
Academia Assists in Propelling the Zero-Trust Space Forward

Researchers at Carnegie Mellon University’s Software Engineering Institute complete the first step in raising awareness for zero trust and its applicability to weapon systems.

To combat the ever-changing and increasingly frequent and complex threats launched by adversaries across the world, researchers at Carnegie Mellon University’s (CMU’s) Software Engineering Institute (SEI) are launching new measures to raise awareness within the private and public sectors for zero trust and its applicability to weapon systems.

The SEI researchers are considering the various customers they are collaborating with and their specific requirements regarding advancements within the zero-trust (ZT) space, according to Tim Morrow, SEI’s situational awareness technical manager, and Christopher Alberts, principal cybersecurity analyst and principal investigator of the software institute’s ZT-for-weapon-systems study. For instance, some are partnering with the U.S. Army to better ensure that their work is relevant to the modern battlefield and applicable to present and future missions.

“[The Army] is going to change the way that they do operations out in the field, and so they want to move more towards cloud deployment [and being able to work in multiple clouds]; being able to work in the denied, degraded, intermittent and low-bandwidth environment,” Morrow said. “That’s a big constraint.”

Cybersecurity poses a greater challenge in the field. “If I’m sitting on the enterprise, that sounds really good,” Morrow added. “I have all the bandwidth and everything I need to do that. But if I’m out in the field and I’m relying on Wi-Fi or satellite or things like that, what’s reasonable to apply for zero trust? You’re going to have to accept the risk for doing that, and I think that is some of the work that we want.”

Additionally, SEI researchers seek to team up with individuals from other Federally Funded Research and Development Centers and University Affiliated Research Centers to leverage their knowledge and expertise, which ideally will give Morrow, Alberts and their team more insight into the space and a better understanding of what expectations are reasonable, particularly regarding zero trust and cloud-native services.

“I think that’s an interesting area that we’re looking to get at, and so we work with different programs, different types, whether it be the Army or a ship, plane, different things like that, but those are the types of considerations that we’re trying to think about,” Morrow said.

The zero-trust environment consists of two major aspects: Identity, Credential and Access Management and the Policy Decision Point. The latter is becoming a major focal point among CMU researchers. The Policy Decision Point can dynamically assess and analyze a data point and determine whether it originates from a human or nonhuman source, its potential to complete an operation and its ability to access data. This development calls for a change in mindset, Morrow asserted.

“[Policies] need to be developed out there [in the field], so that you can start to do analysis and make trade-offs to make risk decisions and [determine] whether some action should occur. This person who’s standing at this place in this country at this time of the day with these types of credentials, should you allow that or not?”

“That’s part of the research we’re doing,” Morrow added. “It’s not my team directly, but there’s another team here who is out focusing on different types of algorithms to address that, and that’s where we talk with commercial organizations about doing that, so a lot of that work is initially focused on a world-based [algorithm], not focused on different types of algorithms, and starting to consider the performance impact. That’s some of the research that we’re doing, and I think that’s pretty exciting.”

Additionally, team members will educate their customers on what their risks and trade-offs are and what risks and trade-offs they need to consider when building a weapon system. To accomplish this, they are striving to release an instrument or a questionnaire to help their customers better understand this space, Alberts said.

Other avenues the team will pursue to close the zero-trust guidance gap include writing blogs and papers, specifically in the operational technology and weapon systems areas, according to Morrow. 

This comes after the team recently conducted a study analyzing the applicability of zero trust and security principles to weapon systems, the first step in the journey to raise awareness in this space. To evaluate thoroughly, team members researched, spoke with subject matter experts and gathered troves of data. 

“We wanted to get a set of principles that covered a more holistic approach, so we looked at principles and started mapping them in terms of risk strategies,” Alberts said. “What kind of coverage would they address? Are they focused more on protecting a system, or is it detecting or monitoring? And then looking all the way out to things like adaptive strategies as well, in addition to responding and recovering. So, protect, detect, respond, recover and adapt are what we’re looking at.”

A cyber soldier monitors the digital frontlines. Credit: 0Riya-stock.adobe.com generated with AI

He added that the team picked multiple principles related to zero trust to provide a complete set to explore from a risk perspective. “So, we started then analyzing each principle based on the data that we gathered and looking for how that principle might be instantiated in the system, and then looking at what are some of the risks and trade-offs that you would look at. Then, we documented that in the final report.”

The study brought to light four major areas of importance: mission context, system attributes, threat environment and trade-off space. Researchers found that identifying personnel who can work in all four of those spaces is difficult, so teaching and directing individuals to think in those four categories is key.

The study will culminate in three major goals for SEI personnel. Firstly, team members ultimately strive to provide defense officials with a zero-trust acquisition framework. This achievement would give Department of War personnel the ability to seek out zero-trust capabilities in a cost-effective way, Morrow said. 

Secondly, they want to bring to light the importance of good engineering within missions, software and systems with the intention that these efforts lead to developers building more effective, secure and resilient technologies for soldiers. Lastly, SEI researchers want to move from continuous authority-to-operate (cATOs) tests toward zero-trust assessments. The capabilities in this space can accomplish the goals of a cATO more efficiently.

“They [would] try to use [cATOs] for a system, and a lot of times they would do an evaluation that would happen once a year, maybe every five years, something like that,” Morrow said. “Well, I think that using zero trust, we can get to the point where that’s something that goes on and it’s not real time; it’s near real time.”

Morrow expressed optimism that the work will ultimately improve cybersecurity. “There are things that we can do to make these systems more secure and be able to tell that in near real time, and I think that’s where we want to go with our work too. I think we can do that type of stuff, which would make a big difference in improving the security of the systems.”
