When we think of cybersecurity our mind automatically goes to powerful software protecting “soft” assets i.e. data that could range from massive enterprise-grade datastores to tiny files that contain sensitive data about someone.
By Neil Okikiolu, Founder/CEO of Simius Technologies Inc.
These “soft” assets have been given priority in the cybersecurity industry. However, hardware is surging in popularity, things like autonomous vehicles and robots are on the horizon. Knowing this, hardware companies and the cybersecurity industry will need to come together and come up with effective strategies to protect the devices they sell and deploy.
Hardware is Eating the World
A famous software entrepreneur once said “software is eating the world” but in recent years, hardware is biting back in a big way. The GSM Association estimates that by 2025 there will be almost 25 billion IoT devices deployed in the world. That is approximately 3 devices for every human being on the planet.
It is no surprise why. The ability to automate tasks that require a physical activity to be performed is something that business leaders have dreamed of since they had workers. This physical automation is very desirable especially in cases where the work is either extremely repetitive or very dangerous for humans to undertake.
Even for the general consumer too, there are large benefits such as being able to save money when it comes to energy consumption by using smart thermostats or being able to monitor the state of their entire house through their smartphone.
However, with this rush towards the future, some things have been forgotten. The most important of these is device cybersecurity.
The Stakes are Increased with Hardware
So why is device cybersecurity so important? There are many reasons but we will describe the two most important ones.
Firstly, hardware is tangible when compared to software. What does this mean? Well, say for example someone were to target your company’s website. The hacker was able to send commands to drop the main database. Seeing as how you are an astute CIO/CISO, you have data backup policies in place that allow your organization to restore its database with minimal downtime.
However in the case of hardware, due to the nature of how software is run on it. A hacker can cause permanent damage to the device. Which is very costly for the entity that operates said device.
The second reason is hardware control. Future IoT is not passive, we are going to have active systems. Which means devices that can alter the state of their physical environment. An example is an autonomous robot that performs agriculture tasks.
The implication is that if someone were to take over an active device, they could have the power to negatively impact the environment they are in. To continue with the robot example, if someone were to take it over, they could drive it to another location where the robot could be taken away and sold for parts.
Strategies for the Future
Cybersecurity at the Design Stage
All hardware must be designed with updatability in mind. Threats evolve and so must the hardware defending those threats.
Traditionally, hardware has been developed using the waterfall model and for good reasons too (the system requirements are fixed, obviously you can’t patch more ram into the device).
Luckily, there is a place where we can inject a continuous product process and that is in the embedded software development stage.
In this stage of development, a cybersecurity-focused scrum process can be applied. The CIO/CISO can provide security guidance to engineers while allowing them to rapidly develop and improve the software being built.
This cybersecurity-focused scrum process is already being implemented in the United States Space Command and Control.
The other important piece regarding updatability is securely delivering and installing new firmware updates on your hardware.
Some aspects of this process are:
- Firmware verification, which involves using a digital signature to verify the file being received is from the correct source.
- Firmware error checking, as sometimes your devices may be installed in places with low network availability, and as such your device must be able to verify the integrity of any received file
- Support for various encryption methods e.g. AES, DES, etc.
- Adding secure key storage can be accomplished by using things like a One-Time Programmable Array.
Keep in mind, the previous list is not exhaustive, it just provides a starting point when it comes to designing a piece of hardware with cybersecurity in mind.
Data Access Controls – We need more than Keys
Imagine this scenario, a man walks to the gate of a factory. At this gate, he is presented with a card reader. He swipes the keycard he has on his person and the gate swings open.
What is the problem with the scenario that was presented? Well, most of you reading this are CIOs or CISOs and you will realize that no industrial or professional building relies on only keys for access controls. There are security guards, cameras, and even members of the building standing there who can make sure that the person using the security card (or other access methods) is legitimate.
Now, why was this story presented?
The reason was to illuminate the fact that we have all implemented multilayered physical access controls. However, when it comes to data access controls, we usually rely on a sort of “key” which grants access to an account, which grants access to data and permissions that account has.
These keys, for the most part, can be duplicated with ease. So why do we trust the key itself? We have assumed that just because an entity possesses the appropriate credentials, they must be allowed to access whatever the key allows them to access.
Keys and other access mechanisms are methods, they are not proofs of identity. We cannot blindly trust the keyholder. This is security backward. The keyholder must be vetted as well.
Think about it, if someone walked up to your house and unlocked the door, you would not just welcome them in while rationalizing that they must be a member of the household since they possess the correct key.
So what do we do?
User vetting and verification must be added to the user authentication pipeline. A straightforward method of user verification is fingerprinting. A good thing about human beings is, we are very good at displaying minute unique imperceptible actions which can be used to create a digital fingerprint. Some actions are, how we move our mouse, how we type (our cadence for instance), how long it takes to enter a key etc.
Using our current knowledge and understanding of Artificial Intelligence, we can implement systems to distinguish between people using data points that will be almost impossible to replicate.
And if these fingerprinting systems get advanced enough, we could truly eliminate the use of passwords (the bane of every security professional).
Keep in mind that this is only one method of guaranteeing a user’s identity in addition, there are definite privacy concerns with this method. It is left up to the organization to determine what methods of identity verification suit them and those who they serve.
The Importance of CIOs/CISOs
This was touched upon briefly in this article and will be expanded here.
CIOs and CISOs are quickly becoming one of the most important corporate officers in technology today. Just as the CTO rose to prominence 2 decades ago, when companies realized digital technology was a core competency. So are CIOs and CISOs because security is now one of the most important competitive advantages.
A bad security posture can cost companies millions, if not hundreds of millions of dollars in either lost revenue or loss from lawsuits and heavy lines.
About the Author
Neil Okikiolu is a Computer Scientist, Roboticist, and the founder of Simius (https://simius.ai) a consumer-focused IoT cybersecurity company.
Disclaimer
Views expressed in this article are personal. The facts, opinions, and language in the article do not reflect the views of CISO MAG and CISO MAG does not assume any responsibility or liability for the same.
References:
- GSMA – The Mobile Economy 2020
- KPMG – Turning Cybersecurity into a Growth Driver
- Home router security report 2020, 2020-06-26, Peter Weidenbach and Johannes vom Dorp, Fraunhofer Institute for Communication; Information Processing and Ergonomics
- Gupta, Udit. (2015). Secure management of logs in internet of things. International Journal of Advanced Networking and Applications. 7. 2636-2639.
- CPrime – Agile Processes for Hardware Development.
- SolarWinds and Cybersecurity: Using Scrum To Improve National Security
- Kvarda, Lukas & Hnyk, Pavel & Vojtech, Lukas & Lokaj, Zdenek & Neruda, M. & Zitta, Tomas. (2016). Software Implementation of a Secure Firmware Update Solution in an IOT Context. Advances in Electrical and Electronic Engineering. 14. 10.15598/aeee.v14i4.1858.