
EETE JUN 2015

ENCRYPTION & DATA SECURITY

Why NOW is the time to invest in security

By Alan Grau

Researchers from Kaspersky Labs, at their annual Security Analyst Summit (SAS), presented detailed findings of pervasive malware and embedded surveillance tools that have largely gone undetected for over a decade. The report implies that the surveillance tools were developed and deployed by the US National Security Agency. Some of the more startling revelations were:

• A program to systematically penetrate and map air-gapped systems
• Malware operating at the firmware level that enabled discovery of encryption keys and cracking of encryption algorithms, and that could remain in place through an operating system reinstall
• Malware that replaced hard-drive firmware to create a secret storage area on a hard disk that would survive drive reformatting
• Some of this malware has existed since around 2001 and has gone undetected until now

What is new in this report is the extent to which these tools were aimed at non-IT assets. Much of the report details efforts to penetrate air-gapped systems and other industrial control and critical infrastructure systems. These findings raise some interesting and troubling questions for the cybersecurity industry, and specifically for those of us developing the systems used in industrial automation, factory control and other critical operations. Chief among them is: what are we doing to protect our systems?

Cyber warfare: a harsh reality

Even if we accept the implication that the malware discovered by Kaspersky Labs was created by the NSA, that does not imply that the critical infrastructure systems within the US and our ally nations are safe from attack. There is little doubt that China, Russia, and Iran have large, dedicated and active cyberwarfare groups. If the US has developed sophisticated cyberware technology, there is little doubt that other countries either already have or soon will develop comparable technology.
Much of the technology described in the report from Kaspersky Labs is more than a decade old. Even if other countries are a decade behind the US, which is unlikely, then they would now have equivalent technology to infiltrate air-gapped systems, discover encryption keys, and remain undetected by standard security technologies.

Anyone building industrial control systems or critical infrastructure devices must take a new look at security. Air-gaps are a myth. Not only did the Kaspersky report detail methods to compromise them, many customers fail to maintain a strict air-gap. Additionally, insider threats must be considered. Hardware-enabled secure boot is a requirement. Security by obscurity must be abandoned as the relic that it is. The investment must be made to build security into the foundations of every device being utilized within critical infrastructure.

Cybersecurity investment: a neglected requirement

Recently, President Barack Obama held a cybersecurity summit in Silicon Valley to push for greater awareness and investment in cybersecurity. At this conference, venture capitalist Venky Ganesan, the managing director of Menlo Ventures, a major investor in cybersecurity, warned that not enough was being done to protect systems from hackers, despite recent high-profile attacks.

“We still are not spending the right amount of time and resources and money on the cybersecurity problem. It’s much bigger than people think,” said Ganesan. In fact, Ganesan said that only 5 percent of corporate information technology budgets are spent on security. “That’s the equivalent of protecting a Tiffany’s with a deadbolt. We need to make sure that we spend the right amount of money because this is an existential threat to our society,” he said.

All too often, companies are looking at cybersecurity and asking, “What is the ROI for investing in security?” That is simply the wrong question to ask.
Given the threat, cybersecurity should be considered a critical requirement, just as safety has been. The critical infrastructure, manufacturing, automotive and other industries have invested billions into safety. Despite the growing risk, government initiatives and a growing awareness, companies are still, by and large, failing to invest in cybersecurity.

Security challenges for critical infrastructure devices

The IoT and IIoT (Industrial Internet of Things) are comprised of a wildly diverse range of device types: from small to large, from simple to complex, from consumer gadgets to sophisticated systems found in DoD, utility and industrial/manufacturing systems. Part of the expanding web connected network, embedded

Fig. 1: A comprehensive security framework can provide critical security capabilities for embedded devices.

Alan Grau is the President and cofounder of Icon Labs (www.iconlabs.com). You can reach him at alan.grau@iconlabs.com.

Electronic Engineering Times Europe, June 2015, www.electronics-eetimes.com

