With the increased use of “internet of things” devices, sensors, remote technologies, data analytics and artificial intelligence, the boundaries of Department of Defense and intelligence agency networks have expanded exponentially. This opens the door to a new level of communication synergy, as well as new and serious security risks. There are two big challenges when it comes to battlefield communication devices:
- Internet of things device security – As of now, there isn’t even a standard operating system being used for these devices on the battlefield.
- The large scale of internet of things devices – Properly monitoring and governing the sheer volume of internet of things devices and sensors being deployed.
To overcome these, DoD agencies should reexamine their IT infrastructure and consider what will deliver a secure IoT solution: visibility, secure access, segmentation and proactively integrated services.
Visibility is critical to monitoring user activities and identifying the devices involved. Managers also need new network insights to continuously evolve and maintain performance. What devices are connecting, how are they connecting, where are they connecting from, what is the device’s status, and who is the user associated with each device or sensor? DoD network managers need end-to-end visibility to capture this information and use it to inform decision-making.
For example, a new soldier won’t just have a radio. They will have a voice and data radio, a display, bio sensors, other types of sensors and actuators: a plethora of device types associated with that soldier specifically. To improve visibility of devices and sensors, agencies should utilize a tactical network, which uses a specific architecture that supports complex communication security segmentation, creating branches of networks that all connect to a hub, forming a tree-like architecture. This way the DoD knows soldiers are safe because their devices and sensors are always visible on the network.
Ensuring secure access for internet of things devices on the battlefield is an enormous challenge. To do so, network managers should establish individual identities and use a policy grid to assign security policy and functionality across wired, wireless, or remotely accessed devices over VPN. A recent DoD mandate called for contractors to utilize this type of access under NIST Special Publication 800-171 and establish a security posture for each device on the network to track each device’s mission-critical role.
For a soldier, each device and sensor needs to be admitted to the network when the soldier’s mission begins and then removed from the network when the mission is over in order to keep the soldier safe. The DoD network must be able to identify each device and sensor as it enters the network, using micro segmentation to allow access to some devices and block others based on their security profile. If the network isn’t capable of properly managing devices and sensors, it puts each mission and soldier at risk.
DoD networks need to maximize the internet of things device functionality, while simultaneously maintaining a high-level of security. Segmentation is an important part of securing classified data and preventing unauthorized user access. The influx of internet of things devices creates increasingly complex DoD network environments. As such, agencies need a solution to simplify management and build segmentation directly into the network. Policy-driven segmentation based on device and user identity will simplify provisioning of network access and help enforce segmentation policies centrally.
Thinking back to our soldier, those devices and connected sensors must have segmented user security and access so the wrong person doesn’t gain access to the soldier’s radio, GPS, or bio sensor data. Only users with specific security profiles can utilize the soldier’s device and sensor data.
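The lifecycle just described (admit a device at mission start based on its identity and posture, place it in a segment, check each user’s role against that segment, and drop the soldier’s devices when the mission ends) can be sketched as a small policy engine. This is an added illustration, not code from the article or from any Cisco product; the device kinds, segments, roles and posture values are constructed for the example.

```python
from dataclasses import dataclass, field

# Constructed security profiles: which segment a device kind belongs in and
# which user roles may reach that segment. Unknown kinds fall into quarantine.
SEGMENT_FOR_KIND = {"radio": "voice", "gps": "position", "bio_sensor": "medical"}
ROLES_FOR_SEGMENT = {
    "voice": {"squad", "command"},
    "position": {"command"},
    "medical": {"medic", "command"},
    "quarantine": set(),          # nobody may talk to an unprofiled device
}
TRUSTED_POSTURES = {"attested"}   # only devices whose pre-deployment check passed

@dataclass
class Device:
    device_id: str
    kind: str
    owner: str        # soldier the device is issued to
    posture: str      # result of the pre-deployment posture check

@dataclass
class MissionNetwork:
    mission_active: bool = False
    admitted: dict = field(default_factory=dict)   # device_id -> (Device, segment)

    def admit(self, dev: Device) -> str:
        """Identify the device at entry and place it in a segment, or reject it."""
        if not self.mission_active or dev.posture not in TRUSTED_POSTURES:
            return "rejected"
        segment = SEGMENT_FOR_KIND.get(dev.kind, "quarantine")
        self.admitted[dev.device_id] = (dev, segment)
        return segment

    def release(self, owner: str) -> int:
        """Mission over for this soldier: drop every device issued to them."""
        gone = [d for d, (dev, _) in self.admitted.items() if dev.owner == owner]
        for d in gone:
            del self.admitted[d]
        return len(gone)

    def can_access(self, user_role: str, device_id: str) -> bool:
        """Policy check: the user's role against the segment the device lives in."""
        entry = self.admitted.get(device_id)
        if entry is None:           # never admitted, or already released
            return False
        _, segment = entry
        return user_role in ROLES_FOR_SEGMENT[segment]
```

A medic can read the bio sensor segment but not the position segment, an unprofiled device is admitted only into quarantine where no role can reach it, and once the soldier is released every access check on their devices fails.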
Proactively integrated services
To harden DoD networks and protect internet of things devices, security protocols and device functionality need to be available before the device reaches the network. The system needs to be preconfigured before deployment with security protocols already in place; then, as the mission changes, it’s easier to dynamically configure and modify the deployment of devices on the fly. If the network can’t preconfigure devices and security protocols, or can’t make the adjustments, then the process is not viable in the real world.
Let’s say our soldier example includes flying assets with visibility into that soldier’s operation. If the security protocols and device functionality are available before the operation is deployed, then security services can be extended even further into the soldier’s tactical space. That tactical infrastructure could need to function long term as those flying assets gather information about the mission, but as soon as the mission changes, security protocols must be modified so all devices, and ultimately the soldier, stay secure.
With these key concepts in mind, agencies can set their IT architecture up for internet of things success. Devices and sensors will stay secure and well managed because each device, sensor and user will have a specific security and mission posture that identifies all network endpoints, determines how those endpoints are accessed, defines how data is segmented, and preconfigures all devices and security protocols to better support a mission. This comprehensive approach will allow the DoD to embrace internet of things potential on the battlefield, while simultaneously ensuring communication is secure.
Will Ash is senior director of security for U.S. public sector at Cisco. Matthew Galligan is manager of DoD cybersecurity for U.S. public sector at Cisco.