Internet of Things (IoT) devices—small form-factor, sensor-based, task-specific hardware—have proliferated across military operations over the past several years. They are used in everything from weapons systems to warfighter wearables to base defense and building operations. The global Military IoT, or MIoT, market is worth $41 billion and is anticipated to reach $109 billion by 2030.
MIoT devices are used to support situational awareness, cybersecurity and communications, to name a few. Adoption of the devices has been amplified mainly through procurement processes that value price over security. In many cases, lowest-price-technically-acceptable procurements are the reason that many military enterprises have persistent cyber-attack vulnerabilities.
Yet with billions of devices already deployed and many more coming, MIoT remains a large, relatively unprotected attack surface area for adversaries looking to compromise our defense operations. These devices present unique security hurdles due to their diverse, unstandardized ecosystems, varied protocols, updating and patching challenges and lack of compute power, storage space and/or battery power to execute common commercial security defenses. That puts them at odds with the paradigm that is driving much of federal and defense cybersecurity strategy — zero trust.
In the past five years, there’s been a lot of ink spilled about zero trust as both a “goal” and as a set of tools and practices for security professionals. The goal of zero trust is to safeguard government agencies and companies from both inside and outside threats. Zero trust strategies promote tools, devices, and specific ways of doing things to constantly check and make sure everything and everyone accessing the organization’s data is legitimate and authorized.
The zero trust security framework, which includes tools, hardware and procedures, relies on continuous verification and focuses on software-centric data protection and managing user access. However, a zero trust model does not specifically address hardware devices – like MIoT – within the enterprise.
In an ideal state, these devices would rely on onboard hardware encryption; where it is absent, a zero trust implementation is left with limitations it cannot fully close. That significant gap, largely omitted in the volumes of current literature, solutions, and practices, overlooks what to do with the physical devices that collect, process, store, and transmit all of an agency’s data—and which comprise much of the digital attack surface. This weakest link leaves adversaries with a sizeable sandbox to play in, even when zero trust technology is utilized.
Many vendors will point to the data coming to and from an MIoT device as being encrypted and therefore safe. Users also often conflate “hardware encryption of the data collected and transmitted” by a device with the actual encryption and hardening of the device itself. Hardware encryption does in fact provide an additional layer of protection, without which sensitive data may be more vulnerable to theft or compromise if other security measures fail.
However, the assumption that “secure data is good data” is a recipe for disaster. It ignores the gaping hole in a zero trust solution where an adversary is already inside a defense network sending corrupted but encrypted data out to network consumers. Compromising the network can originate through myriad tactics, techniques and procedures used by threat actors, including breaching MIoT devices. Perhaps surprisingly, it is even possible for these devices to be breached through both close network access and physical access.
Consequently, even secured data gets compromised before transmission or storage. Think of it like corrupting medication at the factory before the tamper seal is put on. Imagine the myriad adverse consequences that could result from data corruption accomplished by breaching just one or a few seemingly minor MIoT devices connected to a weapons system, a warfighter’s person, or a data center.
Broadening the model
To be sure, hardware encryption, while critical, is not a substitute for the other necessary layers of a comprehensive zero trust security strategy: identity and access management, micro-segmentation, continuous monitoring, strong authentication and more. Defense organizations can still achieve robust security for devices within a zero trust framework even if the devices do not support onboard hardware encryption, but they must carefully consider and address the limitations by implementing alternative security measures and best practices.
As mandated by the 2022 DoD Zero Trust Strategy, zero trust is clearly essential to future defense network security. The concept of integrating MIoT into a zero trust strategy is gaining traction as a critical defensive construct, and is increasingly recognized as beneficial for comprehensive cybersecurity. However, there is still a lack of both guidance and proper tools and practices to bring MIoT into a true zero trust framework.
Since the zero trust ethos of “never trust, always verify” has centered around people and data, the vendors and consulting companies that endlessly promote the promise of zero trust have created a false sense of security for defense organizations that now rely on a staggering number of inherently vulnerable devices. Until a concerted effort is undertaken to harden and reduce the vulnerabilities embedded in those MIoT devices, zero trust will at best be a limited promise instead of a true, comprehensive “solution” available to our military and integral to our national defense.
Paul Maguire is CEO and co-founder of Knowmadics, a Herndon, Va.-based supplier of risk management products and services to government and industry.