IoT security risks within the U.S. Defense Industrial Base
The following is a research report I developed as part of my graduate studies. I analyze the cybersecurity risks presented by the Internet of Things (IoT) with special interest in its impact on the Defense Industrial Base.
Introduction
The Internet of Things, or “IoT”, refers to the network of traditionally non-Internet-connected devices which, over time, have connected to and are now exchanging data over the Internet [1]. There are many reasons why the Internet of Things has emerged into what it is now in 2022, with the primary reason being a pursuit for convenience. Consumers enjoy the functionality offered by IoT, as their formerly “dumb” devices have now become “smart”, and they provide unique and practical benefits. However, the emergence of the IoT has also brought about a new wave of cybersecurity risks. Not only are more devices connecting to the Internet, but also more types of devices, drastically increasing the scope of what must be secured so as to prevent potential compromise. While this is presenting concerns across all sectors that utilize IoT devices, one sector that is of particular interest in this matter is the Defense Industrial Base (DIB). Given that the DIB is the supply chain of approximately 300,000 contractors and subcontractors (“DIB members”) that supports the U.S. Department of Defense (DoD), its members must be aware of the implications of IoT as they look to provide goods and services to the U.S. Government [2]. Failure to construct a secure IoT within the Defense Industrial Base will drastically harm both the digital and physical security of the United States.
Security Implications of the Internet of Things
IoT devices are both manufactured and used widely across the Defense Industrial Base. While typical examples of IoT devices found in DIB IT environments include security cameras, door locks, and fire systems, the DIB is also producing more diverse and advanced IoT devices including combat suits, weapon systems, weather systems, drones, surveillance equipment, and other tactical gear [3]. Once manufactured, these devices are sold to the U.S. Government and used for national defense purposes. Given this, there are significant security implications of the Internet of Things which, if exploited, could have drastic military and national defense consequences, both on the combat field and off. These security implications include both threats and vulnerabilities that DIB members must be conscious of as they manufacture and utilize IoT devices.
The first emerging threat to IoT devices within the DIB is unauthorized remote access. While devices such as combat suits, weapon systems, and drones are in use in the field, they communicate wirelessly over the Internet to a base of operations, where other military personnel are controlling and/or monitoring the devices. If an adversary were to compromise one of these channels, they may be able to eavesdrop on the session, including sniffing logs and network traffic. Using this information, they can then launch a more sophisticated attack against the IoT device, including gaining full remote access. A similar example of this was first seen in 2011, when Iranian forces captured a U.S. spy drone that they had detected in their airspace. A short time later, it was revealed that the drone was captured because Iran’s cyberwarfare team carried out a successful GPS spoofing attack against it, whereby integrity was violated when fake GPS signals tricked the drone into landing on Iranian soil while it believed it had returned to its home base in Afghanistan [4]. Following its capture, Iran began reproducing the drone, and now uses it for its own purposes. This attack laid the blueprint for what remote access attacks against military IoT devices could look like, and it highlighted a potential vulnerability across military IoT devices that use GPS receivers. It also demonstrated the impact that a compromise of an IoT device can have on U.S. military competitive advantage. Had the DIB manufacturers of this drone discovered and remedied the GPS spoofing vulnerability, this incident could have been avoided.
The second emerging threat to IoT devices within the DIB is credential attacks. A common vulnerability among many IoT devices today, especially those used off the battlefield in day-to-day DIB member operations, is that their administrative web interfaces are configured with default, easily guessable credentials [5]. While these credentials are meant to be changed upon receiving the device, many end users fail to do this [6]. When an adversary discovers an IoT device, whether through a network scan or through other means, they may conduct a password attack against the interface to see if it is still accepting default credentials. Should the attack succeed, the adversary will have gained administrative control over the device. Not only would this allow the adversary to make significant changes to the device, but it would also give them a potential doorway into the network that the device sits on. This could lead to more damaging attacks such as ransomware, where malware is implanted on a network that then encrypts sensitive data and holds it for ransom. In this case, IoT devices become the “weakest link” in the DIB member’s environment, and adversaries target these devices knowing that they offer the greatest potential for compromise. As seen here, a simple authentication vulnerability can amount to a costly violation of confidentiality, integrity, and availability.
Another vulnerability that is a cause for concern with IoT devices manufactured and utilized by DIB members is insecure network services. Because these devices need to be able to communicate over the Internet, they are designed with many of the same ports and protocols as a standard computer, including Hypertext Transfer Protocol (HTTP) over port 80 or Telnet over port 23 [8]. Not all ports and protocols are bad; in fact, many are necessary for use. The issue, however, is that unless the IoT device has been appropriately hardened, some unnecessary ports and protocols are left open when they should not be. This opens the door to threats such as malware, which can take advantage of the open ports to spread to other devices within reach. This is a particularly difficult vulnerability for DIB members to address because the needs of the IoT device may change according to who is purchasing it and for what use. It will likely be up to U.S. military systems administrators, not the DIB members, to ensure that system hardening is applied correctly. While the DIB member can take steps to ensure that the most prominent vulnerable ports and protocols are disabled, they may not be able to predict the exact needs of the consumer, and will likely leave the choice, and the administration, to them.
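The hardening gap described above (unnecessary ports and protocols left open, with Telnet on 23 and cleartext HTTP on 80 as the typical offenders) is something a DIB member or a military systems administrator can check mechanically against a per-role baseline. The following audit script is an added example and is not code from the report; the device roles, the allowed-port baselines, and the scanned inventory are constructed for illustration, and a real baseline would come from the vendor hardening guide and the purchasing organization’s requirements.

```python
"""Audit the listening services observed on IoT devices against a per-role
hardening baseline.  Added example: the roles, baselines and inventory
below are constructed, not taken from any real device or organization."""
from __future__ import annotations
from dataclasses import dataclass

# Cleartext or legacy management services that a hardening baseline would
# normally disable regardless of device role.
INSECURE_SERVICES = {
    21: "ftp (cleartext file transfer)",
    23: "telnet (cleartext remote shell)",
    80: "http (cleartext web administrative interface)",
    161: "snmp (v1/v2c community strings travel in cleartext)",
}

# Baseline: the only ports each device role is allowed to expose (constructed).
ROLE_BASELINE = {
    "ip-camera": {443, 554},        # HTTPS admin interface, RTSP video
    "door-controller": {443},       # HTTPS admin interface only
    "fire-panel": {443, 514},       # HTTPS admin interface, syslog forwarding
}


@dataclass
class Device:
    name: str
    role: str
    open_ports: set[int]   # as reported by a scan of the organization's own segment


@dataclass
class Finding:
    device: str
    port: int              # 0 when the finding is about the device as a whole
    reason: str
    severity: str          # "high" for known-insecure services, otherwise "medium"


def audit_device(dev: Device) -> list[Finding]:
    """Return one finding per port that falls outside the role baseline."""
    baseline = ROLE_BASELINE.get(dev.role)
    if baseline is None:
        # An unknown role cannot be judged; surface it rather than silently passing.
        return [Finding(dev.name, 0, f"no hardening baseline for role {dev.role!r}", "medium")]
    findings = []
    for port in sorted(dev.open_ports - baseline):
        if port in INSECURE_SERVICES:
            findings.append(Finding(dev.name, port, INSECURE_SERVICES[port], "high"))
        else:
            findings.append(Finding(dev.name, port, "open port not in role baseline", "medium"))
    return findings


def audit_inventory(devices: list[Device]) -> dict[str, list[Finding]]:
    """Audit every device; devices with an empty list are compliant."""
    return {d.name: audit_device(d) for d in devices}


# Constructed inventory, as it might look after scanning an organization's IoT segment.
SAMPLE_INVENTORY = [
    Device("cam-lobby-01", "ip-camera", {23, 80, 443, 554}),   # telnet and http still on
    Device("door-east-02", "door-controller", {443}),          # hardened
    Device("fire-bldg-a", "fire-panel", {443, 514, 8080}),     # extra, unexplained port
    Device("sensor-x", "unknown-widget", {9000}),              # role has no baseline
]

if __name__ == "__main__":
    for name, findings in audit_inventory(SAMPLE_INVENTORY).items():
        print(f"{name}: {'compliant' if not findings else str(len(findings)) + ' finding(s)'}")
        for f in findings:
            print(f"  [{f.severity}] port {f.port}: {f.reason}")
```

The split between a global list of known-insecure services and a per-role allowlist mirrors the division of labour the paragraph describes: the manufacturer can disable the former before shipping, while the purchasing administrator owns the latter because only they know which services the deployment actually needs.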
Insecure Hardware/Software Implications of the Internet of Things
These threats and vulnerabilities highlight the greatest concerns and weaknesses within IoT hardware and software created and used by the DIB. While necessary to identify, imperfections within the market in which these IoT devices operate make correcting them a greater challenge. Failing to successfully remediate these vulnerabilities will negatively impact the security posture of not only the devices, but also the users and organizations that utilize them.
One way in which market imperfections make building a secure IoT more challenging for DIB members is through limitations of testing. Some IoT devices that the DIB manufactures are components of larger weapons or other tactical systems. Because DIB members do not have the larger systems available to them, nor would they be allowed to use them under non-military circumstances, it is difficult to fully test the capabilities of the IoT device in a military situation. For instance, a DIB member may be able to conduct a vulnerability scan on a smart sensor it has created, but not on the entire weapon system that the smart sensor is connected to. Given this limitation, DIB members are forced to simulate real-world scenarios and identify and remediate potential defects as best they can. In some cases, such as what happened during the U.S. drone capture, a defect may not be made known until it has been exploited.
This is a difficult situation to resolve, as the primary goal of the DIB is to meet the expectations of its customer, the DoD. On the other hand, the DoD expects that security is being built into the IoT devices it is purchasing [9]. Whether or not the behavior of the DoD and the DIB can be considered rational ultimately comes down to the level of risk that the DoD is willing to accept. If it views the testing limitations it places on its contractors in order to preserve privacy as an acceptable level of risk, then it is unlikely that any action will be taken. However, if the DoD wants greater measures taken to secure its IoT, it is going to need to rethink its approach to supply chain security and how contractors collaborate in this process.
While making a risk-based decision on this matter is the DoD’s responsibility, there is no reason why the DIB cannot continually look for ways to build security into its IoT devices. Traditionally, before more rigid cybersecurity requirements were passed down to the DIB, many contractors followed a “penetrate and patch” approach to cybersecurity, where they rushed their product to the market and corrected errors once they were discovered [10]. This approach would not suffice in today’s threat landscape, as a compromise of a single IoT device could lead to entire networks being taken offline, keeping legitimate users from accessing necessary resources and preventing organizations from conducting normal business operations. Given that the consequences of failing to build security in are now more severe than ever, stricter measures must be taken.
Potential Solutions
Understanding the threats, vulnerabilities, and challenges that exist within the industry, there are steps that DIB members and the DoD can take together to facilitate a secure IoT and reduce the risk of compromise. First, there must be an increased focus on supply chain security. Because DIB members are typically building IoT devices as components of larger IoT systems, there must be increased communication and collaboration between different contractors, and the DoD ought to facilitate this. Contractors should work together to ensure not only that their IoT products have undergone adequate security hardening and subsequent vulnerability scanning, but also that a risk analysis is conducted on the larger IoT system to ensure that it is ready to enter production. Additionally, given that there are currently no cybersecurity requirements in place in the DIB that focus specifically on supply chain security [11], the DoD should work with industry partners to develop such a model and flow it down to the DIB. This model should address how contractors can work together to develop secure IoT hardware and software for the DoD. The model should also identify ways for the DIB to ensure that any IoT hardware and software components they procure come only from DoD-trusted sources. The DoD must make it clear to the DIB which sources, likely other nations, are not trusted providers of IoT hardware and software components.
Second, DIB members must be diligent in incorporating security across all of their manufacturing processes. If the IoT component built by the contractor involves the creation of software, then the contractor should look to build security in across all six phases of the Software Development Life Cycle (SDLC) and avoid following a “penetrate and patch” strategy [12], which makes security an afterthought in the development process. Doing this will ensure that security remains a continuous concern within the software, and that critical vulnerabilities are remediated long before the software enters production. However, the DIB member must also ensure that, once the software enters production, patches are being developed and released on a routine basis. If the software being developed relies on a particular operating system to function, the DIB member may even consider implementing a secure baseline configuration to ensure that the IoT device software is as hardened as reasonably possible [13].
Finally, DIB members must ensure that their own IT environments are adequately protected from IoT device insecurity, should they have these devices on their corporate network. The SolarWinds cybersecurity incident in 2020 painted a grim picture for organizations that make efforts to secure their products but not their own environments [14]. Given that DIB members handle sensitive DoD information including Classified and Controlled Unclassified Information, they are key targets of adversaries similar to those responsible for the SolarWinds breach. To avoid making this same mistake, DIB members that want to utilize IoT devices can take simple steps to reduce the risk of compromise. For example, they can segment their network so that all IoT devices are relegated to their own logically isolated subnetwork. Additionally, they can implement a Security Information and Event Management (SIEM) tool which, once all network devices are configured to forward logs and network traffic to it, monitors for suspicious activity and promptly alerts company personnel when anomalies are discovered. In the event that suspicious activity is detected within one of the IoT devices, because network segmentation is in place, the organization can simply take the network segment offline until the incident is under control. These two security controls, along with the aforementioned routine patching, vulnerability scanning, and system hardening, result in a robust defense-in-depth cybersecurity program that adequately manages the risk presented by IoT devices.
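The two controls above, segmentation and SIEM monitoring, only pay off if the SIEM carries detections that match the threats the report identifies: the default-credential password attack from the credential attacks section, and an IoT device reaching outside its isolated subnetwork. The script below is an added example and is not the report’s or any SIEM vendor’s code; the log line format, device names, subnets, and thresholds are constructed for illustration. It parses a small batch of syslog-style lines, flags a burst of failed administrative logins against one device, and flags any connection that leaves the IoT segment for a destination not on the allowed list.

```python
"""Two SIEM-style detections over constructed IoT-segment log lines:
(1) a burst of failed administrative logins on one device, the pattern a
default-credential password attack leaves behind, and (2) a device in the
isolated IoT subnet opening a connection to a destination outside it.
Added example: the log format, addresses and thresholds are constructed."""
from __future__ import annotations
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed line format: "<ISO timestamp> <reporting device> <event> key=value ..."
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<device>\S+) (?P<event>\S+)(?P<kv>(?: \w+=\S+)*)$")

IOT_SUBNET = ipaddress.ip_network("10.50.0.0/24")          # isolated IoT segment (constructed)
ALLOWED_DEST = [ipaddress.ip_network("10.50.0.0/24"),       # peers inside the segment
                ipaddress.ip_network("10.10.5.0/24")]       # log collector / NTP hosts (constructed)

FAIL_THRESHOLD = 5                   # failed logins on one device ...
FAIL_WINDOW = timedelta(minutes=2)   # ... within this sliding window raise an alert


def parse_line(line: str) -> dict | None:
    """Parse one line into a record; malformed lines are dropped, never trusted."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = {"ts": datetime.fromisoformat(m["ts"]), "device": m["device"], "event": m["event"]}
    for pair in m["kv"].split():
        key, _, value = pair.partition("=")
        rec[key] = value
    return rec


def detect_login_bursts(records: list[dict]) -> list[tuple[str, str]]:
    """Alert once per device when FAIL_THRESHOLD auth failures fall inside FAIL_WINDOW."""
    alerts, recent, alerted = [], defaultdict(list), set()
    for r in records:
        if r["event"] != "auth_fail":
            continue
        window = recent[r["device"]]
        window.append(r["ts"])
        window[:] = [t for t in window if r["ts"] - t <= FAIL_WINDOW]   # expire old failures
        if len(window) >= FAIL_THRESHOLD and r["device"] not in alerted:
            alerted.add(r["device"])
            alerts.append((r["device"],
                           f"{len(window)} failed logins from {r.get('src', '?')} within {FAIL_WINDOW}"))
    return alerts


def detect_segment_violations(records: list[dict]) -> list[tuple[str, str]]:
    """Alert when a source in the IoT subnet connects to a destination not on the allow-list."""
    alerts = []
    for r in records:
        if r["event"] != "conn_open":
            continue
        src, dst = ipaddress.ip_address(r["src"]), ipaddress.ip_address(r["dst"])
        if src in IOT_SUBNET and not any(dst in net for net in ALLOWED_DEST):
            alerts.append((r["device"], f"connection from {src} to {dst} leaves the IoT segment"))
    return alerts


def run_detections(lines: list[str]) -> list[tuple[str, str]]:
    records = [rec for rec in map(parse_line, lines) if rec]
    return detect_login_bursts(records) + detect_segment_violations(records)


# Constructed sample: a camera's admin interface under a password attack, then a
# segment firewall reporting one allowed and one disallowed outbound connection.
SAMPLE_LOG = """\
2022-12-06T09:00:01 cam-lobby-01 auth_fail src=10.50.0.77 user=admin
2022-12-06T09:00:03 cam-lobby-01 auth_fail src=10.50.0.77 user=admin
2022-12-06T09:00:04 cam-lobby-01 auth_fail src=10.50.0.77 user=root
2022-12-06T09:00:06 cam-lobby-01 auth_fail src=10.50.0.77 user=admin
2022-12-06T09:00:09 cam-lobby-01 auth_fail src=10.50.0.77 user=admin
2022-12-06T09:00:10 cam-lobby-01 auth_ok src=10.50.0.77 user=admin
2022-12-06T09:01:00 door-east-02 auth_fail src=10.50.0.12 user=admin
2022-12-06T09:05:00 fw-iot-segment conn_open src=10.50.0.20 dst=10.10.5.4 dport=514
2022-12-06T09:05:30 fw-iot-segment conn_open src=10.50.0.20 dst=10.20.1.15 dport=445
this line is malformed and must not crash the pipeline
""".splitlines()

if __name__ == "__main__":
    for device, message in run_detections(SAMPLE_LOG):
        print(f"ALERT {device}: {message}")
```

The single failed login on door-east-02 stays below the threshold and produces no alert, while the connection to 10.10.5.4 is permitted because the log collector segment is on the allow-list; only the burst against cam-lobby-01 and the connection toward 10.20.1.15 surface. In a real deployment the allow-list and threshold live in the SIEM’s rule configuration, and the segment-violation alert is exactly the trigger for the “take the segment offline” response the paragraph describes.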
Conclusion
The Defense Industrial Base has an incredibly important responsibility in helping fulfill the mission of the Department of Defense. Part of this responsibility is to help develop cutting-edge IoT devices that can then be used for greater military purposes. Given that the Internet of Things is continually evolving and presenting new and unique challenges, the DoD and its supply chain must keep up to ensure that confidentiality, integrity, and availability of critical systems are preserved. Failing to do so will result in widespread IoT compromise and likely threaten the United States’ long-term military competitive advantage as well as its digital and physical security. This begins with identifying the greatest threats to IoT devices in the DIB, as well as the underlying vulnerabilities that allow these threats to succeed. Upon doing this, the DIB must work with the DoD to prioritize IoT security. This includes improving supply chain security in addition to developing new frameworks for secure IoT device creation and usage. DIB members that prioritize IoT security in their manufacturing processes, as well as their day-to-day operations, take a necessary step in protecting the nation’s most vital supply chain in an increasingly connected world.
References:
1. Oracle. “What is IoT?”, https://www.oracle.com/internet-of-things/what-is-iot/. Accessed December 4th, 2022.
2. Cybersecurity & Infrastructure Security Agency. “Defense Industrial Base Sector”, https://www.cisa.gov/defense-industrial-base-sector. Accessed December 6th, 2022.
3. Deepali. “Applications of Internet of Things (IoT) in Defense and Military”, https://www.naukri.com/learning/articles/applications-of-internet-of-things-iot-in-defence-and-military/. Accessed December 6th, 2022.
4. Peterson, Scott. “Exclusive: Iran hijacked US drone, says Iranian engineer”, The Christian Science Monitor. https://www.csmonitor.com/World/Middle-East/2011/1215/Exclusive-Iran-hijacked-US-drone-says-Iranian-engineer. Accessed December 6th, 2022.
5. Yang, Elvina. “15% of IoT devices use default passwords: Research”, https://www.asmag.com/showpost/26498.aspx. Accessed December 6th, 2022.
6. Goldman, Jeff. “20 Percent of Organizations Fail to Change Default Passwords on Privileged Accounts”, https://www.esecurityplanet.com/networks/organizations-fail-to-change-default-passwords-on-privileged-accounts/. Accessed December 6th, 2022.
7. Imperva. “Social Engineering”, https://www.imperva.com/learn/application-security/social-engineering-attack/. Accessed December 6th, 2022.
8. Nabto. “A Complete Guide to IoT Protocols & Standards in 2022”, https://www.nabto.com/guide-iot-protocols-standards/. Accessed December 6th, 2022.
9. United States Government Accountability Office. “Internet of Things”, https://www.gao.gov/assets/690/686203.pdf. Accessed December 6th, 2022.
10. InformIT. “Building Secure Software: How to Avoid Security Problems the Right Way”, https://www.informit.com/articles/article.aspx?p=23950&seqNum=7. Accessed December 6th, 2022.
11. United States Department of Defense. “Securing Defense-Critical Supply Chains”, https://media.defense.gov/2022/Feb/24/2002944158/-1/-1/1/DOD-EO-14017-REPORT-SECURING-DEFENSE-CRITICAL-SUPPLY-CHAINS.PDF. Accessed December 6th, 2022.
12. Synopsys. “Software Development Life Cycle (SDLC)”, https://www.synopsys.com/glossary/what-is-sdlc.html. Accessed December 6th, 2022.
13. Microsoft. “Security baselines”, https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-security-configuration-framework/windows-security-baselines. Accessed December 6th, 2022.
14. Insider. “The US is readying sanctions against Russia over the SolarWinds cyber attack. Here’s a simple explanation of how the massive hack happened and why it’s such a big deal”, https://www.businessinsider.com/solarwinds-hack-explained-government-agencies-cyber-security-2020-12. Accessed December 6th, 2022.