Beyond Zero Trust: OT Security in Focus Amid Shutdown

Cybersecurity experts caution that a prolonged government shutdown could weaken oversight of zero-trust architecture across federal agencies, heightening the need for stronger identity management in operational technology (OT) environments. The lapse could also delay critical cybersecurity measures, including device patches and system updates, according to former Interior Department CISO and zero-trust program manager Lou Eichenbaum.

“I’m very happy to see a greater push on protecting our OT environments and incorporating zero trust principles into them,” said Eichenbaum, who is now federal CTO at ColorTokens after leaving Interior in September.

Amid the shutdown, government is focusing on identity management in OT, Eichenbaum added.

“A lot of talk around greater focus on securing our OT environments because that’s some of our most critical infrastructure, and some of our most critical [internet of things] devices,” said Eichenbaum. “That’s where there’s also a lot of refocus.”

Zero trust has been a cornerstone of government’s latest cybersecurity priorities. Mandated by Office of Management and Budget (OMB) memorandum 22-09, agencies are required to meet specific zero-trust milestones, but Eichenbaum said that layoffs and the voluntary deferred resignation program have shifted zero trust work at agencies.

“[OMB is] talking about resilience, building resilience into networks, which means zero trust,” Eichenbaum said. “I think [Acting OMB CISO] Mike [Duffy] has a great plan and for what he wants to do for zero trust moving forward.”

Last month, Duffy said OMB is evolving its zero-trust implementation plan for agencies.

“How can we make sure that we are building out infrastructure in a smart way [to implement] zero trust?” Duffy said during the Intelligence and National Security Summit in September. “These are important topics as we’re having conversations with industry, with partners, on what aspects of the shared responsibility matrix we are working through.”

A War Department official told GovCIO Media & Research that Pentagon entities have been moving forward with zero-trust deadlines, but the ability to adjust has always been critical given the changing nature of threats.

“We had to be flexible in developing zero-trust plans” before the shutdown, the official said, adding that zero-trust plans are moving forward. The official added that agencies are facing “fewer people and more work” during the shutdown.

The shutdown and recent staff changes make zero-trust implementation harder for agency CISOs, Eichenbaum said. “It’s impossible for agencies to execute right now because they’ve lost so many people,” he added.

A DHS spokesperson said that Cybersecurity and Infrastructure Security Agency (CISA) is continuing to protect networks and work with partners to buttress defenses.

“We’re doing cybersecurity work still on a daily basis,” the spokesperson said in a statement.

Acting CISA Director Madhu Gottumukkala reaffirmed the agency’s commitment to core defensive operations, even while two-thirds of the workforce have been furloughed, and the agency experiences reductions in force.

“Despite the government shutdown and the lapse of the Cybersecurity Information Sharing Act of 2015, CISA remains steadfast in its commitment to protect our federal networks from nation-state adversaries, ” Gottumukkala wrote in a statement last week.