Zero Trust
Operational Technology
Cyber Resilience
Federal

Pentagon Mandates Zero Trust Security Framework for Operational Technology Environments

George V. Hulme / Jan 12, 2026

The Department of War has issued comprehensive guidance requiring all organizational units to implement zero-trust security principles across operational technology (OT) systems, marking a fundamental shift in how the military secures critical infrastructure from power grids to manufacturing control systems.

Released late November, the Zero Trust for Operational Technology Activities and Outcomes document establishes 105 distinct security activities—84 designated as mandatory "target level" requirements and 21 as "advanced level" objectives—organized across seven pillars: users, devices, applications and workloads, data, networks and environments, automation and orchestration, and visibility and analytics.

The guidance follows DTM 25-003 (Directive-Type Memorandum 25-003, "Implementing the DoD Zero Trust Strategy"), issued in July 2025, which directed DoD components to achieve minimum Target Level Zero Trust across all unclassified and classified systems, including control systems and operational technology (OT). However, the new document acknowledges that "applying standard IT security approaches to OT environments can be ineffective and potentially dangerous," necessitating specialized requirements tailored to industrial systems.

A Farewell to the Purdue Model for ICS Architecture?

The DoD guidance fundamentally simplifies the traditional Purdue Model's five-layer architecture into a more flexible two-layer abstraction for applying zero trust principles. The new framework collapses the Purdue Model's layers 4 and 5 into an "Operational Layer" that encompasses application services, control center workstations, HMI, controllers, and wireless gateways, while consolidating layers 0-2 into a "Process Control Layer" comprising field control devices, sensors, actuators, and motors.

This generalized approach eliminates the need to specify how zero-trust solutions will be deployed across specific Purdue Model levels, allowing greater flexibility in implementation based on particular system configurations. The document emphasizes that this simplified description "does not replace the standard reference architectures" such as the Purdue Model, IEC 62443, and UFC 4-010-06, which remain authoritative frameworks for classifying OT systems within the DoD. Instead, the two-layer model provides "a flexible and adaptable description of an OT environment when describing ZT principles and solutions," accommodating future OT environments and alternative security reference architectures without being overly prescriptive by assigning specific componentry, devices, and users to rigid architecture levels.

Andrew Clopton, senior OT security engineer at GuidePoint Security, noted that the traditional Purdue Model established six hierarchical layers with strict boundaries between IT and OT networks, creating multiple security checkpoints that limited operational agility.

"The DoD's new simplified model flattens this into just two distinct layers: operational and process control. Removing intermediate boundaries enables more direct communication and leverages identity-based controls and micro-segmentation, rather than physical network separation, to maintain security," he says.

Clopton explains that for organizations that previously designed their OT environments on the Purdue Model, the transition to the DoD's new guidance presents three critical requirements:

  • Reimagining network boundaries beyond physical separation toward identity-based controls that verify every access request, regardless of origin.

  • Implementing micro-segmentation at the network, application, and device levels. In practice, this creates multiple layers of verification that prevent lateral movement and contain threats, even if one layer is compromised.

  • Adopting a zero-trust network architecture (ZTNA) with “deny by default” policies that enforce contextual access decisions. ZTNA replaces implicit trust based on network location with a system that verifies every access attempt based on who is requesting it, what device they're using, and current conditions.

"Regarding IIoT cloud connectivity, this shift does effectively enable more direct-to-cloud connections, but requires robust security measures, such as certificate-based device authentication, data protection with encryption, and continuous monitoring with security information and event management [systems] (SIEMs)," Clopton says.

DoD ZT Scope, and Critical Differences

The mandate applies to DoD-owned operational technology up to the point of demarcation with weapon systems and defense-critical infrastructure, encompassing facility-related control systems, power grids, water treatment facilities, security and life safety systems, energy management systems, transportation networks, logistics handling, and manufacturing control systems. And these systems regularly operate in environments with "a significant need for continuous and reliable operations," making their reliability and security paramount to national security and economic stability.

The guidance, the DoD contends, is necessary because of the fundamental differences between IT and OT environments. That's because OT systems prioritize operational availability over confidentiality and integrity, use legacy equipment and diverse industrial protocols such as DNP3, Modbus, BACnet, and PROFINET, face strict safety requirements, and require specialized engineering expertise. "While the core principles of ZT—data protection, strong authentication, network segmentation, and threat monitoring—apply to OT, their implementation and deployment timescales require careful consideration of OT-specific constraints and priorities," the document states. Consequently, zero-trust implementation requires thorough risk mitigation before any product deployment, often through testing in simulated, testbed, or real-world scenarios.

Simplified Architecture and Requirements Levels

The guidance establishes a two-layer abstraction: the Operational Layer and the Process Control Layer. The Operational Layer encompasses application services, control center workstations, HMI, controllers, and wireless gateways, while the Process Control Layer comprises field-control devices that enable local operation of sensors, actuators, motors, and mechanical equipment.

This simplified model provides "flexibility to adapt to a wide variety of future OT environments and to accommodate alternative security reference architectures," eliminating the need to specify how zero-trust solutions will be deployed across specific layers, the document states.

"Target Level" represents "the minimum set of ZT capability outcomes and activities necessary to secure and protect the department's data, applications, assets, and services to manage risks from currently known threats." Advanced Level activities "enable adaptive responses to cybersecurity risk and threats and offer the highest level of protection," but will not be held to the Target timeline.

Core DoD ZT Implementation Requirements

For identity and access management, DoD components must establish user inventories within OT environments, implement authorized credentialing services with multifactor authentication or approved alternatives, and enable role-based access controls before granting access or establishing connections. Remote and third-party access must be limited to the minimum required to perform work.

Components must implement OT privileged access management solutions that support all critical use cases and develop documented identity life-cycle management processes for all users who access, connect to, and operate in OT environments.

For device management, the guidance requires centralized inventories of non-person entities (NPEs), built from existing inventories, manual discovery, and passive discovery-based automated solutions. Components must utilize Public Key Infrastructure solutions to deploy X.509 certificates to all supported NPEs; devices incapable of certificate support must be marked for retirement or excepted using a risk-based approach.

"The DoD's emphasis on Non-Person Entity (NPE) credentialing creates a challenge for legacy OT," Clopton says. "Many OT devices in DoD facilities were designed before modern authentication standards existed and simply lack the processing power to run security agents or encryption algorithms."

To meet DTM 25-003's Target Level requirements without replacing these critical assets, GuidePoint recommends that organizations use a combination of compensating controls: network-based access proxies that extend identity verification to legacy systems, behavioral monitoring to detect unusual activity, protocol-specific monitoring for industrial communications, policy enforcement gateways that apply zero trust at network boundaries, configuration integrity checks, and network-level micro-segmentation to limit lateral movement.

"The key is shifting zero trust enforcement to points in the architecture where modern security can be implemented, while using advanced monitoring to compensate for limitations in the legacy devices themselves," Clopton says.

Network security mandates include implementing granular access rules and policies, plane segmentation, and micro-segmentation of communication pathways. Components must establish logging capabilities for session establishment, conduct, and termination, and encrypt traffic flows for control systems using secure OT protocols where technically feasible.
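As an added illustration, not taken from the DoD document or from GuidePoint, of what a policy enforcement gateway with protocol-specific monitoring can do in front of a legacy Modbus device: it parses each Modbus/TCP request, applies a deny-by-default allowlist of function codes keyed to the authenticated client identity, and logs session establishment, every decision, and termination. The identities, policy entries and frames are constructed for the example; how the gateway authenticates the client (for instance with a client certificate) is assumed and out of scope here.

```python
import struct

# Modbus/TCP frame = MBAP header (transaction id, protocol id, length, unit id)
# + PDU (function code, data). Modbus carries no authentication, so identity
# must come from the gateway's own authenticated session, not the protocol.
def parse_modbus_tcp(frame: bytes) -> tuple:
    """Return (transaction_id, unit_id, function_code, data) or raise ValueError."""
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError(f"unexpected protocol id {proto}")
    if length != len(frame) - 6:  # length field counts unit id + PDU
        raise ValueError("MBAP length field does not match frame size")
    return tid, unit, frame[7], frame[8:]

# Deny-by-default policy: (identity, unit id) -> permitted function codes.
# Identities and code sets are constructed for this example.
POLICY = {
    ("hmi-operator", 1): {3, 4},             # read holding/input registers only
    ("control-engineer", 1): {3, 4, 6, 16},  # reads plus register writes
}

# Constructed sample requests to unit 1: read holding registers (fc 3),
# write single register (fc 6), and a frame whose MBAP length field is wrong.
SAMPLE_FRAMES = {
    "read": b"\x00\x01\x00\x00\x00\x06\x01\x03\x00\x00\x00\x0a",
    "write": b"\x00\x02\x00\x00\x00\x06\x01\x06\x00\x05\x00\x01",
    "bad_len": b"\x00\x03\x00\x00\x00\x09\x01\x03\x00\x00\x00\x0a",
}

def decide(identity: str, frame: bytes, policy=POLICY) -> tuple:
    """Return (verdict, log line); anything not explicitly allowed is denied."""
    try:
        _, unit, fc, _ = parse_modbus_tcp(frame)
    except ValueError as exc:  # malformed traffic is denied and logged, not dropped silently
        return "DENY", f"identity={identity} verdict=DENY reason={exc}"
    verdict = "ALLOW" if fc in policy.get((identity, unit), set()) else "DENY"
    return verdict, f"identity={identity} unit={unit} fc={fc} verdict={verdict}"

def gateway_session(identity: str, frames: list, policy=POLICY) -> list:
    """Log one client session: establishment, every decision, and termination."""
    log, denied = [f"session-open identity={identity}"], 0
    for frame in frames:
        verdict, line = decide(identity, frame, policy)
        denied += verdict == "DENY"
        log.append(line)
    log.append(f"session-close identity={identity} requests={len(frames)} denied={denied}")
    return log
```

Running `gateway_session("hmi-operator", list(SAMPLE_FRAMES.values()))` allows the read, denies the write (not in the operator's allowlist) and denies the malformed frame, giving the SIEM a complete session record for a device that cannot authenticate anything itself.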

Physical Security and Flexible Implementation

The guidance emphasizes that robust physical security measures directly enable a successful OT zero-trust implementation. While focusing primarily on technical cybersecurity measures, it acknowledges that "if an adversary gains physical access, the cybersecurity controls outlined in this framework may be insufficient to prevent compromise."

The document recommends leveraging physical controls, including biometric access control, proximity card readers, perimeter fencing, CCTV surveillance, intrusion detection systems, and environmental monitoring to complement digital security measures.

Critically, the guidance emphasizes flexibility. Only those with authority over an OT environment, in close collaboration with OT operators and security professionals, should evaluate each activity in their specific environment. For some systems, certain activities may be deemed inapplicable—for example, standalone systems unable to ingest threat streams.

In such cases, assessors should document and report justification, removing the activity from Target Level requirements for that specific system. "Implementation designs may be highly diverse in OT environments, but the essential ZT principles are followed, and outcomes of the ZT for OT guidance shall be achieved."

Questions on the guidance should be raised to the DoD CIO Zero Trust Portfolio Management Office. Separate guidance will be developed for weapon systems and defense-critical infrastructure.

George V. Hulme

George V. Hulme is an award-winning journalist and internationally recognized information security and business technology writer. He has covered business, technology, and IT security topics for more than 20 years. His work has appeared in CSOOnline, ComputerWorld, InformationWeek, Security Boulevard, and dozens of other technology publications. He is also a founding editor at DevOps.com.
