The Lawfare Podcast Summary: The Military’s Operational Technology Cyber Vulnerabilities

Date: January 27, 2026
Host: Justin Sherman (Lawfare)
Guests: Andy Grotto (Stanford Program on Geopolitics Technology and Governance), Jim Dempsey (UC Berkeley Law School)

Overview

This episode discusses the cyber vulnerabilities in U.S. military operational technology (OT) systems, especially those critical to domestic military installations. Drawing on a major recent study (“Ensuring the Cyber Resilience of Critical Infrastructure Serving Domestic Military Installations”), the conversation explores the dependence on civilian infrastructure, the unique risks posed by OT, known adversary activity (focusing on the Chinese PLA and others), systemic regulatory gaps, and challenges/opportunities in procurement and future policy. The episode offers actionable recommendations and an inside view into the cyber risk landscape confronting military and national security decision-makers.

Key Discussion Points and Insights

1. Motivation and Scope of the Study

• Andy Grotto shares his longstanding concern about adversaries surveilling and penetrating American critical infrastructure, noting increased OT complexity versus IT:

  “OT operational technology presents a different set of challenges than IT...applying all the insights and lessons from IT to OT directly isn’t as straightforward.” (03:51)

• The study partnered with Army Cyber Institute at West Point, pre-dating major public revelations about Volt Typhoon Chinese PLA intrusions on critical infrastructure.
• Key research question: How do local Army installations and their critical infrastructure providers understand and manage risk? (03:48)

2. How Vulnerabilities Are Mapped

• Research used only open-source methods to identify critical dependencies (electricity, water, rail, etc.) at two Army installations.
  • Findings:
    • Significant public data is available via government contracts, press releases, environmental reports, and federal databases.
    • A detailed infrastructure map (30 hours/investigation) is possible without proprietary access.

    “There’s a lot of information out there. And as Andy said, we’re not even talking about what an adversary could obtain by illegal means. We were just talking 100% open source.” — Jim Dempsey (08:25)

3. Military Installations’ Dependence on Civilian Infrastructure

• “US military installations...are dependent on civilian critical infrastructure almost without exception...” — Andy Grotto (09:33)
• Even on-base generation is often built, owned, and/or operated by contractors, compounding vulnerability to OT flaws. (10:48)

4. Adversary Activity and Threat Landscape

• Multiple years of unambiguous government warnings: Russian, Iranian, and Chinese state actors—plus “unsophisticated,” activist, or proxy groups—are already in U.S. infrastructure.

  “These reports are not hypotheticals…they are reports of finding the bad guys in our network.” — Jim Dempsey (15:21)

• OT attacks are escalatory and fundamentally different from espionage:

  "There is no real intelligence value to breaking into those networks...It’s the ability to then or in the future hold that asset at risk for disruptive purposes." — Andy Grotto (20:54)

• Integration of IT and OT means even conventional IT ransomware can force operational shutdowns (e.g., Asahi Brewing, Jaguar Land Rover). (21:27)

5. Core OT Vulnerabilities

• Vulnerabilities are widespread, fundamental, and cross-sectoral:
  • Default/no passwords
  • Unencrypted communications between sensors/controllers
  • Software flaws like buffer overflow
  • Known vulnerabilities in widespread products (e.g., Siemens, Schneider Electric, Rockwell Automation)
• Human factors: Installers/users often disable or override built-in security. (29:06)
• Nearly 80% of industrial network devices tracked by Microsoft in 2023 had known vulnerabilities. (29:03)

6. The ‘Air Gap’ Myth

• Simply disconnecting OT from the Internet is rarely true in practice.

  “The benefits of internet connectivity...are so great that it’s unavoidable…Devices get connected. And we cannot assume...that the device is not accessible by the Internet.” — Jim Dempsey (34:19)

• Trend toward increased OT interconnectivity, especially with AI and optimized operations. Risk management becomes optimizing risk vs. benefit. (35:42)

7. Regulatory Gaps: Inside vs. Outside the Fence

• Inside the Fence:
  • The Department of Defense (DoD) is spending billions to build “islanded” (self-sustaining) infrastructure, but often imports same vulnerabilities via contractors.
  • Case: Camp Lejeune used internet-connected Chinese-made batteries installed by a civilian provider; the intended security is undercut. (39:33)
• Outside the Fence:
  • Regulatory landscape is a “patchwork,” with some sectors unregulated (water, last-mile pipelines), others covered by self/co-regulation (bulk power).
  • OT is generally not included in procurement standards (unlike IT, which now enforces CMMC controls). (43:42)

8. Procurement as a Policy Lever

• Government could, but (so far) largely does not, use procurement contracts to mandate OT security standards.
  • First step: Inventory what’s already on bases (“Right now, no one really knows how many China made products are on US military bases in critical infrastructure.” — Jim Dempsey (44:06))
  • Recommend: Develop and incorporate OT security language akin to existing NIST IT procurement requirements.

  “We need...criteria for contractors on the OT side similar to what we have on the IT side.” — Jim Dempsey (47:56)

• Success depends on providing resources to providers that operate on thin margins (e.g., water).

  “If the government, Congress, the executive branch were willing to pay...I think that’s a completely different conversation.” — Andy Grotto (50:19)

9. The Road Ahead: What’s Next?

• The CMMC program (currently IT-focused) may eventually inform OT requirements as experience accumulates.
• Both guests are cautiously optimistic: Pentagon leadership is aware, threat urgency is high, and the first step—an actual inventory—may unearth shocks that provoke real change.
• Major roadblock: Who pays for improved resilience—the government or private utilities? (51:54)

Notable Quotes & Memorable Moments

• Addressing the “security myth” of disconnection:

  "Forget it, that the benefits of Internet connectivity, the benefits by the way of connecting your IT network and your OT network are so great that it’s unavoidable. And even though you may have a policy or a guideline, don't connect...devices get connected." — Jim Dempsey (34:19)

• On the regulatory patchwork:

  “Jim has used this great phrase about critical infrastructure cyber regulation in the United States as kind of this patchwork quilt.” — Andy Grotto (36:43)

• On why adversaries target OT:

  “Attacks on OT are escalatory in a way that espionage is not.” — Andy Grotto (20:41)

• On the need for procurement reform and inventory:

  “First we need and what we recommend in the paper is first we need an inventory. The start of any cybersecurity program is inventory. What's on your network, what's connected to your network?” — Jim Dempsey (45:08)

Timestamps for Important Segments

• Framing the Study, Motivations & Approach: 03:48 – 06:16
• Findings from Open-Source Dependency Mapping: 06:16 – 09:33
• Military’s Civilian Infrastructure Reliance & Vulnerabilities: 09:33 – 11:56
• Survey of Adversary Intrusions and Policy Blindspots: 15:21 – 20:11
• Nature and Prevalence of OT Vulnerabilities: 23:50 – 29:31
• The Air Gap Myth and Interconnectivity Realities: 33:45 – 35:42
• “Inside the Fence” and “Outside the Fence” Security Programs: 38:43 – 43:42
• Procurement Power and Policy Recommendations: 44:06 – 48:13
• Future Outlook: Will, Obstacles, and Urgency: 51:18 – 53:40

Final Takeaways

This episode underscores a critical national security concern: U.S. military and national defense rely on a civilian-run, vulnerable, and poorly regulated patchwork of operational technology systems. Adversaries are already present in domestic critical infrastructure, regulatory controls lag behind current technological and threat realities, and current solutions are incomplete or import new risks (as with connected Chinese-made components). Concrete, urgent steps—like comprehensive inventory, targeted procurement standards, and funding for improved resilience—are needed to address what the guests view as a pervasive, well-understood, but insufficiently prioritized set of risks.