Such access, Sovada adds, could also affect distribution control systems that oversee quality assurance, or supervisory control and data acquisition (SCADA) systems that manage utilities, power, and environmental controls. “It’s broader than just an IT vulnerability,” she says.

The Kansas City incident highlights a systemic problem across the federal enterprise: the disconnect between IT and OT security practices. While the federal government has advanced its zero-trust roadmap for traditional IT networks, similar frameworks for operational environments have lagged, although recent developments point to progress on that front.

“There’s an IT fan chart that maps all of the controls for zero trust, segmentation, authentication, and identity management,” Sovada says. “But there’s also an OT fan chart being developed by the Department of Defense that will define comparable controls for zero trust in operational technology. The goal is to marry the two, so that zero trust becomes comprehensive across all network types.”