A Security Framework for Military IoT Devices and Weapons Systems

There’s perhaps no domain in which robust cybersecurity is more important than in connected defense products. Military contractors working on IoT products need to adhere to an ironclad framework: correctly categorize the system, adjust security controls to requirements, convert security controls into national/international standards, then verify and test rigorously.


When it comes to the cybersecurity standards of connected weapons systems and IoT devices used in the military, it’s imperative to be able to verify their security robustness. Unfortunately, that’s not always easy, as different countries have various ways of acquiring and managing their weapons systems. This makes it very challenging to have a unified cybersecurity standard for IoT in this field.

Still, cybersecurity experts need to work on solving this issue and providing alternatives to the current system. To sufficiently raise cybersecurity standards and protect the systems, we must come to a point where every country takes the same approach and uses the same evaluation framework. One of the solutions proposed by Hindawi takes those efforts a step closer to the final answer.


Categorizing the System

The first step is relatively straightforward: identify the risks to the system that is going to be acquired. In this phase, experts calculate a provisional impact value for each risk and then decide on the cybersecurity requirements necessary to handle it.

This results in a security profile. This phase of the evaluation uses real data to calculate the risks. If the risk level isn’t acceptable according to the security profile, the provider needs to inform the acquirer.

Adjusting Security Controls to Requirements

Once the necessary cybersecurity requirements and their associated risks are defined in the security profile, it’s time to select precisely which security controls are going to be used to protect the system. If any adjustments are required to ensure the standard security controls meet the requirements, they happen in this stage.

Converting Security Controls into National/International Standards

The next step is taking care of the national or international cybersecurity certification standards (e.g., SOG-IS, ISO/IEC 15408 for products, ISO/IEC 27001 for infrastructure, etc.) and ensuring that the selected security controls can meet them. This conformity step is critical so the systems provider can fully understand and trust the security controls of the acquirer. It is also one of the most problematic steps to apply in practice, depending on how large the difference in standard security controls is between the acquirer and the provider. A security profile is a cost-efficient aid in completing this mapping.

Verifying Functional Requirements

After these processes are complete, the systems undergo further testing to determine whether they operate as proposed. This validates the described requirements and checks whether the cybersecurity standards are implemented properly.

Testing and Security Evaluation

The final operational test and security evaluation is the last step in the framework, in which the devices are tested as part of the entire system. After integration, individual products are evaluated based on their operational environment and functionality. By the end of this stage, a certification with a security assurance level is granted to each device based on its security profile.

Key Takeaways

When acquiring and evaluating connected weapons systems and IoT devices to ensure military resilience against cyberattacks, it’s essential to build a universal IoT security assurance framework, with security profiles specific to the connected products in the field, that guarantees the required level of security assurance. To do that, we need cost-efficient and extensive testing and solid security controls, and we have to ensure that every country sticks to the proposed framework.

Roland Atoui
Roland Atoui is an expert in cybersecurity and the Internet of Things (IoT), with recognized achievements working for companies such as Gemalto and Oracle and a background in both research and industry, from smart cards to smartphones to IoT technologies. Roland is a new technology enthusiast with a current mission to bring trust to the IoT. After completing an Executive MBA at EDHEC business school in France, he founded Red Alert Labs, an IoT security firm addressing both technical and commercial cybersecurity challenges in IoT.