The Pentagon has released its first comprehensive Zero Trust guidance specifically for Operational Technology (OT), recognizing that industrial control systems, facility systems, and other mission-critical OT assets cannot be secured the same way as traditional IT. The new Zero Trust for Operational Technology – Activities and Outcomes framework outlines clear requirements for user access, device identity, workload integrity, network segmentation, analytics, and automated decision-making. These requirements were designed with an understanding of OT’s unique constraints, such as critical operations, legacy devices, and limited ability to patch.
The Pentagon’s new OT Zero Trust guidance lays out a pragmatic, OT-aware security model that rejects the assumption that IT Zero Trust patterns can simply be lifted and shifted into industrial environments. Instead, it emphasizes that OT systems operate under strict uptime and safety constraints, run on specialized protocols, rely on legacy devices that often cannot be patched, and are maintained by teams with limited cybersecurity depth, conditions that make traditional IT controls insufficient or even dangerous. To bridge this gap, the DoD introduces OT-specific Activities and Outcomes distributed across the seven Zero Trust pillars (Users, Devices, Workloads, Data, Network, Visibility, and Automation), creating a structured roadmap that acknowledges both operational limitations and mission-critical risk.
The guidance also frames OT security through a simplified three-layer model, Enterprise, Operational, and Process Control, that complements rather than replaces Purdue and IEC 62443. This abstraction helps clarify how identity services, engineering workstations, firewalls, PLCs, field devices, and safety systems each inherit different Zero Trust controls. Notably, the document moves beyond vague principles and defines testable, measurable requirements: centralized inventories of users and devices; strict RBAC and least-privilege enforcement; PAM solutions that actually work in OT; MFA applied where possible; lifecycle tracking for noncompliant legacy assets; OT-tuned UEBA; robust segmentation with deny-by-default baselines; and automated, evidence-based risk decisions. Together, these elements reflect the DoD’s expectation that all components progress toward Target Level Zero Trust—a standard that is achievable only if Zero Trust is adapted thoughtfully to the realities of industrial operations rather than forced upon them.
A standout requirement from the guidance is its emphasis on verifying every device and workload before it is trusted. This includes maintaining an accurate inventory of all OT systems, assessing their vulnerabilities, configuring permissions, and enforcing Role-Based Access Control. The document also contrasts modern IT solutions, such as user and entity behavior analytics, and stresses the need for modern security techniques in OT systems.

ObjectSecurity’s technologies directly address these needs. BinLens™ provides deep binary and firmware analysis for OT devices, enabling organizations to uncover vulnerabilities, hidden components, and risky behaviors, all without the need for source code. This supports Zero Trust requirements such as device inventory, risk scoring and supply-chain validation. BinLens can operate with no network access and is ideally suited for secure environments.
Our other product, FortiLayer™, analyzes the AI and analytics components that Zero Trust increasingly depends on. FortiLayer detects vulnerabilities in machine-learning models, identifies adversarial weaknesses, and automates robustness testing. BinLens and FortiLayer give organizations the software assurance and AI integrity needed to confidently implement the Pentagon’s Zero Trust vision for securing OT systems.





