How to secure-by-design
As a pre-requisite to defining security-by-design requirements, a Security Assessment has to be performed in order to define what needs to be done for the product’s security. The product should then be designed and pre-configured with functionalities that are based on well-established security practices and that are reduced to the strict minimum required for system operations. Another important aspect, is that security need to be integrated at every stage of the product’s development, covering the entire product life-cycle (Security-life-cycle) starting from its design and ending with its disposal, as opposed to adjusting or adding security features afterwards.
The anatomy of remote attacks
In the case of the Internet of Things (IoT) and Cyber Physical Systems (CPS) where (massive) remote attacks are the most critical ones, the security-by-design requirements will be guided by the different phases of attacks:
The identification phase
When addressing the identification phase of the attack, security architects and developers will have to consider potentially sophisticated physical attacks. Technologies and know-how to resist to such attacks are widely available and, in the end, the only issue is cost. So, the main strategy will be to keep to the very minimum the number of assets that need to be protected against sophisticated and expensive hardware attacks, and/or to minimize their value for attackers. Secure elements, HSMs and cryptographic processors can be used for that purpose, provided that the list of assets has been brought down to a few (root) secrets and keys that only need to be stored, and used to perform cryptographic operations. Even more important is to build a security architecture that reduces the value of assets by ensuring in particular that if such assets are compromised during the identification phase on one device, they cannot become key in performing the exploitation attack on a large number of remote devices. Once the problem of resistance with respect to the identification phase has been properly handled, physical attacks don’t have to be considered anymore, besides side-channel attacks that can be addressed by using state-of-the-art know-how and technologies.
The exploitation phase
When addressing the exploitation phase of the attack, protection against logical attacks becomes the main challenge, and this is quite new. Resisting to logical attacks indeed has been until recently the easy and marginal part of the security challenge. This is because the hardware components to secure were both very small and had very small attack surfaces. But this situation is radically changing, mainly due to the much larger attack surface exposed by IoT and CPS products and situations where assets that need to be protected are not just virtual, but also physical: goods, infrastructures, lives, etc. In effect, an analysis of the attacks reported in conferences and in the press shows the ever-increasing importance of logical attacks. Hackers typically exploit errors (in the large sense) to break into systems: low-level implementation bugs, protocol or specification flaws, design, configuration or initialization errors, violations of organizational security policy, etc.
Build on trust with a robust TCB
In the face of protecting against logical attacks, and in order to limit the risk of vulnerabilities, security architects and developers will have to design their connected products with a Trusted Computing Base (TCB) that need to be well identified, as small as possible and made-up of components that can really be trusted.