For years, I’ve been saying it; my partners in the OT Zero Trust Alliance (OTZTA) have been saying it. My friends and colleagues in the OT/ICS community are tired of hearing it. Frankly, every plant manager I’ve ever met has been screaming it: Operational Technology is not IT.
You cannot just take a firewall designed for an email server, slap it in front of a 30-year-old PLC running a water treatment plant, and call it secure. You’ll either break the process, or you’ll leave the door wide open because you’re too afraid to turn on the active scanning.
That is why the release of the Department of War’s new Zero Trust for Operational Technology guidance is such a watershed moment.
With this document, the DoW has officially recognized that the copy-paste approach from Enterprise IT to the tactical edge doesn’t work. They have codified what we’ve known all along: that availability and safety are paramount, and that achieving Zero Trust in these environments requires a different architectural approach: one focused on visibility, segmentation, and what we at BlastWave call "network cloaking."
I am incredibly proud to say that the OTZTA didn’t just watch this happen from the sidelines. We were in the trenches. Specifically, the work we did at Spangdahlem Air Base in Germany became a crucible for proving these concepts. When BlastWave deployed there (bringing Nozomi and Darktrace with us), we weren't just installing software; we were stress-testing the very idea of Zero Trust in a live, mission-critical defense environment. And this wasn’t just a random environment. It was one that we all depend on: protecting drinking water, a theatre that has been under siege by malicious actors in the past few years.
At Spangdahlem, we faced the classic DoW challenge: critical infrastructure (like water and wastewater systems) that needed to be secured against sophisticated nation-state actors, but ran on legacy equipment that couldn't be patched or scanned in traditional ways.
By implementing our software-defined perimeter, we were able to "cloak" those critical assets, making them invisible to unauthorized users while maintaining operational continuity. We proved that you could meet the rigorous demands of Executive Order 14028 and the targeted Zero Trust activities without ripping and replacing the infrastructure that keeps the jets flying.
That deployment helped illuminate a critical lesson for the DoW: the requirements for OT are distinct. You need passive visibility (like that from our partners at Nozomi and Darktrace) combined with active, deterministic enforcement that doesn't rely on constant cloud connectivity or heavy agents.
This guidance validates the vision of the Operational Technology Zero Trust Alliance. When I founded the OTZTA, it was born out of a realization that no single vendor solves the entire problem, a point Randy Resnick, who runs the DoW Zero Trust Portfolio Management Office, explicitly made to me. The DoW doesn't need a "BlastWave solution" or a "Dragos solution"; they need a mission solution.
The new guidance breaks down silos, requiring a stack that spans from the Device Pillar (inventory and health) to the Network Pillar (segmentation and encryption). It’s a roadmap that requires the exact kind of interoperability we’ve built between BlastWave’s enforcement layer and the visibility and analytics provided by our alliance partners.
To our partners in the DoW and the Warfighting community: this document is your green light. It’s permission to stop forcing square IT pegs into round OT holes. It’s a mandate to secure your control systems in a manner that respects the process's physics.
Both BlastWave and the Alliance will be releasing several supporting documents and activities to help DoW accelerate their path to Zero Trust. The first one explores how BlastWave helps DoW comply with the toughest Zero Trust challenges of segmentation and network cloaking, and the next will be a more comprehensive OTZTA view on compliance.
Here is the BlastWave white paper, Invisible OT: How to Hit DoW’s Zero Trust for OT Timeline Without Touching a Single PLC, and if you are a DoW partner or customer and are interested in seeing this live in action, contact us today.
Let’s get to work.
— Tom Sego, CEO of BlastWave and Founder of the OT Zero Trust Alliance