
New US Air Force Office Will Focus on OT Cybersecurity

Source: Data Breach Today. Archived Apr 15, 2026.

'We've Yet to Find Any Mission That Can Work Without Power or Water'

The Air Force is the first, and so far only, American military service to have an office dedicated to OT cybersecurity, blazing a path other services should follow, according to officials and industry observers. These are systems without which the United States can't go to war.



Shaun Waterman • April 15, 2026

Personnel at U.S. Army Fort Knox in Kentucky monitor power grid connectivity in a photo dated Oct. 24, 2018. (Image: Eric Pilgrim/U.S. Army)

Like the other military services, it took the U.S. Air Force a long time to come to grips with the issue of operational technology cybersecurity.

U.S. officials have warned for years that critical OT systems such as water and power supplies to U.S. military bases at home and abroad are a target of adversaries seeking an asymmetric advantage over the nation's massively powerful military. Knock out the power grid, and an enemy can effectively hamper military readiness.

The Air Force is the first, and so far only, American military service to have an office dedicated to OT cybersecurity, blazing a path other services should follow, according to officials and industry observers. But the struggle to get the office set up also demonstrates the bureaucratic and institutional barriers that have to be overcome.

The Air Force adopted an OT security strategy in May 2021, including a commitment to set up an office to track the issue and oversee policy and execution. It wasn't until 2024 that the Cyber Resiliency Office for Control Systems finally reached initial operating capability, Department of the Air Force Principal Cyber Advisor Wanda Jones-Heath told an industry conference last year. "It took two years of work, two years of documenting why that's important," she said.

CROCS will be a one-stop shop for OT security issues, she said, modeled after the Air Force's Cyber Resiliency Office for Weapon Systems, set up in 2017.

"This office will be what I call the front door," she said of CROCS.

Resources were a challenge, according to CROCS Director Daryl Haegley. The office had just a handful of staff until this year.

A key achievement of the new office, Haegley told Information Security Media Group in his only media interview so far this year, was getting OT security costs included in the Department of Defense's long-term budget-setting process, under which every service and agency issues a five-year plan called a program objective memorandum. Being added to the POM means that the costs of OT security assessments, mitigation and training can be included in the budget for a program of record, like the F-35. Haegley credited defense cyber leaders like Jones-Heath with making the change happen.

Simply adding cybersecurity as an unfunded mandate to overstretched OT engineering teams doesn't work, Haegley said. "We've got people just trying to get scraps to pay for cyber for their infrastructure," he told a DOD zero trust symposium last year, showing a slide of a man burrowing into couch cushions for change.

"There has been an unrealistic expectation," he told ISMG, and even more resources are needed to get the work of securing OT done. "Appealing to the [DOD] cyber community and working with them … has been a successful way of getting funds. And now we'll begin this year to do the assessments, the mitigation and the training."

CROCS "won't be doing the work ourselves," Haegley explained. "But what we do is we ensure that the contracts are in place, the skilled people are in place, the budget goes where it needs to go, and the prioritized list of what needs to happen."

Part of the funding problem is that OT systems are low profile and taken for granted: building entry swipe card readers, HVAC equipment, and fuel depot management systems. And don't forget that U.S. military bases are in effect small towns, reliant on local utilities' OT systems for power and water.

But despite their lack of sex appeal, these are systems without which the United States can't go to war. "We've yet to find any mission that can work without power or water," Haegley said.

Those systems are the target of U.S. adversaries seeking an advantage over the nation's massively powerful military, said Jenn Sovada, a retired Air Force colonel who is now the general manager for public sector at Claroty, an OT security vendor.

Ever since the Russian cyberattack that briefly took down the power grid in part of Ukraine in 2015, it's been clear that OT is a potential target. Ample evidence has accumulated over the last few years that attackers have stepped up attacks against industrial systems, including Chinese nation-state hackers trying to get a clandestine foothold in power and water suppliers in Guam, and attacks on U.S. water utilities by Iranian hackers.

"We know that the water systems have been attacked multiple times," Sovada said. "If we think about President Trump's declaration about turning off the lights in Venezuela, more than likely an OT attack, because it went after the power grid. So as you look at where the threats are, [the vulnerability of OT systems has] become more and more prevalent and more and more to the forefront of people's minds."

She added that it "makes sense that the Air Force would be in the lead," in establishing an office to deal with the OT security issue. "As we've historically seen, the Air Force is traditionally more focused on technology and how technology impacts how we go to war," she said.

A key objective of the new office, Haegley said, is breaking down reporting stove pipes and other silos, so that the Department of the Air Force CIO - who manages networks used by the Air and Space Forces - has the visibility they need to ensure they're properly defended.

The CIO office has authority over hardware and software brought onto service networks, Haegley explained, but "the OT side was not really reporting up into them."

Although OT system owners used the same risk management framework employed for IT systems, "they had these stove pipes of monitoring and reporting." CROCS was created in part to "bring all those together," he said.

The office also coordinates with U.S. Cyber Command, whose unified command plan gives it the responsibility for cyber defense of digital defense assets. "We need to be able to inform them and give them insight into that, and we need to be able to have that kind of awareness of those systems that we have not yet established on par with IT," he said.

Just like in the civilian world, Haegley said, it took a long time for cyber defenders in the U.S. military to recognize the vulnerabilities of OT systems. "Each of the services has its cyber defenders or cyber forces, and they have absolutely been focused for the last 12 years on developing a ready response force to deal with information technology and communications. … What we still need to develop is a similar capability for these OT systems."

That's where CROCS comes in, Haegley said: building a training pipeline that can produce qualified OT cyber defenders, and getting systems in place to report OT security data to Air and Space Force cyber defenders. "CROCS works with Air Force Cyber Command to bring forth what processes, tools and accountability they need," he said.

There are unexpected similarities between military and civilian OT cybersecurity, Haegley said. Even in an organization like DOD, which maintains separate networks at different levels of classification - some even employing their own fiber - it turns out that the air gap is just as mythological as at any large civilian enterprise.

"There are very definitely systems that are not connected to any network," Haegley said.

"Where you lose a little credibility in saying that the air gap is 100% is that those systems still require updates to their hardware, software, and firmware from the manufacturer," which means they have, at least periodically, to be connected to something.

In the civilian world, that's typically a contractor or vendor laptop that's also used for email and internet browsing. In the Air Force, special "clean machine" secure laptops are used. "The vendor puts their update on that laptop, and then we walk it in" to the secure space to connect it to the air-gapped system, Haegley said.

But the DOD's new zero trust standards require continuous monitoring, pointed out Haegley, adding that there are two schools of thought about how to handle this. "One camp says we should just connect it and make it secure, because then I have real-time monitoring, and I know whether an adversary is trying to get in there." But others argue, "No, absolutely make sure it's disconnected, and we'll check it routinely."

CROCS was currently "going back and forth" between the two camps. "We have a call out to industry to help us understand those two risk postures and under which conditions one might be better than the other," he said.

CROCS worked with the DOD CIO office on an OT security work role in the department's Defense Cyber Workforce Framework, Haegley said. DCWF Code 462, Control Systems Security Specialist, is "responsible for device, equipment, and system-level cybersecurity configuration and day-to-day security operations of control systems."

By ensuring that OT cyber expertise is recognized in the DCWF, the work role creates a career path, said Haegley. "We're not expecting the cyber engineer to be the cyber defender. We're still leaning on someone who understands ones and zeros and patterns of adversary capability. But we do need to have those people, cyber people, to understand those engineering systems."