Cyber-War – Have I Been Attacked?
- Created: Thursday, 13 June 2013
Today we are pleased to have a guest blog on embedded device security from Alan Grau, president of Icon Labs.
In July of 2011, Bloomberg Business Week’s cover story was “Cyber Weapons: The New Arms Race.” Media reports of cyber-attacks by China on military targets and military contractors are frequent and are increasing. It is clear that a cyber-war has begun.
The reported attacks focus on corporate networks, and many are aimed at stealing intellectual property and military secrets. One report details how Chinese hackers stole information relating to the operation of the power grid from a large corporation in the US and Canada.
Large enterprise and DoD networks are protected by sophisticated multi-layer security solutions, including enterprise firewalls, intrusion detection and intrusion prevention systems, and integration with Security Information and Event Management (SIEM) systems. Together, these systems provide robust threat detection, prevention and reporting capabilities. Systems such as McAfee’s Global Threat Intelligence (GTI) system monitor threats worldwide to detect issues such as an endpoint that is communicating with a website that is known to be malicious or that is sending packets to China.
However, embedded devices lack this type of security detection and reporting. Many new embedded systems being developed today include built-in security capabilities such as secure boot, data encryption, security protocols and authenticated logins to protect against attacks. These features provide limited ability to detect and report an attack, or to provide remediation if a device is compromised. A cyber-attack against an embedded device could go completely undetected.
The type of security implemented for enterprise networks requires tremendous computing resources. Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS) run on dedicated servers, frequently using hardware designed specifically for deep packet inspection. Due to their tremendous resource requirements, implementing these functions on an embedded device is clearly not possible with the hardware that is available today. However, integration with SIEM and GTI systems can provide an ability to detect attacks against an embedded device.
An integrated solution provides protection on the RTOS device itself along with situational awareness and integration with security management systems. The RTOS device could report a log of all the IP addresses that it communicates with or receives packets from to a product such as McAfee’s GTI or a SIEM. The SIEM or GTI product can then analyze the communication and detect threats or cyber-attacks. If the embedded device receives a flood of packets from China or another known insecure domain, it will be detected, allowing us to at least know that the device was attacked. This information can be used to adjust security policies, firewall filtering rules, or take other actions to remediate the threat.
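A sketch of the device side of that reporting, as an added example rather than code from Icon Labs or McAfee: a fixed-size peer table that records each remote address cheaply and is flushed periodically as text for the SIEM to analyze. The function names, the table size and the `peer=... pkts=...` line format are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PEER_SLOTS 4             /* assumed table size; tune to device RAM */

struct peer { uint32_t addr, pkts; };
static struct peer peers[PEER_SLOTS];
static unsigned peer_count;
static uint32_t untracked_pkts;  /* packets from peers that did not fit */

/* Call from the packet path with the remote IPv4 address (host byte
 * order). Fixed memory, no allocation, O(PEER_SLOTS) per packet. */
void peer_log_record(uint32_t addr)
{
    for (unsigned i = 0; i < peer_count; i++)
        if (peers[i].addr == addr) { peers[i].pkts++; return; }
    if (peer_count < PEER_SLOTS)
        peers[peer_count++] = (struct peer){ addr, 1 };
    else
        untracked_pkts++;        /* report the gap instead of hiding it */
}

/* Write one "peer=a.b.c.d pkts=N" line per tracked peer and a final
 * "untracked_pkts=N" line, then reset for the next interval.
 * Returns bytes written, or -1 (table kept) if buf is too small. */
int peer_log_flush(char *buf, size_t len)
{
    size_t off = 0;
    for (unsigned i = 0; i <= peer_count; i++) {
        uint32_t a = i < peer_count ? peers[i].addr : 0;
        int n = i < peer_count
            ? snprintf(buf + off, len - off, "peer=%u.%u.%u.%u pkts=%u\n",
                       (unsigned)(a >> 24), (unsigned)((a >> 16) & 255),
                       (unsigned)((a >> 8) & 255), (unsigned)(a & 255),
                       (unsigned)peers[i].pkts)
            : snprintf(buf + off, len - off, "untracked_pkts=%u\n",
                       (unsigned)untracked_pkts);
        if (n < 0 || (size_t)n >= len - off)
            return -1;
        off += (size_t)n;
    }
    memset(peers, 0, sizeof peers);
    peer_count = 0;
    untracked_pkts = 0;
    return (int)off;
}
```

The `untracked_pkts` line matters during a flood from many sources: the table fills, and the SIEM still sees that traffic arrived from peers the device could not itemize.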
Security solutions for embedded devices need to move beyond simply securing the endpoint. Embedded devices need a solution that provides situational awareness and integration with security management, GTI and SIEM systems.