Before anything, it is critical to understand what is at stake, economically, technically, reputationally and what needs to be done regarding security. This is the objective of a Security Assessment and it needs to be conducted end-to-end, from chip to cloud and at all levels of the ICT infrastructure of connected devices and services; at the chip, device, systems, edge and cloud levels.
It is critical to define the security requirements
It is first important to follow a proper security methodology. This is obviously not the case for many of the connected systems affected by reported attacks, probably because the security issues were not taken seriously enough. Many acceptable security methodologies exist. Yet, a proper security methodology should at least involve a proper Risk Analysis including the identification of assets and a study of the risks inherent to the architecture and associated functionalities for the expected usage environment.
Such a risk analysis should lead to the definition of primary and secondary assets with associated security properties (integrity, confidentiality, availability, etc.). It should also lead to the identification of attackers’ profile, of threats, of assumptions on the usage environment, of organizational and technical security objectives for the intended usage. The outcome is an assessment of all applicable risks, and the definition of a targeted resistance level commensurate with those risks and the potential business models for attackers.
It should typically be followed by the definition of product security requirements. When such a proper security methodology is followed both the security architect and the development team have a clear framework with proper objectives and requirements to perform and guide their work as well as a way to assess the adequacy of their solution to the security context.
Remote attacks: an attractive business model for hackers
In the case of the Internet of Things (IoT) and Cyber Physical Systems (CPS) where (massive) remote attacks are the most critical ones, following such a methodology almost always leads to distinguishing two phases in an attack.
1. The identification phase
where the attack is identified and prepared
2. The exploitation phase
which corresponds to the use of the analysis, data, technique and tools defined during the first phase.
The investment that can be reasonably made by attackers in the first phase is much higher, leveraging on sophisticated tools, than the investment that can be reasonably applied to each single device in the second phase. Even when attacks require a substantial investment (>1M$) during the identification phase, there are very attractive business models for hackers for exploiting remotely vulnerabilities of connected systems in the case of IoT and CPS systems