What scientists and engineers need to know to help keep software, hardware and connected systems secure
By Patricia Panchak, Contributing Writer
In the cat-and-mouse struggle against bad actors in our inter-networked world, scientists and engineers are on the front lines. As developers of technology that can mean the difference between an adversarial breach and a successful defense, they must remain vigilant in staying apprised of how their work can build in security or open a vector for potential incursions. Now, with the introduction of Internet of Things (IoT) technologies, the stakes are higher. An intense focus on cybersecurity is every researcher’s purview, not just the cybersecurity experts’. Here’s why, and what you need to consider.
The rise of the connected economy is accelerating the types and varieties of potential intrusions. Whereas earlier network architectures had boundaries that limited ingress and egress, “that’s significantly changed with the advent of cloud mobility,” asserts Vince Urias, a cybersecurity researcher at Sandia National Laboratory. “The perimeter is now many places, so where we defend is now more pervasive, and how we defend becomes more of a data synthesis problem.”
“Everywhere there’s a connection, there’s a potential attack vector where an adversary can compromise your network. It’s extremely terrifying,” Urias said.
Addressing cybersecurity in this environment requires efforts on all fronts in designing software, firmware, hardware and connected systems that collect, move, combine and analyze data. Further, it takes a new mindset geared to counter adversarial efforts that can only be imagined.
Data, data and more data
Stacy J. Prowell, the chief cybersecurity research scientist at Oak Ridge National Labs, calls the overall megatrend the “IoT and computerization of everything.” This trend, he explained, encompasses three changes in the use of data: the need to collect all the data of a particular use case, to combine it with other data to make it more useful, and then to make that data available in a way that allows people to use it.
“So, the question becomes, how do I then figure out how to operate in a secure manner in that world,” Prowell said.
The upcoming shift to 5G will compound the challenges.
“It has potential to have higher losses of data, in a more distributed fashion,” Urias said. “How do you institute protections or even understand your reasoning at the volumes of data we’re talking about?”
New approaches to creating software, firmware, hardware and systems development also expose researchers to potentially introducing vulnerabilities inadvertently. The increased use of open-source software is one area.
“I think this notion that we understand how much risk we’re assuming in the software that we’re composing into our new products, and how much residual risk we have in that software, I think it is not well known,” Urias said. “Our ability to look at smart devices is all powered by software, firmware, etc. — and we’re sort of linking these libraries and linking these things that may not necessarily be fully trusted.”
Meanwhile, Jeff Gottschalk, who heads the Cyber-Physical Systems research group at MIT Lincoln Laboratory, raised concerns about security arising from the electronics.
“We typically think of cybersecurity as related to the specifics of software,” he said. However, cyber vulnerabilities are also found in the firmware and hardware of microelectronics. “Those [types of] attacks use properties of how the microelectronics were built to affect the performance of that microelectronic device to do a digital job,” Gottschalk explained. “You trust the CPU to do its job, and so you usually only think about the software vulnerabilities as a point of attack for an attacker.” He cites as an example the Spectre and Meltdown vulnerabilities, flaws in CPU design that could allow an attacker to gain access to data belonging to other software running on that microprocessor.
To help prevent attackers from deliberately designing in or manufacturing security flaws in microelectronics, Gottschalk’s team recently filed a patent on an approach that offers cyber-secure “techniques and methods for people who design microelectronics circuits.” It features heuristics integrated with Computer Aided Design (CAD) tools that help a circuit developer decide where to put wires or transistors to make the circuit less vulnerable to attack. He described the patent as a rule book that checks the design and flags circuit features that are placed, say, to optimize circuit performance but are not in “the best place for security.”
Other hardware issues to watch out for, according to Gottschalk, stem from the “huge proliferation of IoT devices.” Industry, he pointed out, uses devices analogous to home devices such as Nest or Ring, in which cybersecurity researchers have found vulnerabilities. “In some cases, organizations may not pay attention to the security of those, depending on where they are in their company’s ecosystem,” he said. Designers must now pay attention to the security implications of these new devices, which they may not otherwise consider potential attack vectors. “When adding an IoT widget to your system, you might want to think about whether anyone has done any rating in terms of cybersecurity and choose one based on how secure it is.”
Assumptions gone awry
The way scientists and engineers design new systems also has to change, insisted Prowell. He sees two issues to address. First, when designing a component or system, engineers generally make assumptions about normal operating conditions, and when those assumptions are violated, an access point for an adversary can open up. “They assume failures will occur in a way that is independent and identically distributed, a statistical thing,” Prowell explained. Systems designed with these assumptions are secure until they are used in a way that generates errors the assumption never anticipated.
A Rowhammer attack, for example, exploits exactly this: inducing failures at a far higher rate than the design anticipates can break a system. Though a computer’s memory is subject to random errors, the user doesn’t notice because they are quickly corrected. However, “If I hammer on the memory with repeated read requests, I can toggle it fast enough to cause a random error in an adjacent row of memory,” Prowell said. “That may seem like that’s not particularly useful, but it turns out that you can leverage that to gain control of systems to break through security.”
The second class of problems, said Prowell, includes “systems that may have been very well designed, even given a malicious environment, but then someone adds ease-of-use on top of that, which creates a problem.” An example is connecting a wireless printer to a secure wireless network. “The WPA2 protocol used by wireless routers is pretty solid,” he explained. “But to connect a printer and other peripherals to it, designers created another protocol, WPS (WiFi Protected Setup),” which has been found to allow a remote attacker to gain access to the wireless system.
Another example is the hacking of a Jeep Cherokee in 2015. Prowell said that the hackers remotely gained access to the vehicle through the head unit, the system that displays maps and is connected to external networks. In this case, however, that system was also connected to the controller area network (CAN) that governs the operation of the car, such as braking. While the CAN is designed to operate the vehicle, “it’s not designed to be secure against external attacks,” Prowell says. The assumption when the CAN was designed was that it would never be connected to external networks, a non-secure environment. By connecting the CAN, secure only under that assumption, to the less secure head unit, the designers opened an attack vector.
“So you can take a system that is very secure, then someone deploys it in a way that violates your assumptions, or discovers something unknown to you at the time you designed it, and you wind up with a very insecure system,” Prowell said. “The challenge for engineers trying to design a secure system is to think about the complete context in which the system will be deployed — different environments, adding features to it, etc.,” he advised. “And think of the way in which those may violate the security assumptions of the original system.”
Designing in resiliency
Another countermeasure designers can take is to apply strategies for building resiliency into a product when confronted with a threat. “We do a great job of designing systems to be resilient against random failures — memory errors happen all the time in your computer, but you don’t notice it because it’s resilient to those kinds of small failures,” said Prowell. “We could do much better building resiliency with respect to cyberattacks.”
For example, by imagining that an attacker might exploit a vehicle’s entertainment center to gain access to the CAN, the designer could have built in technology that recognized the breach and reacted by turning off the antenna, rebooting the entertainment system to a known secure state and then powering the antenna back up. In this case, maybe “you lose radio or satellite navigation for a while, but you can still control the car,” Prowell said.
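The two vehicle passages above (a head unit that should never have been able to reach the CAN, and a design that detects a breach, drops the antenna, resets to a known-good state and then recovers) can be sketched as one policy gateway. The following Python is an added illustration written for this article, not code from any lab, vehicle or vendor; the CAN arbitration IDs, per-ID rate limits, event names and the five-second reset window are all hypothetical values chosen for the example.

```python
"""
Added illustration: a gateway between an externally connected head unit and the
vehicle CAN bus. It forwards only allowlisted, rate-limited frames; anything
else is treated as a breach and triggers the isolate / reset / recover sequence.
All IDs, limits and timings are assumptions for the example, not real values.
"""
from collections import deque
from dataclasses import dataclass, field
from typing import Deque, Dict, List, Optional, Tuple

# Constructed allowlist: CAN IDs the head unit may legitimately send, with the
# maximum number of frames per one-second window expected for each.
HEAD_UNIT_ALLOWED_IDS: Dict[int, int] = {
    0x3A0: 5,   # hypothetical: climate-control set-point
    0x3A1: 2,   # hypothetical: audio / display status
}
# Safety-critical IDs that must never originate from the head unit (assumed).
SAFETY_CRITICAL_IDS = {0x1F0, 0x1F1}  # hypothetical: brake and steering commands


@dataclass
class Frame:
    t: float        # seconds since boot
    can_id: int
    data: bytes


@dataclass
class Gateway:
    """FORWARDING -> ISOLATED (antenna off, head unit reset) -> FORWARDING."""
    state: str = "FORWARDING"
    window_s: float = 1.0
    reset_duration_s: float = 5.0
    reset_deadline: Optional[float] = None
    recent: Dict[int, Deque[float]] = field(default_factory=dict)
    events: List[Tuple[float, str, str]] = field(default_factory=list)  # audit log

    def _rate_exceeded(self, f: Frame) -> bool:
        # Sliding-window count of frames per ID.
        q = self.recent.setdefault(f.can_id, deque())
        q.append(f.t)
        while q and f.t - q[0] > self.window_s:
            q.popleft()
        return len(q) > HEAD_UNIT_ALLOWED_IDS[f.can_id]

    def _isolate(self, t: float, reason: str) -> None:
        # The resilience reaction: cut external connectivity, reboot the exposed
        # component to a known-good image, and schedule the recovery.
        self.state = "ISOLATED"
        self.reset_deadline = t + self.reset_duration_s
        self.events.append((t, "ISOLATE", reason))
        self.events.append((t, "ANTENNA_OFF", ""))
        self.events.append((t, "HEAD_UNIT_RESET", "reboot to known-good image"))

    def tick(self, t: float) -> None:
        """Advance time; finish recovery once the reset window has elapsed."""
        if self.state == "ISOLATED" and self.reset_deadline is not None and t >= self.reset_deadline:
            self.state = "FORWARDING"
            self.recent.clear()
            self.reset_deadline = None
            self.events.append((t, "ANTENNA_ON", "recovered"))

    def handle(self, f: Frame) -> bool:
        """Return True if the head-unit frame is forwarded onto the CAN bus."""
        self.tick(f.t)
        if self.state == "ISOLATED":
            self.events.append((f.t, "DROP", f"isolated, id=0x{f.can_id:X}"))
            return False
        if f.can_id in SAFETY_CRITICAL_IDS or f.can_id not in HEAD_UNIT_ALLOWED_IDS:
            self._isolate(f.t, f"head unit emitted disallowed id 0x{f.can_id:X}")
            return False
        if self._rate_exceeded(f):
            self._isolate(f.t, f"rate limit exceeded for id 0x{f.can_id:X}")
            return False
        return True


def run_scenario(frames: List[Frame]) -> Tuple[Gateway, List[bool]]:
    gw = Gateway()
    return gw, [gw.handle(f) for f in frames]


# Constructed traffic: normal climate / status messages, then a frame that only
# a brake controller should ever send, then traffic during and after recovery.
SAMPLE_FRAMES = [
    Frame(0.0, 0x3A0, b"\x16"),
    Frame(0.2, 0x3A1, b"\x01"),
    Frame(0.4, 0x1F0, b"\xff"),   # disallowed safety-critical ID -> isolate
    Frame(0.5, 0x3A0, b"\x17"),   # dropped while isolated
    Frame(6.0, 0x3A0, b"\x18"),   # reset window over -> forwarded again
]

if __name__ == "__main__":
    gw, forwarded = run_scenario(SAMPLE_FRAMES)
    print(forwarded)
    for event in gw.events:
        print(event)
```

The point of the sketch is structural: the safety bus never trusts the head unit, and the reaction to a violation degrades the entertainment features rather than the driving controls, which is the trade Prowell describes.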
Ultimately, engineers and scientists must realize that perfect security is impossible, so they must design with cybersecurity in mind. One option Gottschalk suggested is that they adopt a Zero Trust mindset, a security concept that’s emerged over the past year and a half in the IT infrastructure world. “The idea here is that you’re never going to keep all the bad actors out of the infrastructure, so having a lot of monitoring and understanding of how to do that is really important,” he said.
Thrust and parry
Unfortunately, as engineers and scientists build ways to strengthen security, they can create new vulnerabilities. “Even when you introduce new security tools that are focused on making the system more resilient, more secure, those software or hardware packages provide another vector, another avenue for an adversary to explore,” said Adrian Chavez, a cybersecurity researcher at Sandia. “So one thing that needs to be considered when deploying cybersecurity focused software is how do we ensure that the software that’s supposed to secure the system doesn’t make it insecure.”
Using AI is one option. “AI (artificial intelligence) is going to be helpful in Industrial IoT, where you’ll have millions of devices interacting with one another on the network,” Chavez said. Otherwise, it will be impossible to manage all of the data the devices are exchanging. “So you’re going to have to have algorithms that are looking at that data, analyzing that data, looking at anomalies and abnormal behavior, and making a decision on that abnormal behavior or at minimum presenting that abnormal behavior to an operator.”
Even with AI and machine learning to help, however, engineers will have to be careful with the data they’re using to train the algorithms. Chavez warned: “There are problems where adversaries can analyze the data being monitored, make a slight manipulation to it, and cause your ML or AI algorithms to misclassify the data as normal when it’s actually abnormal.” That means engineers need to find ways to build in validation of the data.
Chavez’s team recently completed a project that explored automatic detection and response to threats using AI to execute a rule-based algorithm. Eventually, the goal is to move toward autonomous systems, which involves developing AI algorithms capable of responding appropriately to alerts with no human intervention. Thinking out loud, he suggests that in the future, “a first step could be deploying a digital twin that models the actual environment, and then validating that the observed behavior of the actual environment is consistent with the digital twin environment.”
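Chavez’s two points, that an adversary can nudge monitored data so slightly that a model still calls it normal, and that a digital twin can validate observed behavior against what the physics says should happen, fit together in one check. The Python below is an added example written for this article, not code from Sandia or any project; the heated-tank model, its constants, the 0.05-degree-per-sample manipulation and both alarm thresholds are constructed assumptions. It contrasts a per-sample residual threshold, which a slow ramp never trips, with a one-sided CUSUM over the twin’s residuals, which accumulates the small persistent deviation and does fire.

```python
"""
Added example: validating a sensor stream against a digital twin before an
anomaly-detection model consumes it. The plant is a heated tank modelled as
heating minus Newtonian cooling; all constants are assumptions for the example.
"""
from typing import List, Optional, Tuple

DT = 1.0          # seconds per sample (assumed)
K_HEAT = 0.8      # degrees C per second per unit heater command (assumed)
K_LOSS = 0.05     # fraction of the temperature difference lost per second (assumed)
T_AMBIENT = 20.0  # degrees C (assumed)


def twin_step(temp: float, heater: float) -> float:
    """One step of the twin's physics: heating minus loss to ambient."""
    return temp + DT * (K_HEAT * heater - K_LOSS * (temp - T_AMBIENT))


def validate_stream(readings: List[float], heater: List[float],
                    step_limit: float = 0.5,
                    drift: float = 0.02, cusum_limit: float = 1.0
                    ) -> Tuple[Optional[int], Optional[int]]:
    """Compare each reported reading with the twin's prediction from the previous report.

    Returns (index where the per-sample residual first exceeds step_limit,
             index where the one-sided CUSUM of residuals first exceeds cusum_limit).
    None means that detector never fired.
    """
    step_alarm: Optional[int] = None
    cusum_alarm: Optional[int] = None
    s = 0.0
    for k in range(1, len(readings)):
        predicted = twin_step(readings[k - 1], heater[k - 1])
        residual = readings[k] - predicted
        if step_alarm is None and abs(residual) > step_limit:
            step_alarm = k
        # Positive-side CUSUM: small residuals below `drift` are forgiven,
        # anything persistent above it accumulates until it crosses the limit.
        s = max(0.0, s + residual - drift)
        if cusum_alarm is None and s > cusum_limit:
            cusum_alarm = k
    return step_alarm, cusum_alarm


def simulate_plant(n: int, heater: List[float], t0: float = 20.0) -> List[float]:
    """Ground truth for the example: the plant follows the twin's model exactly (assumed, no noise)."""
    temps = [t0]
    for k in range(n - 1):
        temps.append(twin_step(temps[-1], heater[k]))
    return temps


def build_samples(n: int = 120) -> Tuple[List[float], List[float], List[float]]:
    """Constructed data: heater held on, honest readings, and a tampered copy."""
    heater = [1.0] * n
    truth = simulate_plant(n, heater)
    honest = list(truth)
    # Constructed manipulation: from sample 20 on, the reported value is raised by
    # 0.05 degrees per sample. Each step looks like sensor noise; the series drifts.
    tampered = [t + (0.05 * (k - 20) if k >= 20 else 0.0) for k, t in enumerate(truth)]
    return heater, honest, tampered


def run_demo() -> Tuple[Tuple[Optional[int], Optional[int]], Tuple[Optional[int], Optional[int]]]:
    heater, honest, tampered = build_samples()
    return validate_stream(honest, heater), validate_stream(tampered, heater)


if __name__ == "__main__":
    honest_result, tampered_result = run_demo()
    print("honest   (step_alarm, cusum_alarm):", honest_result)
    print("tampered (step_alarm, cusum_alarm):", tampered_result)
```

Because the twin is linear here, each tampered residual works out to 0.0025·(k−1) degrees, far below the 0.5-degree per-sample limit, yet the CUSUM crosses its limit at sample 40. In a real deployment the twin would carry model error and the thresholds would be tuned on clean data, but the structure is the same: the validation step sits between the sensors and the learning system, and it reasons from physics the attacker does not control.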
Awareness, education and teamwork
Critically, however, designing for cybersecurity and leveraging technology still will likely not be enough. The vectors for an attack are too many and varied, and the attackers are endlessly creative. More awareness, along with more education and training, is needed. “We’re already in a fast-changing environment,” Urias said. “But we’re not investing in security education and awareness.” He calls for more cybersecurity education in undergraduate degrees and corporate programs. The curriculum should highlight areas of concern, alerting engineers that, “As you write software, as you develop tools, as you collaborate, all of these interactions may introduce vulnerabilities into your systems,” Urias said. Education then must continue throughout a designer’s career, increasingly focusing on domain-specific threats to security.
“Security is a challenging problem because defenders have to plug every single hole in a system, while adversaries just have to find one hole to be successful,” Chavez pointed out. That means engineers and scientists must always look broadly for “potential areas that an adversary could leverage as opportunities for themselves, which is challenging. You have to have a different mindset,” he said. “When developing cybersecurity protections, having a wide breadth of knowledge across software, firmware, hardware to protect against adversaries is critical. That’s tough to get with one person, and often requires a multi-disciplinary team to accomplish.”
Chavez stressed that teamwork inside and outside your organization is critical to meeting the challenge. “Including an independent security assessor on the project from the beginning is critical,” Chavez said. “An independent third-party red team assessor helps evaluate, cross-check, and provide an unbiased security assessment of hardware, firmware, and software cybersecurity solutions. The security assessments are most effective when performed throughout the lifecycle of the project, from design to deployment, to help ensure that the cybersecurity solutions developed are also secure before deployment.”
For engineers and scientists, only one thing is certain: building cyber-secure software, firmware, hardware and systems in the internetworked world will only get harder. They must remain constantly vigilant and use every tool and method available to stay ahead of the hackers.
To track the threats, the bad actors behind them and how they operate, engineers and scientists can monitor cyber-intelligence at the following sources:
Verizon’s Annual Data Breach Investigations Report: An annual review of a broad array of cybersecurity trends.
National Vulnerability Database: The U.S. government’s repository of standards-based vulnerability management data using the Security Content Automation Protocol (SCAP), which, according to the website, enables automation of vulnerability management, security measurement and compliance.
CrowdStrike’s Annual Global Threat Report: An annual in-depth analysis of the top cyber-threat trends.
The Mitre Corporation’s National Cybersecurity FFRDC: A federally funded research and development center sponsored by the National Institute of Standards and Technology (NIST).
The Mandiant APT1 Report: Published in 2013, it detailed the advanced persistent threats to the U.S. and directly implicated China in cyber espionage.