Zero day cyber threats

If a threat directly attacks modern-day chips, is undetectable or infects through a smartphone, perhaps the vulnerability is in the hardware design

By Jeremy Pollard, CET

I finally read something that I have been saying for years now: The Industrial Internet of Things (IIoT) has been around forever. It’s just different now.

Albert Rooyakkers, CTO of Bedrock Automation, mentions in the second installment of Bedrock's white paper series that Moore's law, software and communication standards, along with cyber-threat vectors, are reaching out to embedded-computing industrial edge-device things. It’s the perfect description for anything IIoT.

He was referring to Bedrock’s designed-from-the-floor-up power supply systems. A cyber-threat vector on a typical power supply would be to render the power supply useless. While most power supplies are switching supplies, an injection of physical noise could shut the power supply down.

I remember back in the good ol' days when a power supply could be “bricked” by keying a walkie-talkie in the vicinity of the supply itself. While I am not a power-supply expert, one wonders what attack vectors can be applied to modern-day supplies.

And then, by God’s wish, I get an email on the cyber threat that modern-day chips can present to the systems that they are installed in. These chips from Intel, ARM, AMD and Qualcomm should demand more attention to the hardware design process and the possible effect on the system's cyber-readiness.

The report, prepared for Defense One, a political news site, suggests that the only true mitigation is hardware replacement. While that would help with the employment numbers, it isn’t very practical.

Meltdown and Spectre exploit hardware vulnerabilities in modern-day CPUs, which are used by many industrial-control-system (ICS) manufacturers. These cyber attacks, however, break the software rules by allowing communication between running programs that were previously thought to be running in protected memory. The exploit can bridge between the operating system (OS) and the running applications to gain access to data, including passwords and sensitive data.

While there are patches available in the OS software, this requires the attention of the owner and/or the IT department to be sure that the end points are infected. The worst part is that the exploit is undetectable and could be considered a zero-day threat.
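One way an owner or IT department could confirm that the OS patches are actually active on Linux-based end points, as an added example that is not from the column or from Bedrock: the Linux kernel reports a per-issue status under /sys/devices/system/cpu/vulnerabilities. The host names and status strings in the sample fleet are constructed for illustration.

```python
from pathlib import Path

# Directory where the Linux kernel reports CPU vulnerability status.
SYSFS = Path("/sys/devices/system/cpu/vulnerabilities")
CHECKS = ("meltdown", "spectre_v1", "spectre_v2")

def classify(status):
    """Map one sysfs status line to 'ok', 'vulnerable' or 'unknown'."""
    s = status.strip()
    if s == "Not affected" or s.startswith("Mitigation:"):
        return "ok"
    if s.startswith("Vulnerable"):
        return "vulnerable"
    return "unknown"  # empty, missing, or a format this script does not know

def read_host(root=SYSFS):
    """Read the local status files; a missing file is reported as ''."""
    out = {}
    for name in CHECKS:
        f = Path(root) / name
        out[name] = f.read_text().strip() if f.is_file() else ""
    return out

def audit(fleet):
    """Return {host: [(issue, verdict, raw)]} for every entry that is not ok."""
    findings = {}
    for host, statuses in fleet.items():
        rows = [(n, classify(statuses.get(n, "")), statuses.get(n, ""))
                for n in CHECKS]
        bad = [r for r in rows if r[1] != "ok"]
        if bad:
            findings[host] = bad
    return findings

# Constructed sample: hypothetical hosts, as if read_host() ran on each one.
SAMPLE_FLEET = {
    "hmi-01": {"meltdown": "Mitigation: PTI",
               "spectre_v1": "Mitigation: __user pointer sanitization",
               "spectre_v2": "Mitigation: Retpolines"},
    "scada-gw": {"meltdown": "Vulnerable",
                 "spectre_v1": "Mitigation: __user pointer sanitization",
                 "spectre_v2": "Vulnerable"},
    "plc-edge": {},  # kernel does not expose the status files at all
}

if __name__ == "__main__":
    for host, bad in audit(SAMPLE_FLEET).items():
        for name, verdict, raw in bad:
            print(f"{host}: {name}: {verdict} ({raw or 'no status file'})")
```

A host with no status files is flagged as unknown rather than ok, since a kernel that cannot report its mitigation state is itself a reason to look at that end point.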

Even smartphones are not immune, bringing the BYOD movement into focus. While the beginning attacks are focused on gaining data, future symptoms could very easily include shutting down SCADA nodes and control processes in critical infrastructure, which are controlled by embedded computers that use the CPUs targeted by the malware.

So is Bedrock a pioneer in the field of new hardware design? I think so. But do they suffer from the same issues that most others do? If not, why not?

Bedrock has created a white-paper series explaining its revolution, ranging from an explanation of the (magnetic) backplane and power supplies to cybersecurity fundamentals and securing ICS systems.

Based on my experience in control systems, all was fine until the Internet came into our world. The platforms didn’t need to be redesigned and rethought like Bedrock has done. So, why now?

Lack of legacy allows Bedrock to have a blank canvas, but has the design taken into account such things as Meltdown and Spectre? It has to use standard chips, right?

Something that makes me think that they have really thought out their approach is in the opening paragraphs in the third chapter, “Intrinsic Cyber Security Fundamentals.”

As a preamble, I believe in one-door-to-the-floor, with regard to access. Most current cyber solutions for best practices build a bubble of complex enterprise defenses around an ICS target, which is my rant in my one-door-to-the-floor presentation. It really doesn’t have to be that complicated. It seems Bedrock and I are thinking alike.

It shouldn’t be that hard, but yet it has to be to incorporate all the tools and hooks to make the system impenetrable, if there is such a thing.

The Bedrock approach has been to take all the reasons and ways that existing industrial control systems can be compromised and design them out of the system. With security as the design base, does Bedrock go too far in its design-to-dollars equation?

Based on its current usage, I would say that most don’t care. Users are buying into the secure-by-design mantra and hoping that Bedrock will do some work for them.

I’m still reading the white paper series, and have asked the company a few questions. I will report next column.