While the mandate for military and defense agencies to achieve a targeted Zero Trust architecture by 2027 does not include weapons systems such as tanks or aircraft, senior officials say IT systems supporting weapons platforms are subject to Zero Trust requirements. I think it should be targeted.
“There are a number of support systems that support these weapon systems, which are essentially IT systems that are similar to regular networks and computers. They are part of NIPR and SIPR, so we We believe it should be covered,” David McCune, the Pentagon's chief information security officer, said Wednesday at the Pentagon Zero Trust Symposium.
“A real weapon system platform — we're going to continue to work on how we can adopt that. sometimes referred to as parts of or the weapons systems themselves, but yes, they should be subject to obligations.”
While it's nearly impossible to retrofit Zero Trust into some weapons systems that are already built, the Department of Defense's Office of the Chief Information Officer is considering implementing IT infrastructure for functions such as command and control, logistics, and maintenance. We are working to reach our zero trust target level by 2027. .
“We're going to continue to look at other areas. Zero trust for weapons systems is going to be a huge undertaking. We have to figure out how to make it happen. It's one thing to do it with weapons systems, weapons platforms, operational technology, etc.,” said Pentagon CIO John Sherman.
In 2018, the Government Accountability Office reported that the Department of Defense “regularly” discovers cyber vulnerabilities in weapons systems late in the development process. Although the department made some progress through 2021, it failed to incorporate cybersecurity requirements into contracts. The watchdog said some contracts contained no language regarding cybersecurity requirements at all.
OT, including weapon system cybersecurity from the beginning
Darryl Hegley, the Air Force's technical director for control systems cyber resiliency, said it's important for the Department of Defense to incorporate operational technology into all planning processes as it moves toward zero trust.
“One of the things I really want to do is bring OT into every planning process to make sure we're considering the full scope of OT when discussing how solutions are integrated. “Including IT. We haven't yet found an IT system that can operate without OT. But we still haven't applied cyber to OT,” Hegley said.
Last year, Hegley's team conducted a Zero Trust pilot at Spangdahlem Air Base in Germany. The team dispatched to the base was able to target 38 out of 91 operations to protect five water systems and his two sewage systems.
The Zero Trust Portfolio Management Office funded the pilot, which began operations in December. This project has shown promising results regarding the security of his OT using Zero Trust principles, but among other things in the Department of Defense's efforts to apply Zero Trust not only to networks but also to operational technology systems Gaps in coordination remain.
“There is a lot of innovation in the world, and vendors [zero trust] Solutions applicable to OT. What we learned from that process was just a lack of coordination with other parts of the Department of the Air Force,” Hegley said.
Copyright © 2024 Federal News Network. All rights reserved. This website is not directed to users within the European Economic Area.
