With reputational, financial and operational implications, Joe Pennisi, President and Chairman, Trusted Computing Group stresses the need for cyber resilience
When it comes to attacks, cybercriminals are not only getting smarter, but bolder. Hackers are increasingly taking control of connected technologies such as cameras, microphones, and GPS-enabled devices used in homes and offices, and weaponising them for their own benefit.
In 2023, for example, the BBC uncovered major flaws within Hikvision and Dahua security cameras used by public bodies across the United Kingdom. These vulnerabilities could be exploited by hackers to monitor people or government buildings, or even be used as a trojan horse to wreak havoc on critical infrastructure such as power supplies and transport networks.
In recent years we have continued to see malicious actors access everything from electric vehicle chargers to rail communication equipment, all while engaging in GPS jamming and smart television hacks. Even consumer devices aren’t safe – in 2019, the European Union (EU) recalled a smart watch designed for children over concerns about its cyber resilience. Given the nature of the devices at risk, the need for stronger security has never been greater.
Small and large scale threats
These attacks can inflict serious financial, reputational and operational damage on victims. A single successful attack costs medium-to-large businesses £10,830 ($14,466) on average, but if sensitive data is also accessed, it can lead to further attacks on entities linked to the business, including employees, customers, and any other companies within its supply chain. If a business is connected to critical infrastructure such as an energy grid, hackers can take control and switch it off in an instant, putting lives at stake.
It’s at this point that many users and businesses turn to expensive cybersecurity software and platforms to protect their devices. These can help, but they are not the ‘does it all’ solutions many believe them to be. At the same time, there remains a significant skills shortage in cybersecurity: 92% of cybersecurity professionals have reported proficiency gaps within their organisations.
The need for trusted computing
To establish the core, foundational elements of cybersecurity, the concept of trusted computing must be adopted. This refers to the latest international standards, specifications, components and technologies designed to make devices more secure – whether through hardware upgrades or software modifications. Devised by standards organisations like the TCG, trusted computing provides assurance that computers only boot up and operate in a predictable manner, ensuring an environment in which data can be authenticated and used safely.
Though technology continues to evolve, trusted computing should remain ever-present. The initial standards and specifications designed for computers have now expanded to cover the wide range of connected devices found today. Over two billion devices now use a Trusted Platform Module (TPM) – the cornerstone of trusted computing – which provides the initial building blocks required for a device to attest its health and for a system to be trusted. However, as attacks grow and the availability of skilled professionals remains limited, vendors need not only a strong line of defence, but also the means to recover if an attack is successful. Enter CyRes!
Resist and recover
As the name suggests, the ‘Cyber Resilient Module and Building Block Requirements (CyRes)’ specification is focused on the implementation of cyber resilience. Devices are made up of numerous firmware layers and smart components, many of which may have vulnerabilities that hackers can potentially exploit. To overcome this issue, CyRes defines a set of essential building blocks so that devices can remain secure in the event of an attack.
The specification also introduces the concept of the Cyber Resilient Module. Within IoT technologies, this usually takes the form of an integrated system on a chip, and – if a device is successfully breached – provides the capabilities necessary to recover to a trusted state successfully.
Recovering compromised IoT devices often involves manual intervention. For instance, new authentic firmware may need to be reloaded onto a compromised device after an attack. This may be loaded from an external storage device or a secondary computer system, and the manually repaired device must subsequently be rejoined to a network service using passwords or other credentials. However, the continued growth of the IoT has multiplied the number of deployed devices, many of which run the same imperfect software. This makes manual recovery or repair an almost impossible task at scale, owing to the sheer number and variety of devices that are either physically inaccessible or lack the interface required for manual use.
Of course, there are a number of enterprise-class technologies capable of remote device management, and some of these may include recovery-as-a-service. Yet many of them remain unsuitable for the majority of IoT devices, owing to limitations in cost, form factor, and power requirements. This is what makes specifications like CyRes so vital – they eliminate the need for manual intervention, yet can be implemented with limited resources.
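As an added illustration (not part of this article or of the CyRes specification itself), the following Python sketch models the automated resist-and-recover loop the last two paragraphs describe: a protected recovery module measures the installed firmware, restores a pinned golden image when the measurement fails, and rejoins the network with a stored credential, so only devices whose protected copy is also bad are flagged for manual repair. The golden image, digest, enrollment key and the `network_verify` service are all constructed stand-ins.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Constructed sample data (not real firmware): a golden image, its SHA-256 digest and a
# per-device enrollment key, all pinned in the module's protected storage at manufacture.
GOLDEN_IMAGE = b"firmware-v1.0 (constructed sample image)"
GOLDEN_DIGEST = hashlib.sha256(GOLDEN_IMAGE).hexdigest()
REJOIN_KEY = b"constructed-per-device-enrollment-key"

@dataclass
class Device:
    device_id: str
    firmware: bytes            # mutable storage an attacker could overwrite
    status: str = "unknown"
    joined: bool = False

def network_verify(device_id: str, firmware: bytes, proof: str) -> bool:
    """Constructed stand-in for the network service: admits the device only if the
    HMAC proof is valid and the image it reports hashes to the golden digest."""
    expected = hmac.new(REJOIN_KEY, device_id.encode() + firmware, "sha256").hexdigest()
    return hmac.compare_digest(expected, proof) and hashlib.sha256(firmware).hexdigest() == GOLDEN_DIGEST

class RecoveryModule:
    """Stands in for the Cyber Resilient Module: read-only golden image, pinned digest
    and the credential needed to rejoin, kept out of reach of the main firmware."""
    def __init__(self, golden: bytes, digest: str, key: bytes):
        self._golden, self._digest, self._key = golden, digest, key

    def attest(self, dev: Device) -> bool:
        measured = hashlib.sha256(dev.firmware).hexdigest()   # measure installed image
        return hmac.compare_digest(measured, self._digest)

    def recover(self, dev: Device) -> bool:
        """Resist-and-recover loop: measurement fails -> restore golden image -> rejoin."""
        if self.attest(dev):
            dev.status = "healthy"
        else:
            dev.firmware = self._golden                   # restore from protected storage
            dev.status = "restored"
            if not self.attest(dev):                      # golden copy itself is bad
                dev.status = "manual intervention required"
                return False
        proof = hmac.new(self._key, dev.device_id.encode() + dev.firmware, "sha256").hexdigest()
        dev.joined = network_verify(dev.device_id, dev.firmware, proof)
        return dev.joined

def fleet_recovery(devices):
    """Run the loop over a whole fleet; returns the ids that still need manual repair."""
    module = RecoveryModule(GOLDEN_IMAGE, GOLDEN_DIGEST, REJOIN_KEY)
    return [d.device_id for d in devices if not module.recover(d)]
```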
Protecting the device ecosystem
Through the baseline set of measures afforded by CyRes, vendors can manufacture IoT devices that are not only resilient but recoverable, with minimised cost, power consumption and hardware requirements. With billions of connected devices found across the world, this is no easy feat!
The beauty of standards and specifications is that they are constantly being enhanced. Resiliency will be maintained over the coming years because the CyRes document is – and will continue to be – structured so that other architectures and platform-specific requirements can be added to it in the future. This means that, as dependence on technology grows, the cyber resilience provided through CyRes will continue to prove critical for the future security of all interconnected devices and systems.
Author: Joe Pennisi, President and Chairman, Trusted Computing Group