
Disruptive By Design: Mission Critical: Protecting Operational Technology on Military Bases

By Kam Chumley-Soltani

While cybersecurity initiatives supporting the military have traditionally focused on protecting the Pentagon’s information technology (IT) assets, there has recently been broad recognition within the Department of Defense/War that modern military bases rely on far more than IT to successfully conduct missions. The military increasingly relies on an operational technology (OT) ecosystem to support daily operations and mission readiness and to enable secure mission-critical functions. While these systems often operate in the background, their reliability and security are foundational to a base’s ability to function. 

For example, OT on military installations supports water treatment and distribution systems that provide potable water and fire suppression capabilities. Without power generation and transmission systems to supply electricity to command centers and communications infrastructure, basic operations would be impossible. OT is also essential to safe flight operations, supply chain and logistics support (such as fuel storage and delivery systems) and physical security infrastructure, just to name a few mission-critical functions.

Many military bases also operate industrial and manufacturing environments. These may include ammunition production, component fabrication or maintenance and repair facilities that rely on industrial control systems to maintain precision, safety and output. In every case, these technologies support mission execution either directly or through critical dependencies, such as power, water and physical security.

Ownership and operation of these systems are often shared, with the military itself holding responsibility for some and others owned and operated by external utility service providers or contractors. But either way, they typically reside on dedicated control networks where they can be monitored and maintained, and data can be exchanged. This improves efficiency but also expands the attack surface.

Organizations cannot protect what they cannot see. To secure these environments, military cybersecurity professionals need comprehensive visibility and control across the entire architecture as well as continuous monitoring, vulnerability management, network segmentation and secure remote access. Segmentation can be particularly essential because flat networks give attackers opportunities to move laterally across the network, pivoting from less protected systems to more mission-critical ones. Organizations must also configure firewalls with strict, intentional rules to prevent overly permissive communications and unnecessary direct internet access.

These risks are not theoretical. Across industries, OT devices have been discovered exposed on public IP addresses and indexed by open-source intelligence tools, such as Shodan. Systems that were never designed to be internet-facing become vulnerable to reconnaissance, exploitation and disruption when left exposed.

Recent government assessments focused on both U.S. defense and civilian federal agencies have highlighted the urgent need for stronger coordination as these organizations modernize systems and address supply chain risks. On the defense side, this coordination effort must include contractors and suppliers to span the entire defense ecosystem. The Pentagon has begun addressing this through initiatives such as the Cybersecurity Maturity Model Certification (CMMC), which establishes baseline cybersecurity expectations for the defense industrial base.

This brings us back to the need to extend our focus beyond IT and place greater emphasis on OT. CMMC has often been associated with protecting sensitive IT systems, but its scope and implications increasingly extend to OT, particularly where those systems interact with mission-critical enterprise networks, handle controlled unclassified information and have functions managed by contractors. Consequently, OT security has become inseparable from broader defense cybersecurity expectations.

Along similar lines, the Pentagon has also expanded its zero-trust cybersecurity efforts to explicitly include both IT and OT environments. This zero-trust approach focuses on protecting organizations’ digital assets through strong identity verification, least-privilege access, microsegmentation, continuous monitoring and several other security domains. Programs such as Comply-to-Connect further reinforce this direction by ensuring that devices meet security requirements before gaining access to military networks.

While meaningful progress has been made, gaps remain. Defense organizations must be able to assess and secure their environments anytime and anywhere, including in austere, contested or disconnected conditions. Cybersecurity teams need capabilities that allow them to operate effectively across IT and OT networks, whether supporting permanent installations or dynamic operational environments.

As military bases continue to modernize, securing OT is no longer optional. It is fundamental to maintaining readiness, resilience and mission success.
