Winning the Cyber Battle: Trusting Your Digital Assets

Digital assets are mission-critical elements of combat environments. They could be as complex as a modern fighter jet, as simple as an air purity sensor, or as commonplace as the cell phone that soldiers carry on them. Their role, from communication and intelligence gathering to their presence inside the weapon systems that support critical missions, cannot be disregarded. However, over the years these digital assets have become complex ecosystems that are cumbersome to manage and to protect against interference and exploitation by third parties.

In this article, we explore the factors behind the armed forces' wariness of adopting digital assets in combat, discern the critical need to trust and adopt digital assets in critical missions, and the precautions that equipment manufacturers and the military can take to ensure trust in digital assets.

Introduction

In this epoch of robotics and artificial intelligence, digital assets (electronic systems that rely on digital logic and an embedded circuit to perform a task) have made inroads into almost every aspect of our lives, from communication and transportation to medical care and home automation. Their influence in combat environments has evolved commensurately.

Lenk, chief of service strategy and innovation at the NATO Communications and Information Agency, predicts that in 5 or 10 years the military world will be full of devices talking to each other, to command and control systems, and to everything else [1].

When you think about it, the benefits of using digital devices in combat are fairly obvious: improved situational awareness and logistics support, expert medical assistance anywhere and at any time, enhanced accuracy in intelligence gathering and surveillance, secure communication, and so on. Indeed, in modern warfare with its asymmetrical dimension, it is difficult to imagine military success without the aid of digital assets.

Nevertheless, the adoption of these digital devices by the armed forces has not been easy. It seems that our dependence on digital technologies is at odds with the level of trust we can place in them.

Why the distrust?

Various factors have contributed to the wariness among the armed forces about adopting digital devices in combat:

Erstwhile exploitations: There are diverse reasons why an adversary would want to compromise a device, as part of the overarching aim of gaining a strategic or tactical advantage. If they can disrupt its functionality, deny its services to legitimate users, degrade its performance, deceive its users into performing unintended actions or destroy it completely, their position becomes stronger. Adversaries do so by exploiting vulnerabilities present in the devices. In recent times this has been realized in various digital weapons and devices. For instance, drones, digital devices the military uses to jam enemy signals and for long-range surveillance, have been the subject of exploitation by enemies and insurgents over the years:

  • In 2009, insurgents in Iraq compromised drones using software available on the Internet for $26 a copy. They intercepted live video feeds that the drones relayed back to a US controller. The leaked information revealed the potential targets of US operations and helped the insurgents take evasive action [2].
  • In 2011, a computer virus infected the control center of the Predator and Reaper drone fleet and logged keystrokes during missions carried out in Afghanistan and other war zones. The monitoring and relaying of keystrokes during missions potentially revealed classified information to the enemy [3].
  • At the 2015 DEF CON event, security researchers compromised a Parrot A.R. Drone over its open Wi-Fi and an open Telnet port, remotely terminating the process that keeps it hovering [4], thereby providing a proof of concept that a compromise in combat is possible.
  • In early 2016, hackers from AnonSec claimed to have developed a method for gaining partial control over one of the Global Hawk drones used by NASA [5]. NASA, however, has completely denied that its drones were hijacked [6].

The real-world hacks, the proof-of-concept hacks and the blanket denials of hacks from trusted parties have together implanted a sense of suspicion of drones and other digital devices among the armed forces.

Prevalent device vulnerabilities: A lack of adequate security measures, or their improper implementation, leaves loopholes in devices that malicious actors can exploit. Exploitation of these vulnerabilities can leak sensitive, classified information from the devices, putting combatants at a strategic disadvantage on the battlefield as stated earlier. Some common hardware vulnerabilities and attacks that deserve a mention are:

  • Hardware Trojan [7]: a malicious modification of the circuitry of an integrated circuit (IC). Hardware Trojans could be placed into the system by the manufacturer for debugging and maintenance tasks. An adversary, however, would place a Hardware Trojan on the target hardware to cause subtle disturbances or catastrophic system failures: accepting inputs that should otherwise be rejected, such as co-ordinates over a no-fly zone, leaking cryptographic keys used for secure communication, performing denial-of-service attacks, and so on.
  • Hardware backdoors [8]: similar to Hardware Trojans, but involving code that could reside in the firmware of a computer chip. Hardware backdoors can be deliberately placed by the manufacturer for testing, debugging and maintenance purposes, or placed by an enemy after a device has been compromised to enable remote control of the system [9]. Hence, their effect is as catastrophic as that of a Hardware Trojan, or even more so.
  • Unified Extensible Firmware Interface (UEFI) vulnerabilities [10]: UEFI is a specification that defines a software interface between the operating system and the platform firmware. Existing vulnerabilities in UEFI can be exploited to install highly persistent malware on the device that lets the enemy control the entire system at will [11], regardless of any security measures that might be in place.
  • Semiconductor doping: the process of adding impurities to silicon-based semiconductors to change or control their electrical properties. Chemicals such as phosphorus and arsenic are used to alter these properties and are widely and easily available. Doping performed by an adversary on the device helps malicious Trojans pass the built-in tests that are primarily designed to report manufacturing or operational defects in the devices [12].
  • Hardware devices in general are susceptible to hardware side-channel attacks such as timing attacks, power analysis and fault injection, which could be used to steal sensitive information, eavesdrop, and so on [13].

It is worth noting that these vulnerabilities and subtle modifications of the chips in devices are virtually impossible to detect in a timely manner on the battlefield. Because the vulnerabilities are pervasive, they completely undermine the trust soldiers have in these systems.

Poor response to vulnerabilities: Delayed remediation of vulnerabilities in devices has been a consistent concern among the armed forces. The flaw exploited in the 2009 attack on US drones by Iraqi insurgents is said to date back to the 1990s, according to military technology analyst Peter Singer [14], and another US official stated that the flaw was finally identified and fixed over a period of 12 months [2]. Though the military was aware of the flaw, it assumed that its adversaries would not be able to take advantage of it.

This ineptness in handling vulnerabilities and the “security by obscurity” attitude have persisted over the years. Together with the increasing complexity of devices and the confusion over legal responsibility for security, with no single party (manufacturer, integrator or end user) assuming that role, they have undermined the confidence soldiers have in the system as a whole.

Globally sourced technology: Nations that lack the capacity to manufacture computer chips for classified systems are moving production offshore. Nonetheless, nations are also concerned about the risks of using globally sourced technology to implement and manufacture digital devices. Counterfeit computer hardware components are viewed as a significant problem by private corporations and military planners [15].

A recent White House review also noted that there had been several “unambiguous, deliberate subversions” of computer hardware components. The specter of subversion causing weapons to fail in times of crisis, or secretly corrupting crucial data, has come to haunt American military planners. This problem has grown more severe as most American semiconductor manufacturing plants have moved offshore (to countries such as China) [16], [17], allowing countries like China to acquire a monopoly over the manufacturing and implementation of chips and devices.

Furthermore, the Chinese government has been noted to include hardware backdoors in some commercial components manufactured in China, on the pretext of preventing and investigating terrorist activities, thereby putting third-party nations at risk of being snooped on or digitally hacked by the Chinese [18], [19], [20], [21], [22]. The risk of being hacked is a concern that subverts trust in any globally sourced device.

Opaque decision making: Digital devices can make thousands or millions of decisions each second that govern their operation and actions. Users and operators often have no visibility into the reasoning behind these decisions, so it becomes difficult to evaluate their accuracy and outcome. There have been numerous occasions where devices have malfunctioned in service.

One instance is the malfunctioning of an Oerlikon GDF-005 anti-aircraft cannon. This computerized anti-aircraft weapon, used by the South African National Defense Force, is designed to use passive and active radar to obtain its target data. The malfunction killed 9 people and injured 14 others; it is believed to have been caused by a software glitch in the machine [23].

Another instance is the malfunctioning of G36 assault rifles used by German troops in combat. The troops reported that the rifles lost accuracy after sustained firing in hot environments [24]. Likewise, during an Indonesian Navy exercise on September 14, 2016, two Chinese-made C-705 missiles failed to hit their targets after launching from two KCR-40 attack ships [25].

The uncertainty in determining if a device would make the “right” decision on the battlefield is a matter of concern in the military.

Dependence on insecure third-party communication channels: On April 8, 2010, state-owned China Telecom rerouted U.S. and other foreign Internet traffic, causing 15 percent of all Internet traffic to travel through Chinese servers for nearly 20 minutes [26]. Although the long-term impact of this rerouting remains unknown, there is a real possibility that military information leaked during this incident.

In light of the above incident, it can be stated that third-party network providers are inherently insecure and susceptible to attacks such as man-in-the-middle attacks, snooping, sniffing, and so on [27]. Moreover, the lack of knowledge or use of cryptographic primitives in communication channels only adds to the military’s concerns.

Why the need for trust and adoption?

Digital assets may be a prime target during Phase Zero, or pre-conflict operations. In the Internet age, controlling information is as important as influencing opinions on an international platform such as the United Nations (UN). For instance, network attacks widely believed to have originated in China have targeted diplomats from the United States and its partners, politicians, human-rights campaigners, military networks, and corporations to glean confidential information and to influence matters of interest to China [28].

The Chinese government acknowledges a strategic culture of defeating an enemy prior to the onset of hostilities; its intention is to bend the will of an adversary nation without having to resort to force [29]. In accordance with this philosophy, the Chinese government has not only carried out sophisticated computer-network operations [30] but has also been taking measures to target embedded devices. In 2007, Jonathan Evans, the Director General of the UK Security Service, MI5, stated that the Chinese “continue to devote considerable time and energy trying to steal our sensitive technology on civilian and military projects and trying to obtain political and economic intelligence at our expense.” [31]

Another instance of Phase Zero operations is the injection of Trojan horses by the United States in the 1980s. American intelligence added a Trojan to gas pipeline control software to ensure that the machine, which was being shipped through Canada to Russia, would work erratically and could be disabled remotely. The machine had been bought by the Soviet Union from Canadian suppliers to control a Trans-Siberian gas pipeline. The doctored software failed, leading to an explosion in 1982, an outcome that served the interests of the United States [32], [33]. Similarly, Crypto AG, a Swiss maker of cryptographic equipment (Enigma), is believed to have colluded with the NSA to rig the equipment provided to certain countries. The Swiss reputation for secrecy and neutrality lured Iran and other nations into buying the equipment. In the aftermath, the NSA’s access to the hardware backdoor in the company’s encryption machines made it possible to read electronic messages transmitted by many governments [34], [35].

Other nations, however, focus on building partner capacity and influencing potential adversaries in order to avoid wars. Such nations do not engage in the tactical approaches the Chinese do and, as a result, lack the strategic advantage the Chinese government possesses. Therefore, in order to stand side by side on international platforms such as the UN without being tactically coerced by adversary nations, these nations need to adopt and trust their devices. They need to employ trust measures to safeguard their devices and, ultimately, their will.

What does it mean to trust a digital asset?

The word “trust” in this context means relying on a device to perform its function effectively. In other words, a device should not function in a way that aids the enemy. Examples of device abuse include:

  • Spying on behalf of the enemy to glean confidential information and undermine the efforts of the armed forces using the device.
  • Providing false or outdated information to allies that could jeopardize a mission, for instance wrong location co-ordinates for the launch of a missile; the outcome of such a launch could be the death of innocent civilians.
  • Inadvertently revealing confidential information to the enemy. This can be attributed to insecure communication channels in which the data is not encrypted, or to the enemy possessing the encryption key for the encrypted data transmitted over the channel.
  • Acting as a launch-pad for enemy attacks, or taking false inputs from an adversary that mar the outcome of a critical function. An instance of this could be the enemy triggering the kill switch at will, thereby undermining the efforts of the armed forces in a mission.
  • Revealing its location, or the location of other assets, to the enemy during stealth operations. This is made possible either by insecure communication methods or by compromising the device with a Trojan.
  • Performing in a reduced capacity so as to disrupt supply chains, drastically impacting the performance of the military through shortages of food, water, ammunition and other basic supplies.

How to ensure trust in digital devices?

Securing a device can be daunting; the complexity of the chips and of the device's functions only adds to the difficulty of providing robust security controls. However, security can be ensured.

Presuming that hackers, insurgents or the enemy have the technical prowess to hack into digital devices remotely, or to exfiltrate information from devices in their possession, some measures that could be employed to ensure trust include (Figure 1):

Figure 1: Ensuring trust in digital devices

  • Establishing an effective threat intelligence and monitoring operation can inform operators of vulnerabilities before they impact a mission. Although not specific to device security, these operations are vital to ensure that proper countermeasures are developed and deployed without undue delay.
  • Adopting secure device update mechanisms can rectify vulnerabilities in a timely and secure manner. Inherently, no system is resilient against all future threats at inception. Digital devices must be developed with provisions for secure updating of their software and firmware, which allows countermeasures against new threats to be deployed.
  • Ensuring a comprehensive device security assessment can alleviate the mistrust in digital devices. Hardware is the crux of any digital asset: if the hardware is compromised, all components (firmware and software) stand compromised. Establishing advanced labs for hardware and software evaluations that identify and address security vulnerabilities is a necessity and a step towards ensuring trust. Recruiting expertise in embedded security, white-box cryptography, Security on chip (SOC), and IoT-enabled devices is critical as well. An assessment may include:
    • Evaluation of communication protocols for man-in-the-middle attacks, sniffing, etc.
    • Source code analysis for buffer overflow attacks, information leakage, etc.
    • Cryptography analysis for leakage of secret keys, implementation errors, etc.
    • Hardware analysis for side-channel attacks, fault-injection attacks, imaging and IC modification attacks, backdoors and Trojans, etc.
    • Supply chain evaluation.

  • Adopting anti-tampering technology and compromise/threat detection mechanisms in the device. This involves countermeasures that enable the detection of a compromise or a break-in. Encryption wrappers, code obfuscation, software watermarking and fingerprinting, and Trusted Execution Environments (which aid in detecting and reporting unauthorized changes to the operating system or programs, and detect rootkits) [36] are a few techniques that help achieve threat detection and prevention. In conjunction, access control mechanisms and identity management systems also help prevent the emergence of rogue devices and impersonation.
  • Developing fail-safe mechanisms. These mechanisms enable devices to fail, in a safe and predictable manner, in the event of an attack or on tamper detection. One such mechanism is the implementation of hidden kill switches in devices, which make it possible to disable computer-controlled military equipment from a distance if the device falls into enemy hands.
  • Implementing cryptographic primitives can ensure secure communication (authentication, integrity and confidentiality of the information in transit) over third-party communication channels, as well as secure over-the-air patching and updates to the devices. It is increasingly important in today’s combat environment to use cryptographic primitives because enemies and potential adversaries are rapidly acquiring “jamming” and “hacking” technologies, giving them the ability to interfere with and compromise device operations. To achieve secure communication, device manufacturers can embed secure elements such as a Trusted Platform Module (TPM) into the device. Secure elements are specialized chips on an endpoint device that store encryption keys, perform cryptographic computations, and authenticate the device.
  • Implementing trusted computing. This involves building a Trusted Computing Base (TCB) into the device. The TCB is the set of all hardware, firmware, and/or software components that are critical to the device’s security, in the sense that bugs or vulnerabilities inside the TCB might jeopardize the security properties of the entire system. It contains four primary security mechanisms: a security policy, identification and authentication, labeling, and auditing. TCBs are usually accompanied by Trusted Execution Environments (TEE), a secure area of the main processor that protects the confidentiality and integrity of the code and data loaded into it. A TEE also provides hardware root of trust functionality. A root of trust supports features such as:
    • Secure boot and secure access control.
    • Secure identification and authentication.
    • Firmware integrity assurance.
    • Secure storage for the rest of the chip.
    • Secure debug and test access control.
    • Runtime protection.
    • Secure field updates.
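As an added illustration (not code from this article or from any TPM or TEE vendor), the following Go program models how a hardware root of trust supports secure boot and firmware integrity assurance: each boot stage is measured into a PCR-style register that can only be extended, never overwritten, and a remote verifier checks a signed attestation quote against the approved ("golden") measurement recorded when the device was enrolled. The boot-stage contents, the attestation key pair, the nonce and the quote format are all constructed for this example; on a real device the attestation key and the PCR would live inside the TPM or TEE rather than in program memory.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Constructed sample boot stages standing in for real firmware images.
var GoldenStages = [][]byte{
	[]byte("bootloader v1.0 (constructed sample)"),
	[]byte("kernel v4.19 (constructed sample)"),
	[]byte("mission-app v2.3 (constructed sample)"),
}

// ExtendPCR models a TPM PCR extend: new = SHA256(old || SHA256(measurement)).
// The register can only be extended, so a later stage cannot erase the
// measurement of an earlier one, and stage order is part of the result.
func ExtendPCR(pcr [32]byte, measurement []byte) [32]byte {
	digest := sha256.Sum256(measurement)
	return sha256.Sum256(append(pcr[:], digest[:]...))
}

// MeasureBoot chains the measurements of every stage from an all-zero register.
func MeasureBoot(stages [][]byte) [32]byte {
	var pcr [32]byte
	for _, stage := range stages {
		pcr = ExtendPCR(pcr, stage)
	}
	return pcr
}

// Quote is the device's attestation: the PCR value bound to the verifier's
// nonce and signed by the attestation key held in the root of trust.
type Quote struct {
	PCR   [32]byte
	Nonce []byte
	Sig   []byte
}

func quoteMessage(pcr [32]byte, nonce []byte) []byte {
	msg := append([]byte("QUOTE:"), pcr[:]...)
	return append(msg, nonce...)
}

// MakeQuote is the device side (hypothetical API shape, constructed for the example).
func MakeQuote(attestPriv ed25519.PrivateKey, pcr [32]byte, nonce []byte) Quote {
	return Quote{PCR: pcr, Nonce: nonce, Sig: ed25519.Sign(attestPriv, quoteMessage(pcr, nonce))}
}

var (
	ErrReplay   = errors.New("nonce mismatch: stale or replayed quote")
	ErrBadQuote = errors.New("quote signature invalid: not from the enrolled root of trust")
	ErrTampered = errors.New("PCR mismatch: firmware differs from the approved build")
)

// VerifyQuote is the remote verifier: freshness first, then authenticity,
// then the measurement itself against the golden value from enrollment.
func VerifyQuote(attestPub ed25519.PublicKey, q Quote, expectedNonce []byte, golden [32]byte) error {
	if !bytes.Equal(q.Nonce, expectedNonce) {
		return ErrReplay
	}
	if !ed25519.Verify(attestPub, quoteMessage(q.PCR, q.Nonce), q.Sig) {
		return ErrBadQuote
	}
	if q.PCR != golden {
		return ErrTampered
	}
	return nil
}

func main() {
	attestPub, attestPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	golden := MeasureBoot(GoldenStages) // recorded when the device is enrolled
	nonce := make([]byte, 16)
	if _, err := rand.Read(nonce); err != nil {
		panic(err)
	}
	healthy := MakeQuote(attestPriv, MeasureBoot(GoldenStages), nonce)
	fmt.Println("healthy device:", VerifyQuote(attestPub, healthy, nonce, golden))

	// The kernel image is replaced: the chained PCR value changes, so the
	// quote no longer matches the golden measurement even though it is validly signed.
	tampered := [][]byte{GoldenStages[0], []byte("kernel v4.19 (modified)"), GoldenStages[2]}
	bad := MakeQuote(attestPriv, MeasureBoot(tampered), nonce)
	fmt.Println("tampered device:", VerifyQuote(attestPub, bad, nonce, golden))
}
```

The verifier checks the nonce before the signature so that an old, genuine quote captured from a healthy device cannot be replayed after the firmware is modified; the signature check then ties the measurement to the enrolled hardware key, and only last is the PCR itself compared with the golden value.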

Conclusion

War zones are being digitized. In addition to the undisputed benefits these digital devices provide, the low cost of much of this technology (sensors, drones, etc.) is facilitating its rapid permeation into the military and industry. While the security of many of these devices seems obscure, nation states across the world are vehemently researching [37] the utility, risks and challenges of deploying digital assets in war zones. Nevertheless, additional responsibilities need to be adopted to ensure trust.

All parties, from device manufacturers to end users, need to make an effort to enforce trust measures in digital devices. Security needs to be enforced throughout the lifecycle of the device: from procurement to design, development to deployment, and maintenance to retirement. The supply chain must enforce accountability and responsibility, and nation states need to enact policies and laws to support the same.

Finally, discretion in ensuring that the established trust remains consistent across all domains of device operation, via practical demonstrations and comprehensive evaluations of risks versus benefits, can greatly alleviate the concerns of soldiers and help them adapt to new digital devices.

Literature

[1] https://www.afcea.org/content/?q=Article-nato-studying-military-iot-applications

[2] https://www.theguardian.com/world/2009/dec/17/skygrabber-american-drones-hacked

[3] https://www.wired.com/2011/10/virus-hits-drone-fleet/

[4] https://www.csoonline.com/article/2970932/security/ten-scary-hacks-i-saw-at-black-hat-and-def-con.html

[5] https://www.hackread.com/nasa-data-leaked-nasa-drone-hacked/

[6] https://www.hackread.com/nasa-denies-anonsecs-claim-of-hacking-global-hawk-drone/

[7] https://en.wikipedia.org/wiki/Hardware_Trojan

[8] https://en.wikipedia.org/wiki/Hardware_backdoor

[9] http://www.dailymail.co.uk/sciencetech/article-2152284/Could-vulnerable-chip-allow-hackers-Boeing-787-Back-door-allow-cyber-criminals-way-in.html#ixzz28fcdeOdm

[10] http://www.securityweek.com/researchers-find-several-uefi-vulnerabilities; https://threatpost.com/cert-warns-of-uefi-hardware-vulnerabilities/110213/

[11] https://www.pcworld.com/article/3187264/security/uefi-flaws-can-be-exploited-to-install-highly-persistent-ransomware.html

[12] https://arstechnica.com/information-technology/2013/09/researchers-can-slip-an-undetectable-trojan-into-intels-ivy-bridge-cpus/

[13] http://gauss.ececs.uc.edu/Courses/c653/lectures/SideC/intro.pdf

[14] http://www.cnn.com/2009/US/12/17/drone.video.hacked/index.html

[15] https://www.scientificamerican.com/article/the-pentagon-rsquo-s-seek-and-destroy-mission-for-counterfeit-electronics/

[16] http://www.nytimes.com/2009/10/27/science/27trojan.html?mcubz=3

[17] http://www.homelandsecuritynewswire.com/fake-chips-china-threaten-us-military-systems

[18] https://www.theguardian.com/technology/blog/2008/oct/06/security.china

[19] http://gizmodo.com/5897493/all-chinese-made-electronics-could-be-bugged-says-former-head-of-us-counterterrorism

[20] https://www.schneier.com/blog/archives/2012/05/backdoor_found.html

[21] http://www.popsci.com/technology/article/2013-07/spy-agencies-have-banned-lenovo-computers-because-theyre-chinese

[22] http://www.reuters.com/article/us-china-security/china-passes-controversial-counter-terrorism-law-idUSKBN0UA07220151228

[23] https://www.wired.com/2007/10/robot-cannon-ki/

[24] http://www.popularmechanics.com/military/weapons/a21427/german-troops-dont-trust-their-weapons/

[25] http://www.janes.com/article/63815/indonesian-president-watches-failed-firings-of-chinese-made-c-705-missiles-at-naval-exercise

[26] http://www.foxnews.com/politics/2010/11/16/internet-traffic-reportedly-routed-chinese-servers.html

[27] https://www.wired.com/2014/03/how-huawei-became-nsa-nightmare/

[28] http://diplomacydata.com/cyber-security-and-cyber-espionage-in-international-relations/

[29] Scott D. McDonald, Brock Jones, and Jason M. Frazee, “Phase Zero: How China Exploits It, Why the United States Does Not” (https://www.usnwc.edu/getattachment/eef71cb7-abe7-4410-adaf-d78d085d933e/Phase-Zero–How-China-Exploits-It,-Why-the-United-)

[30] http://www.npr.org/2013/02/19/172373133/report-links-cyber-attacks-on-u-s-to-chinas-military

[31] http://www.telegraph.co.uk/news/worldnews/asia/china/8597485/China-and-Britain-locked-in-cyber-war.html

[32] https://www.cia.gov/library/center-for-the-study-of-intelligence/csi-publications/csi-studies/studies/96unclass/farewell.htm

[33] http://www.nytimes.com/2009/10/27/science/27trojan.html?_r=1&ref=science&pagewanted=all

[34] https://web.archive.org/web/20080202225034/http://www.inteldaily.com/?c=169&a=4686

[35] http://www.atlasobscura.com/articles/a-brief-history-of-the-nsa-attempting-to-insert-backdoors-into-encrypted-data

[36] Mikhail J. Atallah, Eric D. Bryant, and Martin R. Stytz, “A Survey of Anti-Tamper Technologies” (https://pdfs.semanticscholar.org/50b5/e90d919cc7641225281bfb84cbdaf5751d17.pdf)

[37] https://www.cso.nato.int/ACTIVITY_META.asp?ACT=8647

Senate bill to secure Internet of Things (IoT)

The Internet of Things, and now the U.S. federal government along with it, has a problem. Devices are smart enough to impact the world around them, but are not built smart enough to protect themselves. In the recent past, these devices have been maliciously commandeered to bring down large swathes of the Internet, steal sensitive information, send spam emails, spy on individuals, and bring a whole city to its knees.

The first step in solving a problem is admitting you have one, and the Senate took this step with the introduction of the “Internet of Things Cybersecurity Improvement Act of 2017”.

The new legislation, introduced by Sen. Mark Warner and Sen. Cory Gardner, sets minimum standards for the manufacturing, deployment and maintenance of IoT devices purchased by the U.S. federal government. It received input from technology experts at the Atlantic Council and Harvard University to address cyber attacks that leverage IoT devices. The bill is aimed at responding to “obvious market failures,” said Warner in an interview with Reuters, and at preventing further intrusions into federal systems “without halting the life-changing innovations that continue to develop in the IoT space,” said Gardner.

The key provisions of the bill are:

  • The manufacturer or contractor supplying the device to the federal government must provide a written certification covering, but not limited to, the following:
    • No known vulnerabilities are present at the time of delivery of the device. If any are present, mitigation strategies are to be disclosed to the agency in detail.
    • Any updates to the device (inclusive of hardware, software and firmware) are properly authenticated by means such as digital signatures.
    • The device uses only non-deprecated industry-standard protocols and technologies.
    • The device has no fixed or hard-coded credentials such as usernames, passwords, tokens, cryptographic keys and other authentication primitives, and these credentials are not modified or revoked by the user or manufacturer except via an authenticated firmware update.
  • The U.S. federal government and associated agencies are to outline policies and procedures for conducting cybersecurity research on Internet-connected devices, with safeguards protecting such good-faith research from criminal liability or penalties.
  • Finally, if an existing third-party security standard for Internet-connected devices provides an equivalent or greater level of security, an executive agency may allow a contractor to demonstrate compliance with that standard in lieu of the requirements above, followed by a written certification that the device complies with the security requirements of the industry.

Assuming this bill passes, what does this mean for enterprises purchasing IoT devices? In theory, the purchasing power of the federal government should lead large IoT manufacturers to start following these minimum security standards, which would benefit all companies by default. However, an enterprise should not assume this to be the case. Companies should use the key provisions in the Senate bill as guidelines to discuss with their device manufacturers before a purchase. Ask your suppliers if they meet these provisions, and if not, where they have gaps and what their plan is to fill them.

For device manufacturers, this bill will affect your approach to security. Let’s look at each requirement and its possible ramifications:

  1. No known vulnerabilities are to be present at the time of delivery of the device to the federal government:

There are several nuances in this point that should be explored. First, a vulnerability must be known to be covered by this provision. It is not perfectly clear whether the word ‘known’ means ‘publicly known’ or just ‘known by the company’, but I would guess the latter. Assuming it is known, the company has two options: fix it, or report it at procurement time along with mitigation strategies. Taking this into account, what is the incentive for manufacturers to perform detailed security testing? This is where the provision on cybersecurity research comes in. Since cybersecurity research is encouraged, it is likely that someone will find vulnerabilities in your products. It is generally in the company’s best interest to find vulnerabilities internally and patch them rather than have a vulnerability exposed publicly.

Finding vulnerabilities in IoT devices covers software vulnerabilities, but there are also key hardware tests that should be performed. IoT hardware testing involves attacks such as side-channel attacks, fault injection, imaging and IC modification. The testing process also involves source code audit, deobfuscation testing, fuzzing, cryptography implementation audit, software vulnerability verification, and assessment of both long-range and short-range wireless IoT communication protocols. The assessment process can be daunting for device manufacturers, but some IoT security solutions companies have the skills and experience to perform advanced hardware penetration testing (device, application, network) while leveraging proprietary security schemes and security intelligence.

Remember that device manufacturers do have the option to mitigate vulnerabilities without fixing the root cause. The vulnerability and mitigation strategy need to be disclosed at the time of delivery. In general, the manufacturer should continue to work on mitigating the vulnerability completely and integrate it into their future upgrades to the device, if applicable.

  1. Any updates to the device (inclusive of hardware, software and firmware) are to be properly authenticated by means such as digital signatures: This provision is relatively straightforward: an update must be authorized and authenticated before the device applies it. Nothing in the language restricts it to over-the-air updates, so locally initiated updates must be secured as well. Authentication generally relies on digital signatures, which are challenging to implement correctly at scale: the device needs a trusted verification key, the vendor needs a signing key that never leaves a protected signing service, and both need a plan for rotation. Manufacturers that lack the expertise to implement or assess a PKI can turn to security solution companies for key management, including secure online generation of device keys, or use third-party update-management services that provide authentication.
  2. The devices are to use only non-deprecated industry-standard protocols and technologies: The federal government expects manufacturers to follow industry security best practice, which in turn requires them to stay abreast of current cybersecurity practice. Although it is best to use the latest version of a protocol or technology where possible, the provision only prohibits deprecated technology (the MD5 hash algorithm, for example). Manufacturers can rely on technology consulting or security advisory firms for guidance in implementing compliant solutions.
  3. The devices will not have fixed or hard-coded credentials such as usernames, passwords, tokens, cryptographic keys and other authentication primitives, and these credentials will not be modified or revoked by the user or manufacturer except via an authenticated firmware update: Hard-coded and global credentials have been the root of many IoT security incidents in the last two years. This provision ensures that keys and credentials can be changed or rotated, and hopefully that they are not shared across all devices (although that is not technically in the provision). It also mandates that any change to credentials happen in a secure fashion. Rotating device secrets securely at scale is a challenging undertaking and should be approached with care; IoT platform vendors offer this as a service today, and unless a manufacturer already has the infrastructure to support it, third-party support is worth considering.
  4. To outline policies and procedures for conducting cybersecurity research on Internet-connected devices, and safeguards from criminal liability or penalties for such well-intentioned research: Cybersecurity research usually involves breaking into things (open source and proprietary devices, protocols, software and hardware alike), and breaking into anything without prior notice or permission may be treated as a crime. The procedures for obtaining permission are rigid and expensive, which leaves researchers little room to experiment and to work out the best measures for safeguarding devices; this in turn limits what manufacturers know about securing their products. By being more open to cybersecurity research on IoT, manufacturers can invest in it, and the IoT community as a whole stands to benefit from its outcomes, as digital media has benefited from decades of research into robust watermarking and anti-piracy technology.
  5. Finally, that if an existing third-party security standard for Internet-connected devices provides an equivalent or greater level of security, an executive agency may allow a contractor to demonstrate compliance with that standard in lieu of the requirements, followed by a written certification that the device complies with the security requirements of the industry: This provision allows manufacturers to have their devices evaluated and certified from a security perspective by third-party institutes. One example of such a certification is the CSPN from ANSSI (L'Agence Nationale de la Sécurité des Systèmes d'Information).
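Provisions 1 to 3 above fit together in a single device-side routine, shown here as an added example in Go (not code from the article, the bill or any vendor it names). A constructed update manifest carries a version, a digest algorithm name, the image digest and a credential epoch. The vendor signs the manifest with Ed25519 and the device verifies the signature before trusting any field (provision 1), refuses rollback, accepts only digest algorithms on an allow-list so md5 and sha1 are rejected (provision 2), and derives its per-unit credential from a device-unique secret and the epoch, so credentials are neither hard-coded nor global and rotate only through an authenticated update (provision 3). The manifest format, the field names, the allow-list contents, the choice of Ed25519 and the device secret are all assumptions made for the example.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/sha256"
	"crypto/sha512"
	"encoding/binary"
	"errors"
	"fmt"
)

// Manifest is a constructed update descriptor (not a real vendor format).
// Every field is under the signature, so nothing here is trusted until verified.
type Manifest struct {
	Version   uint32 // strictly increasing; used to refuse rollback
	HashAlg   string // digest algorithm applied to the image
	Digest    []byte // digest of the firmware image
	CredEpoch uint32 // credential generation to move to after install
}

// Encode serialises with explicit lengths so the signed bytes are unambiguous.
func (m Manifest) Encode() []byte {
	var b bytes.Buffer
	binary.Write(&b, binary.BigEndian, m.Version)
	binary.Write(&b, binary.BigEndian, uint32(len(m.HashAlg)))
	b.WriteString(m.HashAlg)
	binary.Write(&b, binary.BigEndian, uint32(len(m.Digest)))
	b.Write(m.Digest)
	binary.Write(&b, binary.BigEndian, m.CredEpoch)
	return b.Bytes()
}

// allowedDigests is an allow-list: anything absent (md5, sha1, ...) is refused.
// That is how "only non-deprecated algorithms" becomes a testable rule.
var allowedDigests = map[string]func([]byte) []byte{
	"sha256": func(d []byte) []byte { s := sha256.Sum256(d); return s[:] },
	"sha512": func(d []byte) []byte { s := sha512.Sum512(d); return s[:] },
}

var (
	ErrBadSignature   = errors.New("manifest signature does not verify")
	ErrRollback       = errors.New("manifest version is not newer than the installed one")
	ErrDeprecatedAlg  = errors.New("manifest names a digest algorithm that is not allowed")
	ErrDigestMismatch = errors.New("image digest does not match the manifest")
)

// SignManifest is the vendor-side step; the private key stays in the signing service.
func SignManifest(priv ed25519.PrivateKey, m Manifest) []byte {
	return ed25519.Sign(priv, m.Encode())
}

// VerifyUpdate is the device-side check, in the order a device must apply it:
// authenticate the manifest first, then act on what it says.
func VerifyUpdate(pub ed25519.PublicKey, m Manifest, sig, image []byte, installed uint32) error {
	if !ed25519.Verify(pub, m.Encode(), sig) {
		return ErrBadSignature
	}
	if m.Version <= installed {
		return ErrRollback
	}
	digest, ok := allowedDigests[m.HashAlg]
	if !ok {
		return ErrDeprecatedAlg
	}
	if !hmac.Equal(digest(image), m.Digest) { // constant-time compare
		return ErrDigestMismatch
	}
	return nil
}

// DeriveCredential derives the credential for an epoch from a secret unique to
// this unit (provisioned at manufacture, never shared). The epoch only arrives
// inside a verified manifest, so rotation happens only via an authenticated update.
func DeriveCredential(deviceSecret []byte, epoch uint32) []byte {
	mac := hmac.New(sha256.New, deviceSecret)
	mac.Write([]byte("device-credential/"))
	var e [4]byte
	binary.BigEndian.PutUint32(e[:], epoch)
	mac.Write(e[:])
	return mac.Sum(nil)
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil) // nil reader selects crypto/rand
	image := []byte("constructed firmware image v2")
	m := Manifest{Version: 2, HashAlg: "sha256", Digest: allowedDigests["sha256"](image), CredEpoch: 1}
	sig := SignManifest(priv, m)
	fmt.Println("valid update:", VerifyUpdate(pub, m, sig, image, 1))
	fmt.Println("tampered image:", VerifyUpdate(pub, m, sig, append(image, '!'), 1))
	bad := m
	bad.HashAlg = "md5"
	fmt.Println("md5 manifest:", VerifyUpdate(pub, bad, SignManifest(priv, bad), image, 1))
	fmt.Printf("credential, epoch 1: %x\n", DeriveCredential([]byte("unit-secret"), 1)[:8])
}
```

The checking order matters: the algorithm name is read only after the signature verifies, otherwise an attacker who can edit the manifest could steer the device into a weak digest before authentication. The provision names only the class of control; the particular signature scheme and allow-list here are the example's choices.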

Though the proposals and guidelines will be detailed later by NIST and related federal agencies (provided the bill passes), it is a safe bet that mandatory IoT security requirements are coming. Through rapid, well-informed investment in advanced labs and a strong R&D base, device manufacturers can position themselves to meet the current and future security requirements of this fast-growing industry. Alternatively, they can partner with IoT security solution companies that provide in-depth security assessments and evaluations of IoT products, allowing them to identify and address vulnerabilities before products go to market and helping ensure the company does not become the next big cyberattack headline.