The world is moving towards Blended Reality[1], where the physical and the digital worlds are increasingly becoming one. While the economy and society are adopting this new approach, from healthcare to manufacturing, transportation to the home environment, agriculture to critical utility infrastructures, devices are becoming the cornerstones of the new world and cybersecurity.
Attacks on devices are growing and becoming more destructive
As a manufacturer of devices, HP believes that securing the existing and future edge devices is the key to unlock the true potential of a Blended Reality world. The importance of edge devices is growing, and so is the attention they are getting from hackers. In addition to espionage, theft and misinformation, we see an increasing trend towards destructive attacks. Since the 2012 destructive Shamoon computer virus, which shut down the network of oil giant Saudi Aramco, caused millions of dollars in damage, wiped or destroyed 35,000 computers and made headlines for its unprecedented effectiveness, the trend has continued to expand. One example is the Mirai virus that quietly compromised thousands of IoT devices and then used a botnet to create extremely large-scale distributed denial of service (DDoS) attacks. In 2017, a wave of ransomware attacks encrypted data on PCs. There were also versions of the malware that went a step further by corrupting firmware and rendering PC hardware inoperable [2]. Finally, in Oct 2018, the world saw a UEFI rootkit, LoJax, used in a real-world attack [3]. This rise in firmware attacks is particularly worrying. Undetectable by security software, these attacks target the software embedded in hardware and, if successful, provide an attacker with control over an entire system. If they take a destructive form, they can disable hardware devices and render them inoperable on a large scale. This new trend undermines a safe evolution towards Blended Reality and calls for coordinated efforts. Hardware provides the foundation for more robust mechanisms that the OS and security-critical software can rely on. This is why security needs to be designed and built in from the beginning and from the hardware up.
Need for more awareness of device security in organisations and consumers
Two things are needed. One is that the industry should improve the way it manufactures devices to make them more secure. When new products reach the market with gaping vulnerabilities, poor security design or poor management can open a whole network to attack. The second is that purchasers – be they organisations or consumers – should be more aware of the cyber-risks related to devices and the latest industry solutions.
Governments have a special role to play. Until recently, government agencies, which may be strapped for budget, sometimes put more focus on the cost and ergonomic factors of devices than on integrated security features. They are increasingly realising the importance of device security at the deepest level and designing policies to incentivise industry to act. For instance, the European Union Cybersecurity Act (European Commission, 2017[4]) aims at ensuring minimum levels of security for connected devices through voluntary certification schemes. These schemes might become mandatory requirements for access to the European market in the future.
Cyber-resilience should be the keyword for the future
Even the security profession is accepting the axiom that given enough resources, an attacker will eventually be successful. This means that manufacturers and purchasers of devices should aim for connected objects that are designed not only with security protections, but also with mechanisms that detect protection faults and help recover devices or infrastructure to a good state. Design for cyber-resilience is meant to ensure that devices are not only built with protections, but also with reliable mechanisms to detect successful attacks, and recover from them. This model should be deployed in edge devices to ensure they are not the weakest link in the Blended Reality world. Cybersecurity for Blended Reality[5] can only be addressed comprehensively by working in partnership with others. Multiple security mechanisms need to be embedded in the deepest level of computing devices and infrastructures to offer resilience against cyberattacks.
AUTHOR
Giulia Pastorella, PhD. Giulia is Cybersecurity and Data Policy Lead in HP’s Government Relations Global Strategy Program. Based in Brussels, she has been with HP since 2015, being responsible for Government Relations in the UK, Italy and the EU. She works closely with HP Labs in Bristol doing cybersecurity research. Before joining HP, Giulia worked in public affairs in a variety of sectors, including think tanks. She holds a PhD and Master’s degree from the London School of Economics in European Affairs and a Bachelor of Arts from Oxford University in Philosophy and Languages. Giulia was nominated one of the Forbes 30 under 30 most influential people in Europe for policy.
[1] ‘Blended reality’ is a term first used by the futurist think tank, the Institute for the Future (IFTF). The IFTF envisioned it as a tech-enabled sixth sense, which will be worn or maybe even implanted into our bodies and interfaced with our computers.
[2] NotPetya, for instance, was seeking to disable systems below the Operating System by compromising HDD partition tables needed by the firmware to find the Operating System.
[3] LoJax. For more information, see http://www8.hp.com/h20195/v2/getpdf.aspx/4AA7-4019ENW.pdf
[4] European Commission (2017). Proposal for a REGULATION OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL on ENISA, the “EU Cybersecurity Agency”, and repealing Regulation (EU) 526/2013, and on Information and Communication Technology cybersecurity certification (“Cybersecurity Act”). Retrieved from: http://www.europarl.europa.eu/RegData/docs_autres_institutions/commission_europeenne/com/2017/0477/COM_COM(2017)0477_EN.pdf
[5] You can find more about HP’s vision of Security innovation for a safer cyber-physical future here:
https://www8.hp.com/us/en/hp-labs/innovation-journal-issue5/security-for-blended-reality.html