Zero Trust Data Is Key To Unlocking IoT’s Potential


SOURCE: AFCEA.ORG
FEB 01, 2025

IoT will revolutionize smart city, energy, manufacturing and transportation systems by providing the real-time situational awareness information necessary for artificial intelligence (AI)/machine learning (ML)-driven control systems to better assist with mission operations. However, with the advantages of IoT-based smart infrastructure come increased cybersecurity risks, from unauthorized surveillance to data tampering to hijacking of management systems. Protecting the data an IoT system generates must therefore be integral to the design of the system itself: false situational awareness information can seriously distort threat assessment and response for IoT-monitored bases and battlefields. Large-scale IoT systems are also complicated to protect, because standardizing and provisioning virtual private network connections across a smart city or a mobile smart transportation system adds complexity that grows with the deployment. Fortunately, zero trust data (ZTD) offers a more elegant data protection approach that works for both large IoT deployments and small ones. This zero-trust protection of IoT data is essential to protecting critical infrastructure and military systems.

In smart city operations, IoT solutions are becoming prevalent in protecting critical civilian utility infrastructure. Recent intelligence on Chinese hacking activity has identified civilian utility infrastructure as a primary target for disrupting military actions that protect our national interests. Furthermore, increasing automation in the operation of this infrastructure makes rapid human detection of problems less likely, and makes it more likely that IoT solutions play the initial notification and first automated response roles.

IoT systems, networks of interconnected devices, sensors and software that connect, collect and exchange data over internet protocol (IP)-based networks, can be expansive (simultaneously monitoring a large land area) or mobile (e.g., drones that monitor a small, focused area). This network of interconnected devices amasses large volumes of data that must be rapidly processed and made available to human operators. Mobile IoT solutions are often remotely monitored, controlled and automated. This automation increases efficiency, convenience and safety. However, battlefield reliance on these remote solutions makes them prime targets for network attacks, and their compromise can degrade situational awareness enough to hamper mission effectiveness.

Another security challenge is rooted in the purpose of U.S. Department of Defense (DoD) IP network connectivity. This may seem like common sense, but it must be stated: the simplified goal of a DoD network is to move data securely and rapidly. In an automated environment, sensors generate data that is aggregated and analyzed by AI/ML at the edge, in data centers or in the cloud. Regardless of where the analysis takes place, the data will spend time at rest and in transit and will likely traverse multiple IP networks, each of which is a point where it could be read or altered. Since IoT solutions are increasingly used as the initial notification and first response components of a battle management scenario, ensuring that IoT data is neither accessed by unauthorized parties nor tampered with is mission critical.

Network and data management automation, which collects, processes, aggregates and manages huge volumes of data with an accuracy and speed that would be impossible for human operators, relies on AI algorithms and ML software to aggregate and accelerate data handling throughout the data life cycle. Data’s value increases sharply when it can be aggregated and condensed into human-consumable form, trusted and shared with others to create new insights. Usability, trust and data portability are the core enablers for extracting value from IoT-rich environments (e.g., monitoring activity within the battlefield theater).

Zero Trust Data Design Concepts

ZTD is a new security architecture in which every data object (e.g., each reading from each sensor) is encrypted under its own key. More importantly, access to those keys is controlled by a policy server, so capturing ciphertext yields nothing without a favorable policy decision for each object. Some of the essential design concepts include:

  • Verifying Identity: Users and devices must authenticate themselves before being granted access to each data packet.
  • Limiting Access: ZTD operates on the principle of least privilege, granting users only the minimum level of access required to perform their task, decided packet by packet.
  • Logging Traffic: Network traffic is continuously monitored and inspected. Because each packet’s payload is encrypted, inspection works on access requests, key releases and traffic metadata rather than on plaintext contents; by scrutinizing that record for signs of malicious activity, organizations can detect and mitigate threats in real time.
  • Policy Enforcement: ZTD relies on centralized policy management to ensure consistent enforcement of security controls.
  • Assuming Breach: ZTD monitors continuously and assumes an attacker is already present; if a packet or its key is compromised, the blast radius is one data packet, which has little value in isolation.
  • Data Volume and Frequency Masking: If we assume enemy agents can see the data streams, we must introduce noise (for example, padding every packet to a fixed size and transmitting at a constant rate) so that no correlation exists between enemy actions and observable data characteristics.
  • Maintaining Performance: ZTD must not degrade sensor output, network throughput or data access performance to the point where the mission value of the IoT system is neutralized.

Zero Trust Data Benefits to IoT

Let’s apply ZTD to automating critical infrastructure, where information (extracted from aggregated and analyzed data) has become the new currency, and trust and protection are table stakes. ZTD changes how organizations think about cybersecurity by recognizing that protecting the data enables more capabilities than protecting the network alone. Remember that usable, trusted and portable data is more valuable data. ZTD complements traditional zero-trust architectures, which focus on the network, by applying the “never trust, always verify” principle at the level of the individual data packet. ZTD encrypts each data packet individually. It borrows the concept of microsegmentation and applies it to each data object, granting access based on attributes such as user credentials, device ID, location and other contextual information, so that every data object (e.g., every sensor reading) is authorized separately. An intruder who captures a data stream therefore still needs the key for every data object in it to make sense of the information, and each key is released only after a policy decision, which makes that attack complex and highly unlikely to succeed.
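The mechanics described in the design concepts and in the paragraph above (one key per data object, keys released only by a policy server after identity, least-privilege and location checks, every decision logged, a blast radius of one object, fixed-size objects) are shown below as an added Go example. This is not code from the article or from any ZTD product; Go is used because its standard library provides AES-256-GCM. The sensor IDs, device IDs, roles, countries and readings are constructed sample values, and the policy model (a registered-device list plus a sensor/role-to-country table) is an assumption of this example, not a specification from the article.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"time"
)

// Fixed ciphertext size masks reading length (volume masking); a reading holds at most objectSize-1 bytes.
const objectSize = 64

// DataObject is one sensor reading sealed under its own AES-256-GCM key; the key stays at the policy server.
type DataObject struct {
	ID, SensorID  string // ID doubles as the key ID at the policy server
	Nonce, Cipher []byte // Cipher = ciphertext || GCM tag; the AAD binds ID and SensorID
}

// Principal is a consumer presenting device identity, role and location; AccessRecord is one chain-of-custody entry.
type Principal struct{ DeviceID, Role, Country string }
type AccessRecord struct {
	DeviceID, ObjectID, Purpose, Decision string
	At                                     time.Time
}

// PolicyServer holds every per-object key and decides, per request, who may receive it (assumed model).
type PolicyServer struct {
	keys    map[string][]byte // objectID -> key
	sensors map[string]string // objectID -> sensorID
	policy  map[string]string // "sensorID/role" -> country the data may be read in (least privilege + geofence)
	devices map[string]bool   // registered device IDs (identity)
	Log     []AccessRecord
}

func NewPolicyServer() *PolicyServer {
	return &PolicyServer{keys: map[string][]byte{}, sensors: map[string]string{}, policy: map[string]string{}, devices: map[string]bool{}}
}

func (ps *PolicyServer) Register(deviceID string) { ps.devices[deviceID] = true }
func (ps *PolicyServer) Allow(sensorID, role, country string) { ps.policy[sensorID+"/"+role] = country }

func random(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // no CSPRNG available: refuse to continue rather than produce a weak key
	}
	return b
}
func aad(id, sensorID string) []byte { return []byte(id + "|" + sensorID) }

// Seal encrypts one reading under a fresh random key and hands that key to the policy server.
func (ps *PolicyServer) Seal(sensorID string, reading []byte) (DataObject, error) {
	if len(reading) > objectSize-1 {
		return DataObject{}, errors.New("reading exceeds fixed object size")
	}
	key, id := random(32), hex.EncodeToString(random(8))
	block, _ := aes.NewCipher(key)     // cannot fail: key is always 32 bytes
	gcm, _ := cipher.NewGCM(block)     // cannot fail for an AES block
	padded := make([]byte, objectSize) // length byte, reading, zero fill
	padded[0] = byte(len(reading))
	copy(padded[1:], reading)
	nonce := random(gcm.NonceSize())
	ps.keys[id], ps.sensors[id] = key, sensorID
	return DataObject{id, sensorID, nonce, gcm.Seal(nil, nonce, padded, aad(id, sensorID))}, nil
}

// RequestKey is the per-object access decision: identity, then least privilege, then geofence; every outcome is logged.
func (ps *PolicyServer) RequestKey(p Principal, objectID, purpose string) ([]byte, error) {
	decision := "deny"
	defer func() { ps.Log = append(ps.Log, AccessRecord{p.DeviceID, objectID, purpose, decision, time.Now()}) }()
	country, permitted := ps.policy[ps.sensors[objectID]+"/"+p.Role]
	switch {
	case !ps.devices[p.DeviceID]:
		return nil, errors.New("unregistered device")
	case !permitted:
		return nil, errors.New("role not permitted for this object")
	case country != p.Country:
		return nil, errors.New("request outside the geofence for this sensor")
	}
	decision = "allow"
	return ps.keys[objectID], nil
}

// Open decrypts one object with one key; GCM rejects another object's key and any change to ciphertext, nonce, ID or sensor ID.
func Open(obj DataObject, key []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, _ := cipher.NewGCM(block) // cannot fail for an AES block
	padded, err := gcm.Open(nil, obj.Nonce, obj.Cipher, aad(obj.ID, obj.SensorID))
	if err != nil || int(padded[0]) > len(padded)-1 {
		return nil, errors.New("authentication failed: wrong key or tampered object")
	}
	return padded[1 : 1+int(padded[0])], nil
}
```

Sealing two readings of different lengths produces two ciphertexts of identical length (objectSize plus the 16-byte GCM tag), so an observer learns nothing from size. A key released for one object fails authentication on every other object, which is the "blast radius of one" property, and the same authentication check rejects a flipped ciphertext byte or a relabeled sensor ID, so a tampered reading fails closed rather than reaching an AI/ML consumer. The policy server's Log is the chain of custody: it records the device, object, stated purpose, time and decision for every request, denied ones included.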

Some of the benefits of using ZTD for IoT include:

  • Data Portability: ZTD lets data move to other people or networks for transport and analysis while its policy travels with it; data policies are enforced remotely via geofencing or enterprise reader identification.
  • Data Residency: Globally, situations exist where IoT systems must adhere to data privacy laws regarding data collected on local citizens. These laws often restrict where data about a nation’s citizens or residents may be retained, processed and stored, typically requiring that it remain inside the country. Data policies are geofenced to ensure adherence to local laws.
  • Data Provenance: Data provenance is the lineage of data: its origin, what happens to it and where it moves over time. Data lineage gives visibility while greatly simplifying the ability to trace errors back to the root cause in a data analytics process. ZTD logging establishes a chain of custody for each data packet through its life cycle by documenting each person and organization who handles it, the date and time it was collected or transferred, and the purpose of the transfer.
  • Tamper Resistance: An adversarial attack attempts to manipulate operational and training data sets to produce an incorrect outcome. ZTD encrypts each data packet at the sensor, and the chain of custody then ensures AI/ML receives accurate inputs. This holds only if the encryption also authenticates the data (an authenticated-encryption mode such as AES-GCM); confidentiality alone does not stop an attacker from altering ciphertext bits undetected.
  • Improved Compliance: ZTD aligns closely with regulatory requirements such as Cybersecurity Maturity Model Certification (CMMC) 2.0, the General Data Protection Regulation (GDPR) and the Health Insurance Portability and Accountability Act (HIPAA), making it easier for organizations to demonstrate compliance.
  • Greater Flexibility: ZTD allows organizations to adapt quickly to business requirements, organizational changes and technological advancements. This flexibility enables seamless integration with cloud-based services, remote work environments and third-party applications. It also provides a centralized point from which data access can be quickly realigned when the set of data consumers changes.
  • Enhanced User Experience: ZTD can boost productivity and user experience by providing frictionless access to authorized resources.
  • Cost Savings: ZTD is a software solution that protects data regardless of the IP network it traverses, and it enables greater monetization of data sets with ecosystem partners.
  • Legacy Data Protection: Because ZTD is implemented in software, it can be deployed on legacy systems at low cost and provides immediate protection.

Conclusion

We are at the beginning of a path of unprecedented economic growth in IoT solutions, driven by the introduction of IoT in military and civilian smart city, energy, manufacturing and transportation arenas. It is no longer sufficient to protect just the networks; we must protect the data and make it intelligent. ZTD offers a proactive and holistic approach to cybersecurity, empowering organizations to protect their data and to apply policy and logging capabilities that control and leverage the value of their data assets. By embracing the principles of ZTD, organizations can build a robust security posture that protects against existing vulnerabilities while improving the efficiency and business model of smart systems.

Randolph Clark is a member of AFCEA International’s Technology Committee. He is a wireless communication consultant and board adviser for several critical infrastructure emerging technology companies. Clark has more than 30 years of wireless experience, from serving as a Marine Corps communicator to business development for mobile network operators and advisory roles at USD (R&E) & HQ AF/A4. Clark’s strategic insights are valued for their practical approach to mission achievement.

Junaid Islam is also a member of AFCEA International’s Technology Committee. He has 35 years of experience in secure communications and has developed network protocols that have been adopted by the Department of Defense. Islam made major contributions to MLPP buffer management for weapons systems, MPLS priority queuing for global communications, Mobile IPv6 for netcentric warfare and is the inventor of Software Defined Perimeter, used as a zero-trust network access solution by the U.S. intelligence community. Currently, Islam is focused on zero-trust data solutions and supports NASA’s Interference Aware Routing program.