Last week, Director of National Intelligence Daniel Coats testified before the Senate Select Committee on Intelligence (SSCI). Coats discussed a range of topics outlined in the Worldwide Threat Assessment of the U.S. Intelligence Community, including artificial intelligence, the slowdown of Moore’s Law and the Internet of Things (IoT).
According to the report, the widespread incorporation of smart devices into everyday objects is changing how people and machines interact with each other and the world around them, often improving efficiency, convenience and quality of life. However, the report also warns that the deployment of IoT devices has introduced vulnerabilities into both the infrastructure that they support and on which they rely, as well as the processes they guide.
“Cyber actors have already used IoT devices for distributed denial-of-service (DDoS) attacks, and we assess they will continue,” the report stated. “In the future, state and non-state actors will likely use IoT devices to support intelligence operations or domestic security or to access or attack targeted computer networks.”
It should be noted that Coats’ testimony about the IoT comes shortly after the Defense Advanced Research Projects Agency (DARPA) expressed interest in adopting a hardware-based approach to cyber security, with the agency offering preliminary details about a new program dubbed “System Security Integrated Through Hardware and Firmware (SSITH).”
As Network World’s Michael Cooney reports, the program’s goal is to develop new integrated circuit architectures that lack the current software-accessible points of criminal entry, yet retain the computational functions and high performance the integrated circuits were designed to deliver. The program also seeks to develop design tools that would be made widely available to encourage the adoption of hardware-anchored security for both military and civilian systems.
“Security for electronic systems has been left up to software until now, but the overall confidence in this approach is summed up in the sardonic description of this standard practice as ‘patch and pray,’” SSITH program manager Linton Salmon of the Agency’s Microsystems Technology Office explained in a statement quoted by Network World. “This race against ever more clever cyber intruders is never going to end if we keep designing our systems around gullible hardware that can be fooled in countless ways by software.”
More specifically, SSITH plans to address seven classes of hardware vulnerabilities detailed in the Common Weakness Enumeration, including permissions and privileges, buffer errors, resource management, information leakage, numeric errors, crypto errors and code injection. It should be noted that researchers have documented approximately 2800 software breaches that have exploited one or more of the above-mentioned hardware vulnerabilities.
Perhaps not surprisingly, the U.S. Department of Homeland Security (DHS) also recently emphasized the importance of implementing security at the design phase by using hardware that incorporates security features to strengthen the protection and integrity of a device. This includes leveraging computer chips that integrate security at the transistor level – embedded in the processor itself – to provide encryption.
Building hardware that incorporates hardened security features would see devices protected throughout their lifecycle from chip manufacture, to day-to-day deployment, to decommissioning. This can be accomplished with a silicon-based hardware root-of-trust that offers a range of robust security options for IoT devices, including secure connectivity between the IoT device and cloud services.
In addition to implementing security at the design phase, the DHS recommends device manufacturers promote security updates and vulnerability management. To be sure, even when security is included at the very beginning of the design process, vulnerabilities may be discovered in products after they have been deployed. These flaws can be mitigated through patching, security updates and vulnerability management strategies.
Interested in learning more? The full text of “Strategic Principles for Securing the Internet of Things” (PDF) can be downloaded here on the DHS website. Readers can also check out our CryptoManager platform, which creates a trusted path from the SoC manufacturing supply chain to downstream service providers with a complete silicon-to-cloud security solution.