Joerg Borchert, vice president of chip card and security ICs at Infineon Technologies North America, will take the stage at ESC Boston later this month to deliver a message to embedded systems designers: you are in an arms race with potential attackers.
Borchert, who will deliver a keynote address at the conference on Sept. 27, said he will provide details about what types of attacks can be done physically to microcontrollers today, based on his experience in microcontroller security, and talk about some of the ways embedded systems designers can go about mitigating risk. But while Borchert is a proponent of certain techniques, he stresses that no approach to security is bulletproof.
Borchert said his talk will touch on two prominent cyber attacks against embedded systems that resulted in physical damage. The most prominent of these is the Stuxnet computer worm, believed to have been created by elements of Israeli defense forces with possible involvement by the U.S., which caused significant damage to Iran's nuclear program. The second attack Borchert plans to touch on is an alleged 1982 attack on a natural gas pipeline in the Soviet Union which resulted in an explosion (some dispute exists about whether this attack, allegedly orchestrated by the U.S. Central Intelligence Agency, actually occurred). Both attacks used vulnerabilities in supervisory control and data acquisition (SCADA) systems, which control a lot of infrastructure worldwide, Borchert said.
Assuming that the 1982 attack actually occurred, we've been living for 30 years in an era when cyber attacks have the potential to commit actual physical sabotage to equipment, Borchert said.
"Stuxnet is something which used a controlled system which was in place for quite some time," Borchert said. "We have lived under the impression that the industrial control systems are detached from the PC world and are pretty controllable. As has been proven in the past five to six years, this is not the case. Designers have to think about how to mitigate possible attacks in their systems."
Borchert stressed that designers must obviously consider the risks involved with potential attacks on their systems when implementing security. "If the washing machine controller is getting attacked, I would say that the risk is relatively limited," he said. "If we are talking about control systems for water supply or gas supply, then it is a different equation."
One relatively straightforward approach to mitigating the potential attacks is to incorporate security controllers, which act as a kind of watchdog, overseeing the system's integrity while it is in operation, Borchert said (Infineon markets security controllers). But he stressed that such ICs, while mitigating risk, are not a magic bullet. Embedded systems can be in operation for 20 years or more, and technology is always evolving, he said.
"There is no absolute security," Borchert said. "We are in a race with attackers."
Borchert classifies attackers in four different classes—students, IP companies who identify system vulnerabilities in order to sell IP, organized crime, and state-sponsored attackers. Of these, the second two are the ones to worry about, Borchert said. "We are in a constant arms race with attackers," he added.
Though the sophistication of attacks is constantly increasing, Borchert believes it is possible to design embedded systems that will remain at relatively low risk of attack even if they will be in service for more than two decades by making them security upgradable.
"The principles of attack basically stay the same," Borchert said. "If you apply computer security principles and take embedded software into consideration, you have a chance to stay ahead of the game." ESC Boston, the East Coast version of the embedded world's twice-yearly event, will take place Sept. 26 through 29 at the Hynes Convention Center in Boston.
Pffffffffft! The ONLY reason for such vulnerabilities is for the "convenience" and/or economic gain of those designing such equipment or software for it. If a device merely provides data when requested by an authorized requestor, and merely saves data when provided by an authorized source, and never allows updating its software/firmware without physical interaction by an operator, only receiving such updates from a local source of such data... At that point the device is truly secure, and the only holes in that security are present through indirect attacks via data storage devices used for program transfer. A simple, non-published and non-standard, program update interface will take care of preventing any but internal personnel access to the code for purposes of attack. What is so hard?
Oh, you say "Updates can't be done via the internet!"? I say GREAT!!! I don't want my toaster, microwave, oven, hot water heater, solar electric power controller, etc. (or ones I might design with your design tools) to EVER be subject to such issues. I am willing to pay postage/shipping to ensure that I get only updates originating from my equipment manufacturer. And, if updates are extremely critical, there is overnight shipping.