Marie Schumann, principal cyber advisor at the Department of Navy, said Wednesday during a panel at the Zero Trust Summit hosted by Scoop News Group.

Schumann noted that the Pentagon has been tracking cyber threats to operational technology and is currently developing a zero-trust implementation plan for those systems. But advancements in adversary cyber threats — such as from the Chinese-linked group known as Volt Typhoon — have put pressure on the department to move faster.

“I think one of the changes is that urgency is now being met with more mature capabilities from industry and a more mature approach from the DOD, because we can draw on what we’ve done with zero trust for it, and we know what that roadmap looks like to get there. We just need to start implementing that,” she said.

The Department of the Navy has largely led the way for other components in executing the Pentagon’s zero-trust goals. Its cloud-based Microsoft Office 365 platform known as Flank Speed has already met all 152 zero-trust requirements set by DOD and is continuing to improve cybersecurity on other networks, Schumann noted.

To get after cybersecurity for physical systems, the DON is preparing a set of standards for its implementation of zero trust for operational technology, slated to publish “in the next month or so,” Schumann said. The standards are part of a larger Navy effort known as More Situational Awareness for Industrial Control Systems (MOSAICS) that broadly aims to develop and demonstrate cyber defense capabilities for its facilities.

The upcoming standards will outline how to achieve zero trust at a “basic level” that covers minimum cybersecurity requirements, as well as a “block 2 advanced level” that denotes achievement of all requirements, according to Schumann. The strategy mirrors the Defense Department’s own delineation between what it considers “target levels” and “advanced levels” of zero trust, detailed in the 2022 strategy.

“I think that would be a really useful level-set for both us and our industry partners to know how we’re measuring capabilities,” Schumann said.

Wanda Jones-Heath, principal cyber advisor for the Department of the Air Force, also said during the panel that her office is looking at how it should invest to implement zero-trust frameworks for operational technology. For its zero-trust efforts, the DAF has released its own strategy and implementation plan, which has been updated to include capabilities beyond networks and IT infrastructure and is pending signature from the new presidential administration, she noted.

“The Navy is certainly leading the way, and we are following very closely,” Jones-Heath said.