“This is the world we all know and love. But there is a darker side to it all . . .”
This opening line is from “The Cynja: Volume 1,” a graphic novel about the risks of our digital world. FreeWave sat down with its author, Dr. Chase Cunningham. When not writing fiction, the retired U.S. Navy Chief helps organizations adopt both a zero-trust policy and mindset to author a brighter, safer future. Fortune 500 companies, small businesses, startups, the media, and the U.S. government rely on Cunningham to win the war on cyber.
Because while zombies, worms, and botnets may be the work of fiction, the truth, as Mark Twain once said, is far stranger.
The Edge is Exposed
Cunningham would like to be out of a job. That would mean the world is safe, devices are designed battle-ready, and people are invincible to cyber threats. This is not likely to happen in the near future.
“Do you have a statistic to show how at risk we are?” we asked.
“I can do you one better, I’ll show you.” That’s when Cunningham tap, tap, tapped on his keyboard, pulling up examples of vulnerabilities in under 30 seconds.
It got real, real fast.
His black screen lights up with cascading white lines of IP addresses like a scene from an Ironman movie. “These are IT/OT devices. I could breach these folks,” he says casually. “I’m looking at about 206 fuel tank control systems that have gas in the tank.” Travel centers in Dallas, Texas, and New Haven, Connecticut, are on the list. There are gas stations in Georgetown, Virginia. “Those are things that should be fixed and should be isolated. But they’re literally talking to the internet.”
Except, they shouldn’t be talking to the internet.
Devices and equipment at the edge include wind turbines, water systems, airline systems, and fuel stations. Each, he points out, is a path to corporate, a path to data access, a path to cyber risk. A regional airline booking system is connected to a larger enterprise. Gas stations are connected to global oil and gas companies. The edge is an entry point to a much larger landscape.
“Do you really understand how vulnerable we are?” he asks. “. . . an OT/IT, IoT device, people bring them in and plug them in. Who’s holding the bag? If you’re on the internet, it’s an issue for you.”
The Case for Zero Trust at the Edge
Cunningham has long held a front row seat via senior security and analyst roles at NSA, CIA, FBI, and other government agencies. At Forrester, he pioneered the firm’s Zero Trust eXtended framework. He holds six patents and is the international best-selling author of “Cyber Warfare – Truth, Tactics, and Strategies.” According to a LinkedIn post in early 2025, his podcast The Dr.ZeroTrust Show hit 250,000 listeners on Spotify.
At FreeWave, we know zero trust keeps the industrial edge safe. That’s why we’ve introduced Zentry™, a disruptive new technology for industrial operations in the field.
Our customers have operated on the edge – from acres of oil fields to water treatment plants to remote agricultural regions – for more than 30 years. During that time, the attack surface has grown alongside the rise of IoT devices. Edge vulnerabilities are sometimes overshadowed by operational stability and legacy equipment not originally designed for modern security concerns.
Bringing zero trust to the edge means applying the core zero-trust principle to edge devices and equipment: “never trust, always verify.”
While seemingly straightforward, Cunningham says that if you asked 100 people in a room to define zero trust, 99 would take different approaches.
Who better, then, to define zero trust than the doctor himself? “In the context of zero trust, there are things in my network or things in my infrastructure that have got default (settings) and are able to do things because they came from the manufacturer that way, especially OT.” He says it’s not a good idea to just turn things on, cross your fingers, and hope that everything goes the way that it’s supposed to. The core of zero trust for operational leaders is to remove trust inside the network.
Since OT/IoT devices on the edge are designed for specific functions, they are well-suited for zero-trust security models.
“OT, IoT, all these kinds of smart technology things that are coming online now, they’re supposed to be kind of binary in nature, right?” Think of a home thermostat. Its job is to relay temperature much like a sensor monitoring extreme temperature during oil drilling.
Neither device should be sending packets of data elsewhere or inviting dark actors in. “If there’s any one area I think you can apply zero trust to, carte blanche, it is OT,” says Cunningham.
Zero Trust and Control
Zero-trust principles such as segmentation and isolation make it simpler to define what behaviors are expected and quickly spot anomalies. In the OT space, controls limit what these devices can do and who or what they can communicate with, reducing the risk of lateral movement by attackers and limiting the blast radius if a breach does occur.
He says that managing OT and IoT environments with policy engines and automation, rather than relying on manual processes, further strengthens security and makes zero trust both practical and valuable.
The goal: no dark corners, nothing unexpected, and no empowering the bad guy.
Cunningham offers up an example that underscores the complexity and interconnectedness of modern OT/IoT environments and the importance of having policy controls for all connected assets.
On one floor of a small factory, machines move things around. Others create products. The machines are on-site with standard infrastructure controls around them. However, another building outside is run by a third-party that produces specific parts for the manufacturing line. Those operational processes must be networked together.
The scenario is familiar to anyone in operations. “So how do I have command and control of that asset, that infrastructure, because it’s touching my network without a policy control that I can push out to that resource?” he challenges.
Security at the Edge is a Solvable Problem
“Plan for the worst case scenario,” says Cunningham. “In the regular business world, everything is fine until it isn’t. ” He adds, “These are solvable problems.”
In our next blog, we’ll explore how offense strategy matters, three questions industrial users on the edge should ask in 2026, and why technology alone is not enough to stay safe. In the meantime, head over to the FreeWave Zentry Challenge Workshop and see where your vulnerabilities might be hiding in plane sight.
