building resilience
The Cyber-Digital Battlefield: Part 4
Building Resilience in
Critical Infrastructure Building Resilience in Critical Infrastructure

The rise of DevSecOps

Just as human intelligence works most securely when information is handled on a need-to-know basis, the intelligent edge will be most resilient if a single part of the system can’t take down everything.

Security matters, but protecting against attackers will never be enough to create a resilient system. Secure by design is a methodology for creating computer applications or systems in which all aspects of the software are inherently developed in a way that makes it difficult or impossible for a malicious user to damage, attack, or compromise a system. There is a movement among software developers now to incorporate information security with agile software development — a marriage of DevOps and InfoSec known as DevSecOps.

DevSecOps means shifting security to the left by making it a part of the development process, not something to be tested at the end or buried in a report of suspected vulnerabilities. It starts with an assumption that bad actors will find a way to attack the system, so why not attack it from every angle first to expose the weak points and assess the chaos that could be possible? And then keep exploring. “Looking at your infrastructure and code from the viewpoint of an attacker allows for a better security understanding of the weaknesses and strengths of an application, service, data center, and cloud,” says Ian Allison, an information security veteran who put together a Red Team to attack everything, without restriction, at a major corporation — as long as they stopped short of taking down production. “A real-world attacker couldn’t care less about scope. Attackers don’t discriminate between production and quality assurance and [testing], so neither should we.”

Because attacks are inevitable — and real-life attackers would not stop short of taking down production — developers should seek to minimize, contain, and repair any damage an attacker could do. Defense is often handled by a Blue Team (a term borrowed from the military). To build resilience, systems should be built for continuous development and updatability, not only to patch vulnerabilities and repair damage but also to add functionality and improvements.

For mission-critical systems, this is more than a lofty goal. Shutting down the power grid or a car in motion for a software update is not a viable option. Ultimately, updates should occur with no loss of function, as they did in a recent experiment in which a fighter jet — a large system with many controls running on different platforms on multiple clouds — was updated with new capabilities while it was in flight. “That’s the model we’re aiming for: to update dynamically without undermining security,” explains Thompson.

Of course, that is easier said than done. One of the biggest problems with many edge devices is their lack of updatability. Many industrial and healthcare system controls, for example, were never meant to be connected outside of a closed network and are rife with vulnerabilities. Too many “smart” consumer products were not built with security in mind, including those that were designed to connect to the internet. Engineering systems might have a single password that gives anyone who knows it (disgruntled employees, contractors, spies) the ability to control earth-crushing equipment, in the field or remotely. And many IoT devices must be updated physically, even if they are in isolated locations — or they are simply not updatable at all.

flight
Updates should occur with no loss of function, as they did in a recent experiment in which a fighter jet — a large system with many controls running on different platforms on multiple clouds — was updated with new capabilities while it was in flight.
“Security requires an offensive mindset; you have to think like an attacker. Most of us are taught from a very early age to think inside the box and to be a good citizen. That’s why you have to hire hackers to stress-test your system. Then, you have to figure out how to limit the potential damage they could do.”
 
—Irby Thompson
VP, Security Product Sales
Wind River
Irby Thompson

Why? Many of the developers who built these systems — especially older systems — never contemplated that anyone would want to attack them, or they did not understand the implications of interconnecting equipment with critical systems over the internet, without the security layers of an enterprise system. “Security requires an offensive mindset; you have to think like an attacker,” says Thompson. “Most of us are taught from a very early age to think inside the box and to be good citizens. That’s why you have to hire hackers to stress-test your system. Then you have to figure out how to limit the potential damage they could do.”

The intelligent edge is driving new thinking in security and changing the way some traditional security measures can be deployed:

Why? Many of the developers who built these systems — especially older systems — never contemplated that anyone would want to attack them, or they did not understand the implications of interconnecting equipment with critical systems over the internet, without the security layers of an enterprise system. “Security requires an offensive mindset; you have to think like an attacker,” says Thompson. “Most of us are taught from a very early age to think inside the box and to be good citizens. That’s why you have to hire hackers to stress-test your system. Then you have to figure out how to limit the potential damage they could do.”

The intelligent edge is driving new thinking in security and changing the way some traditional security measures can be deployed:

“Security requires an offensive mindset; you have to think like an attacker. Most of us are taught from a very early age to think inside the box and to be a good citizen. That’s why you have to hire hackers to stress-test your system. Then, you have to figure out how to limit the potential damage they could do.”
 
—Irby Thompson
Security Product Sales,
Wind River
Irby Thompson

Walled Garden

Limiting access is the oldest form of cybersecurity, and perhaps the most effective. A system that runs on a closed network can be tampered with only by someone who has physical access to the hardware or data stores. But the kind of closed system that many traditional military and enterprise systems relied on for security will not be possible for a distributed intelligent edge system. Moving computing, analysis, and action to the edge presents very different challenges to security than does a traditional enterprise system. Limiting access to systems and protecting hardware as well as data all become more crucial. A walled garden — a system purpose built to work within an enclosed network — lends itself to a more holistic security approach, says Thompson. This is not possible for every application. But it is an approach that should be considered for critical systems.

Encryption

While cryptographically protecting data at rest and in motion has become commonplace for military embedded systems that could fall into enemy hands, one vulnerability persists: the security of data or code as it's moved into and used within working memory.

Data is a strategic asset. The DoD Data Strategy report released on September 30, 2020, underscores how the integration of real-time data from all of the U.S. armed services and coalition partners will drive greater operational intelligence and more timely and accurate responses for all military operations. “To enable this change, the Department is adopting new technologies as part of its digital modernization program — from automation to artificial intelligence (Al) to 5G-enabled edge devices,” wrote David L. Norquist, past U.S. deputy secretary of defense, in the report. “However, the success of these efforts depends upon fueling this digital infrastructure in a secure manner with the vast flows of data available from external sources, DoD systems, and connected sensors and platforms. Adversaries are also racing to amass data superiority, and whichever side can better leverage data will gain military advantage.”19

Communication security (43%) and data encryption at rest (41%) are already the most widely used techniques for securing IoT solutions, according to a survey by the Eclipse Foundation.20 But, as with continuous software security, encryption will become more dynamic with the intelligent edge. There are opportunities for encryption at every stage of edge processing and for data in motion between devices. The benefits must be measured against any loss in performance. Hardware encryptors are most effective, but they are expensive to develop. Another solution: Create layers of encryption throughout the system.21

While cryptographically protecting data at rest and in motion has become commonplace for military embedded systems that could fall into enemy hands, one vulnerability persists: the security of data or code as it's moved into and used within working memory.

Data is a strategic asset. The DoD Data Strategy report released on September 30, 2020, underscores how the integration of real-time data from all of the U.S. armed services and coalition partners will drive greater operational intelligence and more timely and accurate responses for all military operations. “To enable this change, the Department is adopting new technologies as part of its digital modernization program — from automation to artificial intelligence (Al) to 5G-enabled edge devices,” wrote David L. Norquist, past U.S. deputy secretary of defense, in the report. “However, the success of these efforts depends upon fueling this digital infrastructure in a secure manner with the vast flows of data available from external sources, DoD systems, and connected sensors and platforms. Adversaries are also racing to amass data superiority, and whichever side can better leverage data will gain military advantage.”19

Communication security (43%) and data encryption at rest (41%) are already the most widely used techniques for securing IoT solutions, according to a survey by the Eclipse Foundation.20 But, as with continuous software security, encryption will become more dynamic with the intelligent edge. There are opportunities for encryption at every stage of edge processing and for data in motion between devices. The benefits must be measured against any loss in performance. Hardware encryptors are most effective, but they are expensive to develop. Another solution: Create layers of encryption throughout the system.21

As with all aspects of security, encryption will be an ongoing battle as 5G and the IoT create more dispersed systems, generating greater quantities of data. At the same time, new cognitive and quantum computing capabilities can be weapons for any side with the means to deploy them. “Analysts from the National Institute of Standards and Technology (NIST) believe quantum computing will render current encryption methods useless within 15 years, so it’s not surprising DARPA (Defense Advanced Research Projects Agency) put its focus here,” says Shomo. DARPA has solicited “innovative research” around IoT cryptography through a program called Cryptography for Hyper-scale Architectures in a Robust Internet of Things (CHARIOT). “DARPA initiatives include boosting the human ability to recognize and hunt threats at scale, and more exotic AI advances,” Shomo explains.22

Will long-lived hardware be defensible against advances in computing capabilities? “Being single-use hardware, IoT devices may be deployed long after vendors cease patching vulnerabilities,” points out Shomo. “IoT encryption needs to hold up for decades.”23

Digital-first engineering

Three global aviation experts discuss how the Future Airborne Capability Environment (FACE™) can help ensure system safety as military airborne systems digitally transform.

Building something as complex as an aircraft has always been an iterative process of designing, building, testing, modifying, and testing some more. It is now possible to model everything digitally and create a very high-fidelity simulation to demonstrate how the system will function. “Digital-first engineering allows something like a plane or a ship or a missile to be constructed and tested digitally — including for potential threats. Then, in operation, a digital twin can run in parallel to test new functionality and modifications before deploying in the physical world,” explains Thompson.

Decommissioning

In the wrong hands, an unprotected embedded device can become a gateway into an edge system. When hackers gain physical access to a device, they can pull out the source code, reverse-engineer it, and figure out how to control other devices that run on the same software or network. Whenever a drone crashes in hostile territory or a sea vessel or aircraft is dismantled by another country, sensitive technology is compromised. Any device that is part of a mission-critical system, runs on sensitive code, or contains intelligence that could be compromised should have a destruct feature that would render it useless if it fell into the wrong hands.

A key part of a security policy is the ability to decommission a device that is no longer serving its purpose — before it can be reverse-engineered. This can be achieved through tamper-proofing measures or by establishing a means to wipe sensitive software or connectivity from the device, turning it into a brick so there’s nothing there to reverse-engineer. Decommissioning should be planned for and enabled at the design stage.

Three global leaders discuss how the Future Airborne Capability Environment (FACE™) can help ensure system safety as military airborne systems digitally transform.

Building something as complex as an aircraft has always been an iterative process of designing, building, testing, modifying, and testing some more. It is now possible to model everything digitally and create a very high-fidelity simulation to demonstrate how the system will function. “Digital-first engineering allows something like a plane or a ship or a missile to be constructed and tested digitally — including for potential threats. Then, in operation, a digital twin can run in parallel to test new functionality and modifications before deploying in the physical world,” explains Thompson.

Decommissioning

In the wrong hands, an unprotected embedded device can become a gateway into an edge system. When hackers gain physical access to a device, they can pull out the source code, reverse-engineer it, and figure out how to control other devices that run on the same software or network. Whenever a drone crashes in hostile territory or a sea vessel or aircraft is dismantled by another country, sensitive technology is compromised. Any device that is part of a mission-critical system, runs on sensitive code, or contains intelligence that could be compromised should have a destruct feature that would render it useless if it fell into the wrong hands.

A key part of a security policy is the ability to decommission a device that is no longer serving its purpose — before it can be reverse-engineered. This can be achieved through tamper-proofing measures or by establishing a means to wipe sensitive software or connectivity from the device, turning it into a brick so there’s nothing there to reverse-engineer. Decommissioning should be planned for and enabled at the design stage.

“There is a chasm in security standards between military systems and commercial systems,” says Thompson. He believes that market forces alone will not be enough to secure critical infrastructure, because there is remarkably little liability when things go wrong in the private sector. “Security always seems to lag, because new technologies come out before all the ramifications have been really thought through and analyzed,” he says. “But we can’t afford to have another country own our networks.”