The Pentagon’s Operational Technology Problem
Published by The Lawfare Institute
Secretary Pete Hegseth has consistently said that his defining priority is to ensure the lethality of America’s warfighters. This obviously depends on their having the most advanced and effective tanks, drones, missiles, and warships. The military doesn’t produce these things itself. Instead, it relies on private contractors to supply the tools of war. Faced with massive dysfunctionality in the procurement process, Hegseth recently directed a major reform of military acquisitions, “to accelerate fielding of urgently needed capabilities to our warriors” and “maximize their combat readiness.”
Lethality, however, also depends on some pretty mundane things, like electricity, oil and gas, water, telecommunications, and rail transit. An interruption in any one of them could disrupt and delay force projection.
For almost all of these critical services, military installations in the U.S. are dependent on private contractors. That’s because most critical infrastructure in the United States is owned and operated by the private sector. (Much of what isn’t owned privately is owned by municipalities, counties, and rural cooperatives, which also contract with the Pentagon.) Those contractors are, in turn, dependent on operational technology (OT): sensors, regulators, switches, valves, and other devices that monitor and control physical processes. That OT—like the information technology (IT) that has long been the focus of national cybersecurity policy—is vulnerable to cyberattack. The evidence is clear: Foreign adversaries have targeted, and have succeeded in gaining access to, the OT of critical infrastructure.
The U.S.’s regulatory framework for the cybersecurity of this critical infrastructure is fragmented and full of gaps. Directives on gas pipelines do not apply to the last mile that delivers product to military bases. Federal regulations for the bulk electric system do not extend to the distribution lines bringing power to many installations. Water—vital for life and industry—is effectively unregulated for cybersecurity. (The Environmental Protection Agency floated a draft cybersecurity rule in 2023 but withdrew it after state attorneys general and the water industry sued.)
It is unlikely that a system of laws and regulations for OT cybersecurity will be stitched together to cover these holes anytime soon. Therefore, the Pentagon should use the lever that, for all of its limitations, may be the most flexible and most impactful: the power to set standards for the services it purchases. Currently, however, the U.S. military lacks contract language defining cybersecurity controls for OT. The procurement mandates that do exist focus on IT, not OT.
Over the past two years, we have conducted research on this issue with support from the Army Cyber Institute at West Point. We recently published our findings in the Cyber Defense Review, which we highlight below.
Forget the Myth of the Air Gap
In the past, OT was considered secure from cyber compromise because it was assumed to be separated from IT systems and the internet—a form of protection known as “air-gapping.” However, in our research we consistently heard that air-gapping is a myth, and has been for some time. OT is often digital. To take advantage of considerable new functionality, OT is increasingly connected to the internet. Worse yet, U.S. officials have found that some China-made infrastructure devices have unexpected connection capabilities.
For this reason, the Pentagon’s major effort to “island-off” military installations from public networks by building on-base capabilities may be to no avail. Inside-the-fence assets may be connected to the IT systems of the contractors that build them or have other paths to the internet. Inside-the-fence assets also often use the same vulnerable OT devices found outside-the-fence. Indeed, building on-base utilities may actually bring cyber vulnerabilities inside the fence, as the Marine Corps learned when it realized its contractor for an on-base energy grid had installed China-made batteries with internet capability.
Inventory Devices and Connections, and Define Contractual Requirements
The Pentagon can use its procurement power to address OT cybersecurity in utilities critical to its warfighting mission. It should begin, as all cybersecurity should begin, with an inventory of assets, inside and outside the fence. Conveniently, in August, the Cybersecurity and Infrastructure Security Agency issued guidance outlining a process for OT owners and operators to create an asset inventory. The assessment should identify pathways between OT systems and the internet as well as vulnerable equipment, including not only China-made devices but also products made outside of China that contain known vulnerabilities. Maybe we’re wrong, and the utilities serving U.S. military installations are uniquely air-gapped and have few or no China-made products—but right now, no one knows for certain.
Assuming such an inventory reveals the vulnerabilities we suspect it will, it could inform immediate mitigation efforts. It could also spur the Pentagon to develop prioritized and measurable controls for OT that can be required of critical infrastructure contractors inside and outside the fence, discussed in more detail below. The trend is only going to be toward more internet-capable OT. The time to start insisting that it be protected against foreign adversaries is now.
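The two paragraphs above describe a procedure: inventory every OT asset inside and outside the fence, record each device's paths toward the internet (direct, or via a contractor's IT network), match products against published vulnerability advisories, flag China-made devices, and use the result to prioritize mitigation. The script below is an added illustration of that triage step, written for this page rather than taken from the article, CISA guidance, or any Pentagon program. It assumes the inventory has already been collected into `OTAsset` records; every device name, vendor, connection label, advisory id and the scoring weights are constructed placeholders, not real products or identifiers.

```python
# Added example (not from the article): a small triage pass over an OT asset inventory.
# It assumes an inventory has already been collected and expressed as OTAsset records;
# all device names, vendors, advisory ids and connection labels below are constructed.
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class OTAsset:
    asset_id: str
    device_type: str
    vendor: str
    country_of_origin: str        # ISO country code of the manufacturer, as recorded in the inventory
    location: str                 # "inside-fence" or "outside-fence"
    product: str                  # vendor + model string used to match advisories
    connections: tuple[str, ...]  # network paths the device has, e.g. "plant-lan", "cellular-modem"


# Connection labels that give a path from the OT device toward the public internet,
# directly or via a contractor's IT network (the "air gap" that is not one).
INTERNET_REACHABLE = {"internet", "contractor-it", "cellular-modem"}

# Constructed stand-in for a feed of published OT advisories, keyed by product string.
# The advisory ids are placeholders, not real identifiers.
KNOWN_VULNERABLE: dict[str, tuple[str, ...]] = {
    "ExampleCo RTU-7": ("ADVISORY-PLACEHOLDER-001",),
    "WidgetWorks PLC-100": ("ADVISORY-PLACEHOLDER-002", "ADVISORY-PLACEHOLDER-003"),
}

# Countries of origin the inventory owner has decided to flag explicitly.
FLAGGED_ORIGINS = {"CN"}


def exposure_paths(asset: OTAsset) -> list[str]:
    """Return the device's connections that lead toward the internet, sorted."""
    return sorted(c for c in asset.connections if c in INTERNET_REACHABLE)


def findings(asset: OTAsset) -> list[str]:
    """Human-readable reasons an asset needs attention."""
    out = [f"reachable via {p}" for p in exposure_paths(asset)]
    for adv in KNOWN_VULNERABLE.get(asset.product, ()):
        out.append(f"known vulnerability: {adv}")
    if asset.country_of_origin in FLAGGED_ORIGINS:
        out.append(f"flagged origin: {asset.country_of_origin}")
    return out


def risk_score(asset: OTAsset) -> int:
    """Simple additive score: exposure dominates, then known vulnerabilities, then origin."""
    score = 0
    paths = exposure_paths(asset)
    if paths:
        score += 3 + (len(paths) - 1)   # any path is serious; each extra path adds one
    if asset.product in KNOWN_VULNERABLE:
        score += 2
    if asset.country_of_origin in FLAGGED_ORIGINS:
        score += 1
    return score


def triage(inventory: list[OTAsset]) -> list[tuple[str, int, list[str]]]:
    """Rank assets for mitigation: highest score first, ties broken by asset id."""
    ranked = [(a.asset_id, risk_score(a), findings(a)) for a in inventory]
    ranked.sort(key=lambda r: (-r[1], r[0]))
    return ranked


# Constructed sample inventory covering both sides of the fence.
SAMPLE_INVENTORY = [
    OTAsset("substation-rtu-01", "RTU", "ExampleCo", "CN", "outside-fence",
            "ExampleCo RTU-7", ("plant-lan", "cellular-modem")),
    OTAsset("bess-controller-02", "battery-controller", "ExampleBatt", "CN", "inside-fence",
            "ExampleBatt BMS-2", ("internet", "contractor-it")),
    OTAsset("water-plc-03", "PLC", "WidgetWorks", "US", "outside-fence",
            "WidgetWorks PLC-100", ("contractor-it",)),
    OTAsset("valve-actuator-04", "actuator", "WidgetWorks", "DE", "inside-fence",
            "WidgetWorks ACT-9", ("plant-lan",)),
]

if __name__ == "__main__":
    for asset_id, score, why in triage(SAMPLE_INVENTORY):
        print(f"{score:2d}  {asset_id:20s} {'; '.join(why) or 'no findings'}")
```

The point of the ranking is the one the article makes: an inside-the-fence battery controller with two routes to the internet lands near the top of the list even though it matches no advisory, while a device with no recorded path toward the internet ranks last only as long as the inventory of its connections is complete.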
It may come as a surprise that the U.S. military has no contract requirements for how its outside-the-fence contractors operate OT, especially since the Pentagon is currently implementing a major program aimed at hardening the IT of its contractors against cyberattack. Known as Cybersecurity Maturity Model Certification (CMMC), the program springs from the fact that the military provides its contractors with a great deal of sensitive information. Although this information is unclassified, it could still be of value to an adversary. Consequently, for almost a decade most Pentagon contracts have included a clause requiring contractors to implement a set of cybersecurity controls defined by the National Institute of Standards and Technology. Now, with the CMMC, the department is moving forward with a certification system intended to better ensure that contractors and subcontractors actually implement the IT controls required in their contracts.
The electric utility contracts for U.S. military installations we looked at contained the clause requiring cybersecurity controls on the contractors’ corporate IT networks. But there is no contract clause for OT. To be sure, the military does have some OT criteria documents for on-base construction, but the controls in them were not designed specifically for OT and we could find no evidence that there is ever any scrutiny of compliance with them.
The Pentagon should accelerate the development of specific, prioritized OT cybersecurity requirements to be incorporated in contracts for inside-the-fence and outside-the-fence utility services. This should include attention to the sensors, actuators, and other devices collecting physical-world data at the very foundation of OT systems. A good starting point would be the controls in a suite of standards adopted by the International Society of Automation specifically for industrial automation and control systems. The National Security Agency has recently built on these controls with recommendations for OT in systems under its purview. Implementation of OT security requirements for utilities serving military installations should assume that on-base and off-base OT systems will not be air-gapped and will include China-made devices, so the focus should be explicitly on resistance to compromise in systems that are connected and use China-made devices.
Several times a week, the Cybersecurity and Infrastructure Security Agency issues alerts describing newly discovered vulnerabilities in OT devices widely used in critical infrastructure. With Chinese, Russian, and Iranian hackers already observed in U.S. critical infrastructure, reforms to accelerate procurement of more lethal weapons would be wasted if there is not also reform aimed at the basic utilities that support the readiness and deployment of those very weapons.
