Developing effective hardware and software COTS security technologiesStory
August 17, 2016
The armed forces of the United States and its allies around the world rely on critical military technology that is under constant threat. These threats range from the reverse-engineering of systems lost on the battlefield to the accidental introduction of counterfeit components on the factory floor. In response, commercial off-the-shelf (COTS) suppliers are more frequently being called upon to help users address rapidly expanding requirements for anti-tamper (AT) and cybersecurity or information assurance (IA) capabilities.
Effective mitigation of threats to critical systems requires the development and implementation of advanced, industry-leading technologies and techniques, which for obvious reasons, the specifics of these security strategies and techniques cannot be described in detail. In order to provide the reader with a useful introduction and high-level overview to contemporary AT and IA techniques, it is possible to discuss, at an appropriately high level, some of the ways in which COTS hardware might come under attack and provide an outline of some of the methods that are available for protecting against such intrusions.
Defense in depth
The most effective approach for implementing AT and IA technologies to protect deployed COTS systems with a “defense in depth” strategy, implements multiple layers of security to protect CPI (critical program information) at the module and component level. It also ensures that manufacturing is performed in a trusted manner. Today, there are a variety of options for protecting hardware at the device and module level.
Some of these approaches involve techniques that make it possible for the user, at their discretion, to add their own protective measures into the system hardware. To help mitigate against the introduction of counterfeit parts into their system hardware, it’s imperative that users ensure their COTS module supplier’s supply chain is capable of taking an active role in preventing against the presence of counterfeit parts on their modules. The COTS vendor’s supply-chain management should be performed with an approved vendors list, and all suppliers should be subject to audits and able to comply with quality clauses. Also important: ensuring that the COTS vendor’s quality management system (QMS) is appropriately certified.
The unique attributes of secure COTS products demand that when a module is in need of repair or is no longer serviceable, it be handled in a manner that ensures the proper disposition of any CPI on that module. Methods for disposing of the CPI include the use of algorithms to securely erase the module’s nonvolatile memory so that the CPI is permanently removed. There are also methods for handling special components that might contain critical information.
To support any specific and unique customer requirements, the COTS vendor should also be able to support customization in order to add in additional layers of security as needed.
One key element of protecting hardware is being able to identify and then respond effectively to any attack as quickly as possible. Fortunately, a malicious encroachment into the system hardware can result in anomalous conditions that can be identified in real time. Techniques to identify such intrusions may involve the use of integrated sensors, such as temperature and voltage sensors, which are able to recognize any abnormal conditions.
Another malicious technique used to attack system hardware involves the probing of signals that emanate from the module’s electrical traces. One technique used to protect against this attempted violation of data involves burying any sensitive traces – especially those that carry critical data, deep within the PCB substrate – to eliminate an adversary’s ability to analyze and probe them. A module’s input/output (I/O) interfaces can also provide an attractive target for an adversary to attack. Methods have been developed for securing JTAG and serial ports in order to protect a module’s I/O.
To protect against remote attacks on hardware based on Intel’s Xeon processor family, module designers can implement Intel’s Trusted Execution Technology (TXT). This “Measured Boot” technology uses boot code to verify that the correct code is being run on the processor. Security options for Intel, Power Architecture, and ARM processor-based modules also include support for secure boot. To provide protection for data at the chassis or module level, system designers can implement volume protection technologies that enable a module to be physically “surrounded” so that any attempted intrusion is reported and appropriate responses to that intrusion can be triggered.
In addition to protecting hardware at the module and chassis level, a comprehensive approach to data protection also needs to securely store, retrieve, and move data in a system while enabling only authorized access to this data. This requires secure network routers for data-in-motion solutions as well as secure storage for data-at-rest, with support for Type I, FIPS 140-2, FIPS-197, AES-256, and AES-128 encryption.
A flexible approach to next-generation security
When it comes to the protection of CPI, every program and every user is different; there is no one-size-fits-all approach. Effective mitigation against security breaches requires flexibility. COTS vendors need to actively and closely work with users to build in AT and IA capabilities at the module and subsystem level that meet the particular system’s specific requirements. The resulting solution may be based on an existing “building block” approach, or may require a custom module design. For requirements that can’t be satisfied with existing building blocks, those interested should seek a vendor able to provide MCOTS (modified COTS) services to develop new or customized products.
The risk-mitigation techniques described above provide examples of AT and IA strategies we at Curtiss-Wright have implemented via our TrustedCOTS initiative, which takes hardware and software based on standard products then designs in security features that enable those who need protection to implement protection plans for critical technology and data. These products enable users to begin development on standard COTS hardware and software and then move to a secure 100 percent software- and performance-compatible version of the product when they are ready to implement their program-protection requirements.
A moving target
The complex task of protecting CPI against unwanted intrusion presents an engineering challenge that is both ceaseless and ever-evolving. The COTS industry needs to maintain its vigilance and continue the development of sophisticated approaches for protecting critical data from falling into the wrong hands. A multileveled Defense in Depth strategy enables COTS vendors to provide effective mitigation against malicious attacks by leveraging a combination of cost-effective off-the-shelf technologies, specialized data and hardware IP, and custom design solutions. For peace of mind and the highest possible level of confidence, system designers should undergo serious and detailed discussions with their module suppliers to ensure that the best-possible security techniques are available and can be implemented on their critical systems.
Steve Edwards is Director, Secure Embedded Solutions for Curtiss-Wright Controls Embedded Computing. He can be contacted at [email protected].