Why this is now the time to invest in security
Some of the more startling revelations were:
- A program to systematically penetrate and map air-gapped systems;
- Malware operating at the firmware level that enabled discovery of encryption keys and cracking of encryption algorithms, and that could remain in place through an operating system reinstall;
- Malware that replaced hard-drive firmware to create a secret storage area on a hard disk that would survive drive reformatting;
- Some of this malware has existed since around 2001 and has gone undetected until now.
What is new in this report is the extent to which these tools were aimed at non-IT assets. Much of the report details efforts to penetrate air-gapped systems and other industrial control and critical infrastructure systems.
These findings raise some interesting and troubling questions for the cybersecurity industry, and specifically for those of us developing the systems used in industrial automation, factory control and other critical operations. Chief among them is: what are we doing to protect our systems?
Cyber warfare: a harsh reality
Even if we accept the implication that the malware discovered by Kaspersky Labs was created by the NSA, that does not imply that the critical infrastructure systems within the US and our ally nations are safe from attack. There is little doubt that China, Russia, and Iran have large, dedicated and active cyberwarfare groups. If the US has developed sophisticated cyberware technology, there is little doubt that other countries either already have or soon will develop comparable technology.
Much of the technology described in the report from Kaspersky Labs is more than a decade old. Even if other countries are a decade behind the US, which is unlikely, then they would now have equivalent technology to infiltrate air-gapped systems, discover encryption keys, and remain undetected by standard security technologies.
Anyone building industrial control systems or critical infrastructure devices must take a new look at security.
Air-gaps are a myth. Not only did the Kaspersky report detail methods to compromise them, many customers fail to maintain a strict air-gap. Additionally, insider threats must be considered. Hardware-enabled secure boot is a requirement. Security by obscurity must be abandoned as the relic that it is. The investment must be made to build security into the foundations of every device being utilized within critical infrastructure.
Cybersecurity investment: a neglected requirement
Recently, President Barack Obama held a cybersecurity summit in Silicon Valley to push for greater awareness and investment in cybersecurity. At this conference, venture capitalist Venky Ganesan, the managing director of Menlo Ventures, a major investor in cybersecurity, warned that not enough was being done to protect systems from hackers, despite recent high-profile attacks.
"We still are not spending the right amount of time and resources and money on the cybersecurity problem. It’s much bigger than people think," said Ganesan. In fact, Ganesan said that only 5 percent of corporate information technology budgets are spent on security. "That’s the equivalent of protecting a Tiffany’s with a deadbolt. We need to make sure that we spend the right amount of money because this is an existential threat to our society," he said.
All too often, companies are looking at cybersecurity and asking, "What is the ROI for investing in security?" That is simply the wrong question to ask. Given the threat, cybersecurity should be considered a critical requirement, just as safety has been. The critical infrastructure, manufacturing, automotive and other industries have invested billions into safety
Despite the growing risk, government initiatives and a growing awareness, companies are still, by-and-large, failing to invest in cybersecurity.
Security Challenges for Critical Infrastructure Devices
The IoT and IIoT (Industrial Internet of Things) comprise a wildly diverse range of device types: from small to large, from simple to complex, from consumer gadgets to sophisticated systems found in DoD, utility and industrial/manufacturing systems.
Part of the expanding web-connected network, embedded devices are very different from standard PCs or other consumer devices. These industrial operational assets are commonly fixed-function devices that have been designed specifically to perform a specialized task.
Many of them use a specialized operating system such as VxWorks, Nucleus, INTEGRITY or MQX, or a stripped-down version of Linux. In many cases, installing new software on the system in the field either requires a specialized upgrade process or is simply not supported. In most cases, these devices are optimized to minimize processing cycles and memory usage and do not have extra processing resources available to support traditional security mechanisms.
As a result, standard PC security solutions won’t solve the challenges of embedded devices. In fact, given the specialized nature of embedded systems, PC security solutions won’t even run on most embedded devices.
Use of multiple layers of protection is the driving principle for enterprise security. This includes implementing firewalls, authentication/encryption, security protocols and intrusion detection/intrusion prevention systems.
These are well established and proven security principles. Despite this industry awareness, firewalls are virtually absent in embedded systems, which instead mostly rely on simple password authentication and security protocols.
This cavalier attitude towards security is based on assumptions that embedded devices are not attractive targets to hackers, embedded devices are not vulnerable to attacks or that authentication and encryption can provide adequate protection for embedded devices. These old assumptions are no longer valid; the number and sophistication of attacks against embedded devices continues to rise and greater security measures are needed.
For over 25 years, cybersecurity has been a critical focus for large enterprises, whereas it has only recently become a focus for most engineers building embedded computing devices.
“Experience is the best teacher, but the tuition is high”, or so goes the saying. Rather than learn all the lessons by experience, embedded engineers can take a page from the enterprise security playbook. To ensure a device is secure, the following capabilities need to be included:
- Harden the device (Secure boot, authentication, anti-tamper);
- Secure the communication (security protocols, embedded firewall);
- Enable device visibility (remote command audit, event reporting);
- Enable security management (remote policy management, integration with security management systems).
These capabilities provide the foundation for building secure embedded devices.
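Two of the capabilities listed above, an embedded firewall and event reporting, can be sketched in a few lines of C. This is an added example, not Icon Labs' Floodgate code or anything from the original article: a default-deny static allowlist with a fixed-size ring of drop events. The rule table, addresses and function names are hypothetical.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define IP4(a,b,c,d) (((uint32_t)(a)<<24)|((uint32_t)(b)<<16)|((uint32_t)(c)<<8)|(uint32_t)(d))

/* Hypothetical rule: allow one protocol/port from one source subnet. */
typedef struct { uint32_t net, mask; uint8_t proto; uint16_t port; } fw_rule;

/* Constructed policy for a fixed-function controller: Modbus/TCP from the
   control subnet, SSH from one engineering workstation. Nothing else. */
static const fw_rule RULES[] = {
    { IP4(10,0,5,0),  IP4(255,255,255,0),   6, 502 },
    { IP4(10,0,9,17), IP4(255,255,255,255), 6, 22  },
};

/* Fixed-size ring of drop events: bounded memory, no allocation. */
#define LOG_SLOTS 8
typedef struct { uint32_t src; uint8_t proto; uint16_t port; } fw_event;
static fw_event drop_log[LOG_SLOTS];
static uint32_t drop_count;

/* Returns 1 to accept, 0 to drop. Default deny: a packet matching no rule
   is dropped and recorded for the reporting agent. */
int fw_check(uint32_t src, uint8_t proto, uint16_t port)
{
    for (size_t i = 0; i < sizeof RULES / sizeof RULES[0]; i++) {
        const fw_rule *r = &RULES[i];
        if ((src & r->mask) == r->net && proto == r->proto && port == r->port)
            return 1;
    }
    fw_event ev = { src, proto, port };
    drop_log[drop_count++ % LOG_SLOTS] = ev;
    return 0;
}

uint32_t fw_drop_count(void) { return drop_count; }

/* Most recent drop event; call only when fw_drop_count() > 0. */
fw_event fw_last_drop(void) { return drop_log[(drop_count - 1) % LOG_SLOTS]; }

int main(void)
{
    fw_check(IP4(10,0,5,23), 6, 502);     /* control subnet, Modbus: accepted */
    fw_check(IP4(192,168,1,50), 6, 23);   /* Telnet from elsewhere: dropped */
    printf("drops=%u last_port=%u\n", (unsigned)fw_drop_count(), (unsigned)fw_last_drop().port);
    return 0;
}
```

The static rule table and fixed-size log suit the constrained, fixed-function devices described earlier: no dynamic allocation, and a policy that can be reviewed at build time.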
Building security into the device
Building protection into the device itself provides a critical security layer – the devices are no longer dependent on the corporate firewall as their sole layer of security. In addition, the security can be customized to the needs of the device.
A security solution for embedded devices must ensure the device firmware has not been tampered with. It must secure the data stored by the device, secure the communications in and out of the device, and it must protect the device from cyber-attacks. This can only be achieved by including security in the early stages of design.
Security controls must be applied even during the manufacturing of the device or component. Integrating a hacked device into a “secure” system could doom the entire project or network to failure.
While there is no one-size-fits-all security solution for embedded devices, solutions are available that provide a framework for OEMs. Icon Labs' Floodgate Security framework provides OEMs with the core security capabilities required for securing their devices. This provides the flexibility needed to customize the solution to the specific requirements of their device, while ensuring that critical security capabilities are included.
Figure 1: A comprehensive security framework can provide critical security capabilities for embedded devices.
Implementing security within the device
Not only must a security solution for embedded devices ensure the device firmware has not been tampered with, it also needs to secure the data stored by the device, secure the communication between the device and the network, and protect the device from cyber-attacks. This can only be achieved by including security in the early stages of design.
Unfortunately, there is no one-size-fits-all security solution for embedded devices. Security requirements must take into consideration the cost of a security failure (economic, environmental, social, etc.), the risk of attack, available attack vectors, and the cost of implementing a security solution.
Any security framework should provide the security features as shown in table 1 below.
Kaspersky Labs’ report highlights the extent of today’s cyber threats. It is naïve to assume that the US and its allies have a monopoly on such technology. Everyone involved in the development of technology for critical infrastructure needs to recognize the threats and begin investing today in security solutions that provide the highest level of protection possible.
Today’s modern embedded devices and systems are complex connected devices charged with performing critical functions. Including security in these devices is a critical design task.
Security features must be considered early in the design process to ensure the device is protected from the advanced cyber-threats it will be facing now as well as attacks that will be created in the future. These are the steps required to make your things secure and help create the Internet of Secure Things.
About the author:
Alan Grau is the President and cofounder of Icon Labs – www.iconlabs.com.