Zero Trust in Operational Technology: Securing Mission-Critical Systems Without Breaking Them

As DOD formally extends Zero Trust principles into operational technology environments, agencies must secure machines, sensors and industrial systems without compromising availability or safety.

In July 2025, the Department of Defense issued Directive-Type Memorandum 25-003, formally advancing implementation of the DOD Zero Trust Strategy across the enterprise. The directive makes clear that Zero Trust is not limited to enterprise IT networks. It must be incorporated into acquisition strategies, sustainment planning and defense critical infrastructure, including operational technology environments.

This is not a future aspiration. DOD Components are required to achieve, at minimum, target level Zero Trust across unclassified and classified systems by the end of fiscal year 2030. That requirement extends into systems that operate factories, energy systems, logistics hubs, airfields and other mission-critical environments.

Zero Trust has entered the world of operational technology. And that changes the conversation.

Operational Technology Is Not Enterprise IT

Operational technology, or OT, includes the sensors, controllers, robotics and industrial systems that monitor and manage physical processes. These systems often support mission-critical functions where availability and safety take precedence over other priorities.

DOD’s Zero Trust guidance for OT acknowledges that applying standard IT security approaches to OT environments can be ineffective and potentially dangerous. OT environments commonly rely on legacy equipment, specialized industrial protocols such as OPC UA, EtherNet/IP, DNP3, Modbus, BACnet and PROFINET, as well as engineering workflows that differ significantly from enterprise IT operations.

In many OT environments, strict safety requirements and mission criticality mean that availability is prioritized over confidentiality and integrity. Shutting down a network segment for patching or aggressively scanning devices may be routine in IT. But in OT, those actions can disrupt operations or introduce unacceptable risk.

As such, Zero Trust in OT cannot simply replicate enterprise IT playbooks.

Why Traditional Zero Trust Approaches Fall Short in OT

Enterprise Zero Trust models often focus on user authentication, endpoint detection, micro-segmentation and continuous monitoring across corporate networks. Those controls remain important, but OT environments impose additional constraints.

Low-level process controllers may have limited computing capacity and are closed environments that cannot be modified. Latency introduced by security layers can interfere with time-sensitive operations. Some industrial protocols lack native support for modern security controls.

Workforce skill sets also differ. OT environments rely on engineers and operators whose primary responsibility is maintaining safe and reliable operations.

Implementation requires careful risk mitigation, testing in simulated or controlled environments and modifications to traditional Zero Trust activities to account for OT constraints.

In short, Zero Trust in OT must be retrofitted and engineered, not imposed.

Identity for Machines: A Practical Path Forward

If traditional IT-centric controls are insufficient, what does effective Zero Trust in OT look like?

At its core, Zero Trust is about enforcing trust decisions based on verified identity, not network location. In OT environments, that principle increasingly applies not only to users but, importantly, also to machines.

Devices, applications and services that interact across operational networks must be able to prove what they are before exchanging data. That includes sensors, controllers, HMIs, engineering workstations, robotic systems, cloud-connected workloads, even AI agents.

This is where machine-to-machine identity becomes critical.

Corsha, a leader in machine identity and operational technology security, has focused specifically on bridging the OT-IT divide. Its platform enables devices and workloads to authenticate to one another using dynamic identities, enforcing least-privilege access without introducing disruptive overhead.

“The pressure to connect and make data-driven decisions is forcing industrial environments away from flat networks where OT is air-gapped and disconnected from IT networks. In that new environment, the mandates around Zero Trust provide a perfect framework and a fantastic opportunity to reimagine and rebuild the foundation for a smart, secure and connected industrial infrastructure,” said Anusha Iyer, founder and CEO of Corsha.

Corsha’s approach aligns with DOD priorities around credentialing, role-based access, privileged access management and strong authentication mechanisms in OT environments. By anchoring trust in machine identity security rather than network assumptions, agencies can strengthen security without forcing wholesale architectural changes that jeopardize availability.

“Frameworks from NIST, DOD and global regulators are now moving from concept to deployment,” Iyer said. “And now, in 2026, organizations must adopt practical playbooks centered on identity-first verification, segmentation and authenticated communication. Zero Trust for OT is now a measurable, enforceable discipline.”

Corsha has already achieved an Authority to Operate within federal environments, a significant milestone that reflects both technical maturity and alignment with federal security requirements. For agencies seeking to operationalize Zero Trust in OT, identity-driven platforms such as Corsha are becoming essential as machine-driven infrastructure accelerates across sectors.

“Machine-to-machine activity over networks is exploding. In fact, automated communications are more than 100 times more abundant than human-initiated communications, and continue to grow every day,” Iyer notes. “That is forcing security teams to rethink their old authentication, telemetry and operational models that were built for human users, not the hyper-connected, fast-moving environments that are becoming foundational today.”

For more information about Corsha and its innovative approach to securing machine identities, you can visit their web pages at https://corsha.com.

Securing the Operational Systems That Run the Real World

As operational systems connect to enterprise networks and cloud platforms, the boundary between IT and OT continues to narrow. Data from industrial systems feeds analytics platforms. Cloud applications manage physical assets. Third-party software vendors integrate into operational environments.

That connectivity creates enormous opportunity. It also increases risk.

DOD has made it clear that Zero Trust principles must be embedded into acquisition strategies and supply chain risk management. But this challenge does not stop at federal installations. The same dynamics are playing out in oil and gas, utilities, manufacturing, transportation and companies building autonomous systems and electric vehicle infrastructure.

When operational systems control pipelines, cooling systems, power grids, production lines or vehicle fleets, failure is not theoretical. It can halt energy distribution, disrupt supply chains or endanger public safety.

Popular culture imagines worst-case scenarios like Skynet or The Matrix, where autonomous systems spiral beyond human control. While those examples are fictional, the underlying concern is not. As machine-to-machine communication scales and operational environments become more automated, security controls must evolve just as quickly.

Identity-based Zero Trust in OT is not about fear. It’s about discipline. It ensures that every device, workload and system interaction is authenticated, authorized and continuously validated before trust is granted. That is how organizations prevent cascading failures, lateral movement and unintended system manipulation.

From Mandate to Measurable Protection

Policy direction and technical capability must translate into execution.

Implementing Zero Trust in OT requires coordination between cybersecurity teams, engineers, acquisition professionals and mission owners. It requires solutions that respect safety and availability while still meeting DOD mandates.

That is where a partner like SD3IT makes the difference.

As a solution aggregator, SD3IT aligns policy, engineering and acquisition. We integrate platforms such as Corsha into broader architectures that are practical, compliant and sustainable. We help agencies and critical infrastructure operators move from directives to deployment without disrupting the systems they depend on.

That’s because Zero Trust in OT is not a product purchase. It is an architectural commitment, and one that we know how to safely and successfully implement.

Organizations that act now, before mandates tighten further and machine-to-machine activity accelerates yet again, will be better positioned to protect their most important assets. The alternative is waiting until a breach, disruption or new regulations drive change under pressure.

Critical infrastructure must be protected in a way that secures machine communication without disrupting the systems that it supports. At its core, Zero Trust in OT is not just about securing networks. It is about ensuring that autonomy never outruns accountability in the systems that power the real world.

To explore more insights on innovation, technology trends and issues shaping the IT landscape today, visit the Inside the Mission with SD3IT blog pages where we regularly share practical perspectives from the field. As these challenges grow more complex and timelines continue to tighten, organizations should take time to reassess and prioritize their most mission-critical needs. To learn more about SD3IT and how we help organizations plan and act decisively in uncertain conditions, visit our website or reach out and contact us to start the conversation.