When it comes to the cybersecurity standards of connected weapons systems and IoT devices used in the military, it’s imperative to be able to verify their security robustness. Unfortunately, that is not always easy, as different countries have various ways of acquiring and managing their weapons systems. This makes it very challenging to have a unified cybersecurity standard for IoT in this field.
Still, cybersecurity experts need to work on solving this issue and providing alternatives to the current system. To sufficiently raise cybersecurity standards and protect the systems, we must come to a point where every country takes the same approach and uses the same evaluation framework. One of the solutions proposed by Hindawi takes those efforts a step closer to the final answer.
Categorizing the System
The first step is relatively straightforward: identifying the risks to the system that is going to be acquired. In this phase, experts calculate the provisional impact value for each risk and then decide on the cybersecurity requirements necessary to handle it.
The result is a Security Profile. This phase of the evaluation uses real data to calculate the risks. If the risk level isn’t acceptable according to the Security Profile, the provider needs to inform the acquirer.
Adjusting Security Controls to Requirements
Once the necessary cybersecurity requirements and their associated risks are defined in the Security Profile, it’s time to select precisely which security controls will be used to protect the system. If the standard security controls need adjusting to meet the requirements, that happens in this stage.
Converting Security Controls into National/International Standards
The next step is taking care of the national or international cybersecurity certification standards (e.g. SOG-IS, ISO/IEC 15408 (products), ISO/IEC 27001 (infrastructure), etc.) and ensuring that the selected security controls can meet them. This conformity step is critical so that the systems provider can fully understand and trust the security controls of the acquirer. It is also one of the most problematic steps to apply in practice, depending on how large the difference in standard security controls is between the acquirer and the provider. A Security Profile is a cost-efficient way of completing such a mapping.
Verifying Functional Requirements
After these processes are complete, the systems undergo further testing to determine whether they operate as proposed. This validates the described requirements and checks whether the cybersecurity standards are implemented properly.
Testing and Security Evaluation
The final operational test and security evaluation is the last step in the framework, in which the devices are tested as part of the entire system. After integration, individual products are evaluated based on their operational environment and functionality. By the end of this stage, a Certification with a Security Assurance Level is granted to each device based on its Security Profile.
Key Takeaways
When acquiring and evaluating connected weapons systems and IoT devices to ensure military resilience against cybersecurity attacks, it’s essential to build a universal IoT Security Assurance Framework with Security Profiles specific to the connected products in the field, so as to guarantee the required level of security assurance. To do that, we need cost-efficient and extensive testing, solid security controls, and the commitment of every country to the proposed framework.