Embedded computers can be found in places such as smart home appliances, medical gear, cars, and even facilities such as power plants. And they run software that can be exploited just like any computer, warned Ang Cui, founder and CEO of cybersecurity company Red Balloon. “This is probably the most important cybersecurity threat that we have today because these computers control every single aspect of our critical infrastructure that we depend on every single day,” Cui told CNBC in an interview. The major data breach Target experienced in 2013 was due to malware that was installed on its point-of-sale system. “[The breach] certainly cost Target a great deal of money and a great deal of headache,” Cui noted. “They’re by no means the only company that had to recover from some event like this.” Cui believes the problem is only going to become worse as more embedded devices get produced.
Hardware selection can profoundly affect an electronic system’s ability to withstand cyber threats. Attacks such as those that take advantage of the Rowhammer vulnerabilities inherent in dynamic random-access memory enable malicious actors to subvert system security remotely. Similarly, the Meltdown and Spectre vulnerabilities exploit the side effects of processor pipeline architectures to enable cyber attacks. While many cyber attacks can be mitigated via firmware updates, these fixes may result in unintentional effects, including increasing power consumption and affecting processing or timing, all of which can limit hardware performance.
“By most people’s estimates, we’re going to have about 20 to 25 billion embedded devices in about 15 years,” the expert said. “That is obviously more than one embedded device per person on this planet.” CNBC reported that, earlier this year, Cui’s Red Balloon discovered a critical vulnerability in millions of Cisco devices. The cybersecurity firm announced its findings to the public in May after informing Cisco of the hardware design flaw, which could be remotely exploited to bypass the secure boot process.
Embedded computing systems are also ubiquitous in critical infrastructure, vehicles, smart devices, and military systems. Conventional wisdom once held that cyberattacks against embedded systems were not a concern since they seldom had traditional networking connections on which an attack could occur. However, attackers have learned to bridge air gaps that surround the most sensitive embedded systems, and network connectivity is now being extended to even the most remote of embedded systems. In short, embedded systems are now subject to cyberattacks, either as the end goal of the cyber assailant or as a means to a greater end, and there is a critical need to protect and defend embedded systems in a cyber-context. The mechanisms currently employed to secure embedded systems include development of software using cyber best practices, adapting mechanisms from information technology (IT) systems, and penetration testing followed by patching. Unfortunately, these methods have proven to be generally ineffective.
Because they are deeply entrenched inside critical hardware, these systems can be tricky to safeguard, so cybersecurity and cyber resiliency must be considered at the beginning of the design and architecture process. And although upgrades can boost embedded systems’ cybersecurity, system operators must determine when the potential pitfalls of doing so outweigh the benefits.
Critical systems are built by requirements-based engineering, and it is an accepted axiom of systems engineering that requirements are positive, testable statements about the system—statements on the system’s functional behaviors and non-functional properties, often captured as “shall” statements. This style of engineering has proven to be ineffective in engineering cyber resilient systems because cyber requirements are often statements on what the system should not do, i.e., “shall not” statements.
The goal of CASE is to develop the necessary design, analysis and verification tools to allow system engineers to design-in cyber resiliency and manage tradeoffs as they do other nonfunctional properties when designing complex embedded computing systems. Cyber resiliency means the system is tolerant to cyberattacks in the same way that safety critical systems are tolerant to random faults—they recover and continue to execute their mission function. Achieving this goal requires research breakthroughs in:
- The elicitation of cyber resiliency requirements before the system is built;
- The design and verification of systems when requirements are not testable (i.e., when they are expressed in shall not statements);
- Tools to automatically adapt software to new non-functional requirements; and
- Techniques to scale and provide meaningful feedback from analysis tools that reside low in the development tool chain.
General Electric: GE Researchers Working to Improve Cyber Resiliency of Critical Military and Industrial Systems
GE Research, the central technology development arm for the General Electric Company (GE), today announced it is leading an up to $4.9 million project through the Defense Advanced Research Projects Agency’s (DARPA) Cyber Assured Systems Engineering (CASE) program, to develop VERDICT, a toolkit to assess and strengthen cyber protections for military and other industrial systems.
DARPA’s CASE program is focused on supporting new technologies that strengthen cyber protections for the embedded computer systems that manage or control critical infrastructure, vehicles, smart devices and military systems. The threats to these types of systems have grown, as attempts to attack these systems have become more sophisticated in nature. Kit Siu, a Senior Engineer in the Research Lab’s Controls and Optimization team, and Abha Moitra, a Principal Scientist in the Artificial Intelligence Group, are leading GE’s CASE project, which involves development of a comprehensive toolkit that can assess a given computer system’s vulnerabilities and prescribe the best defense measures to shore them up. Siu recently demonstrated GE’s technology for Naval Information Warfare Systems (NAVWAR) personnel in San Diego, California.
‘A key objective of VERDICT is to deliver a thorough cyber threat assessment that not only flags a system’s vulnerabilities but also recommends the best defense measures to address them,’ Siu said. ‘This could work across many types of systems, from military platforms like a ship or aircraft to critical infrastructure like a power plant or wind farm.’ Siu said, ‘Power systems, like military systems, often are controlled and operated separately from the Cloud to insulate or reduce their susceptibility to cyber threats. But that doesn’t mean someone can’t get to your system. With the technology toolkit we’re developing, we will be able to see the potential vulnerabilities more clearly and enable additional measures to strengthen protections.’
Siu and Moitra are collaborating with GE Aviation Systems and the University of Iowa on this project. The Aviation Systems business is providing domain expertise for cyber analysis on commercial and military aircraft, and the University of Iowa is providing fundamental research in the area of cyber security and formal methods. By the end of the program, the team will deliver VERDICT as an open-source toolkit that may be used to safeguard critical infrastructure.
The VERDICT tool is intended to perform analysis of a system at the architectural level. A VERDICT user captures an architectural model in AADL that represents the high-level functional components of the system along with the data flow between them. The VERDICT Model Based Architecture Synthesis (MBAS) back-end tool analyzes the architecture to identify cyber vulnerabilities and recommend defenses. The defenses will typically be recommendations to improve the resiliency of components, such as controlling access to and encrypting communication links, or adding components to reduce dependence on a specific source of information; for example, adding position sensors and voting logic rather than depending exclusively on a GPS signal to determine location.
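The last recommendation above, redundant position sources plus voting logic so that no single source is trusted, as an added illustration that is not VERDICT's or GE's code; the source names, readings and tolerance are constructed for the example:

```python
from dataclasses import dataclass
from itertools import combinations
from math import hypot
from typing import Optional

Position = tuple[float, float]


@dataclass
class VoteResult:
    position: Optional[Position]  # fused estimate, or None when no majority agrees
    agreeing: list[str]           # sources whose readings were used
    outvoted: list[str]           # sources rejected as inconsistent with the majority


def _agree(a: Position, b: Position, tolerance: float) -> bool:
    """Two readings agree when they lie within `tolerance` of each other."""
    return hypot(a[0] - b[0], a[1] - b[1]) <= tolerance


def vote_position(readings: dict[str, Position], tolerance: float) -> VoteResult:
    """Majority voting over redundant position sources.

    The largest group of mutually agreeing sources wins, but only if it is a
    strict majority of all sources; otherwise no position is produced and the
    caller must enter a safe fallback mode rather than trust a lone source.
    Brute force over subsets is fine for the handful of sources a vehicle has.
    """
    names = sorted(readings)
    best: tuple[str, ...] = ()
    for size in range(len(names), 0, -1):
        for group in combinations(names, size):
            if all(_agree(readings[a], readings[b], tolerance) for a, b in combinations(group, 2)):
                best = group
                break
        if best:
            break
    outvoted = [n for n in names if n not in best]
    if len(best) * 2 <= len(names):  # not a strict majority: refuse to decide
        return VoteResult(None, list(best), outvoted)
    xs = [readings[n][0] for n in best]
    ys = [readings[n][1] for n in best]
    return VoteResult((sum(xs) / len(xs), sum(ys) / len(ys)), list(best), outvoted)


if __name__ == "__main__":
    # Constructed readings: the GPS fix diverges while INS and a ground beacon still agree.
    readings = {"gps": (900.0, 900.0), "ins": (101.0, 199.5), "beacon": (100.5, 200.5)}
    print(vote_position(readings, tolerance=5.0))
```

With only two sources that disagree there is no majority and the function returns no position, which is the point: redundancy must be wide enough to outvote a single bad source.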
Once the architectural analysis is complete, VERDICT supports refinement of the architecture model with behavioral modeling information using AGREE. The VERDICT Cyber Resiliency Verifier (CRV) back-end tool performs a formal analysis of the updated model with respect to formal cyber properties to identify vulnerabilities to cyber threat effects. This capability provides an additional depth of analysis of a model that includes behavioral details of the architectural component models, which helps to catch design mistakes earlier in the development process. Once the CRV analysis is complete, the developer creates a detailed implementation. The intent of VERDICT Automated Test Generation is to verify that the implementation is consistent with the architecture and behavioral models analyzed by VERDICT MBAS and CRV.
VERDICT’s OSATE Plug-in Architecture
The VERDICT tool contains a user interface front-end (an OSATE plug-in) which runs the VERDICT back-end tools from OSATE’s integrated development environment. There is a clear separation between the functionality of the OSATE plug-in and the back-end tools, which also can be used separately on their own. The OSATE plug-in simply calls the back-end tools and informs the user of the results. The diagram below shows how the back-end tools are invoked by the plug-in to perform architectural and behavioral analysis of AADL models.