You Will Be Hacked. Be Ready For It
June 23, 2021
When I started the research for this article, I was looking for how OEMs could keep their systems safe from hackers. By the time I finished the research, it became clear to me that my vision was not accurate. You cannot design a system that can’t be breached, unless it’s one that does not connect to the outside world.
The marching orders have now shifted to, “you will get hacked, so be sure to minimize the damage when it does occur.” And of course, you must have a strategy in place to recognize when your system has been compromised.
According to Haydn Povey, the Founder and CEO of Secure Thingz and General Manager of the Embedded Security Solutions division for IAR Systems, “The best tips to stop the hackers are to first make it financially unviable. Second, you reduce the attack surface as far as possible. Third, we have to build systems where compromises are expected, meaning that we must continually patch, upgrade, and test.”
What They’re After
Ransomware is the new reality, and it has been for a while, if you look at the number of ransomware attacks. These attacks don’t get a lot of publicity because of the stigma that’s attached to them. Many who become victims of ransomware prioritize the fact that it could hurt their brand image and reputation, rather than the fact that they’re a victim. The number of individuals and corporations that actually pay the ransom is astounding. And unfortunately, that doesn’t put an end to it. It just tells the hackers that you’re willing to pay, and they often come back more than once.
A typical scenario is that the "bad guys" will enter your system and just sit idly, waiting for the right time to announce their presence. They could also be doing some nefarious things in the background, like downloading databases, etc. In one recent incident, the attackers were able to access the company’s banking information, so when it came time to ask for ransom, they knew just how much they could ask for—down to the penny.
It's nearly impossible to catch experienced hackers because it’s not that difficult to keep your trail untraceable. Even if the IP address could be determined, it’s gone through so many different servers you’d never know where it originated. In addition, use of a roaming address is common.
“The code required to put the ‘hacking wheels’ in motion can be quite simple, written by fresh graduates, even undergraduates, within a week,” says Srinivas Kumar, Chief Product Officer at Mocana. “And the toolkits to do that are readily available. That code will encrypt the target system and put out a red alert saying, ‘I got you. Pay up. Then I'll give you the key to your system.’ It’s as simple as that.”
Reinforcing Legacy Systems
So far, I’ve been referring to systems that we are designing today. But an even bigger problem is what to do about all the systems that are already out there, some that were designed 30, 40, or 50 years ago. Case in point: the Colonial Pipeline. The company’s CEO is on record as saying that the system that was compromised did not employ multifactor authentication. Hence, your typical $100 electronic IoT device is far more secure than the pipeline that serves millions of people. Go figure.
These older systems were not designed to withstand the type of attacks that occur today. And in many cases, there’s not a big desire to spend the millions of dollars needed to shore up these systems—until a hack occurs. And frankly, even if they were, so much of today’s hacking occurs through social engineering, where people steal passwords, or passwords are reused on multiple systems. In other words, we need to be protected from ourselves.
And even for those that are willing to spend to shore up their systems, the platforms are sometimes so massive, with so many different tentacles, that it’s simply impossible to know where every node lies.
Says Ian Ferguson, Vice President at Lynx Software Technologies, “The recent Cybersecurity Bill (passed late last year and updated a few weeks ago) mandates some of these security features, but it didn't go far enough. It’s a good start, but there are still some standard things that critical infrastructure must implement. The bill provides something that industries can align to at the very least.”
“Like what happened in the financial industry some years ago, CEOs need to be held accountable for the quality or lack thereof of the systems that they're in charge of,” adds Ferguson. “That would allow us to look at the issue from both ends—go after the attackers, but also go after the system owners to ensure that the security is adequate.”
The Starting Point
If you’re designing a system today, there is a basic set of rules that should be followed. For example, looking at the Cybersecurity Bill, it offers a guideline as to how to handle authentication and passwords, how they are created and tracked, and whether they are encrypted. Next, take advantage of what’s offered by the CPU vendor, like PSA from Arm, and what’s offered by the Cloud vendor, such as Microsoft’s Azure Sphere, assuming you’re connecting to the Cloud.
Then there are vendors like Mocana, who come in and ensure that everything is done right at the vendor/OEM level, like pre-installing all the proper software. “We make sure that all crypto traffic artifacts, all contents, software, firmware, OS updates, basically everything comes through a supply-chain source where we can track it back to the developer,” says Mocana’s Kumar. “So, it's not just code-signing. When we receive something, there are multiple signatures on it. And everybody involved says, ‘Yes, I touched it, and I signed it, so we can be sure that I didn't tamper with it.’”
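The multi-signature chain of custody described above can be checked mechanically. As an added illustration (not Mocana's code or format; the role names, message layout and the choice of Ed25519 are assumptions), each party signs the artifact digest plus all earlier signatures, and the verifier rejects the artifact unless every required party signed, in order:

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/sha256"
	"fmt"
)

// message binds signer name, artifact digest and all earlier signatures together.
func message(signer string, artifact []byte, earlier [][]byte) []byte {
	s, d := sha256.Sum256([]byte(signer)), sha256.Sum256(artifact)
	return append(append(s[:], d[:]...), bytes.Join(earlier, nil)...)
}

// Endorse appends signer's "I touched it, and I signed it" to the chain.
func Endorse(chain [][]byte, signer string, priv ed25519.PrivateKey, artifact []byte) [][]byte {
	return append(chain, ed25519.Sign(priv, message(signer, artifact, chain)))
}

// Verify demands a valid signature from every required party, in order.
func Verify(chain [][]byte, artifact []byte, required []string, trusted map[string]ed25519.PublicKey) error {
	if len(chain) != len(required) {
		return fmt.Errorf("got %d endorsements, need %d", len(chain), len(required))
	}
	for i, signer := range required {
		pub, ok := trusted[signer]
		if !ok || !ed25519.Verify(pub, message(signer, artifact, chain[:i]), chain[i]) {
			return fmt.Errorf("step %d: no valid signature from %q", i, signer)
		}
	}
	return nil
}

// Demo builds a constructed three-party chain using throwaway keys.
func Demo(artifact []byte) ([][]byte, []string, map[string]ed25519.PublicKey) {
	roles := []string{"developer", "build-server", "oem-release"} // hypothetical roles
	chain, trusted := [][]byte(nil), map[string]ed25519.PublicKey{}
	for _, r := range roles {
		pub, priv, _ := ed25519.GenerateKey(nil) // nil selects crypto/rand
		trusted[r], chain = pub, Endorse(chain, r, priv, artifact)
	}
	return chain, roles, trusted
}

func main() {
	chain, roles, trusted := Demo([]byte("fw-1.0 (constructed)"))
	fmt.Println("intact:  ", Verify(chain, []byte("fw-1.0 (constructed)"), roles, trusted))
	fmt.Println("modified:", Verify(chain, []byte("fw-1.0 (modified)"), roles, trusted))
}
```

Because each signature covers the ones before it, dropping or reordering a step invalidates every later endorsement, which plain code-signing by a single key does not give you.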
No one said security was going to be easy. But it is necessary.