The Device Chronicle interviewed Tommy Gardner, CTO, HP Federal, about IoT cybersecurity and the best ways to address the cyber security threats.
It is not everyday that one gets the opportunity to interview a former commander of a US Navy submarine, and so it was a great honor to learn from a leader such as Tommy Gardner. Tommy has spent over 40 years working in artificial intelligence and what he describes as “sensitive data programs” since his days working in Government. Few are better placed to understand how technology is evolving and what the cyber security threats are emerging in tandem.
Tommy distinguishes between how the government and industry see cyber security threats and calibrate their approaches accordingly. He says “Governments must be motivated by their mission and must be ready to serve their constituents. Industry’s priority is the protection of IP and process methods that drive their profits. Both are broadly concerned with the threats from the criminal and political actors, amateur actors and support the bug bounty hunters.”
Securing IoT products against cyber security threats
Tommy provides some straightforward and pragmatic advice for companies looking to secure their digital products that have IoT dependencies. He advises taking the NIST risk management framework and applying it to the enterprises’ “crown jewels” i.e. their cloud and edge infrastructures. He says, “Continuous investment is needed to understand and mitigate the threats and the potential attack vectors. The investment in research allows the organization to put up economic barriers, traps and stone walls.”
Real physical risks from cyber security threats
Tommy has a doctorate in Energy Economics and it is in this industrial complex that he sees some potential risks of devastation from cyber attacks. He worries about the hundreds of industrial plants in the United States, where they crack basic crude oil. A consolidated contemporary cyber attack on them simultaneously could result in severe energy shortages much worse than what was experienced during the Colonial Pipeline event. Physical damage to these plant’s critical equipment and core infrastructure could keep them out of operation for up to 6 months. Such an occurrence would be termed a “black swan event”. In cracking and distilling plants a cyber attack that results in pressure points for safety relief values being changed could result not only in plant damage, but in personnel injury as well. In addition to monetary damages, there could be loss of human life.
Cyber physical paradigm & cyber security threats
This speaks to the cyber-physical system where “software is the mind and the neurons”, and “the infrastructure is the physical body.” It used to be that operational technology and information technology were separate worlds, but Tommy has seen them come closer together. Operational Technology (OT) has seen the increased adoption of Internet protocols, with the result that if an actor can hack an IT system, they could also hack the OT system in an organization. As a safeguard, OT professionals need to follow IT protocol and procedures and use the cyber tools of the trade from there. All of this, Tommy believes, drives the enterprise towards Zero Trust, where the assumption is that the enemy is already inside the system or has access, so it is critical to verify first, establish a root of trust, and to use things like a trusted computing module inside the IoT device.
HP and the root of trust
HP puts in the root of trust to protect the BIOS in its connected printers, which are considered IoT devices. An experienced hacker will first go for an attack on a printer, as most present an easy way to get into a network. Printers are generally not very well secured. Once into a network through a printer, the hacker can quickly escalate permissions going from one account to another to gain increasing network rights and privileges. He regales a story of where he engaged with a CIO in a large government organization, where there was no “2 man control” on the updating system BIOS for a large fleet of 8,000 computers and printers. With a single button press, the system was updated in 8,000 machines. There was no second checker in place to protect and validate for each individual machine. Once this CIO understood the risk, within two weeks ordered better protected equipment so as not to lose the whole network with one button push.. Also, at the Blackhat and DefCon security conferences an independent third party penetration testing company from Spain ran numerous tests on six different enterprise printers. Tommy points out that the testers conclude that based on their tests HP had the most secure printers.
Mapping of the Digital Supply Chain
There are several points on what constitutes the digital supply chain. Tommy advises “You can’t manage what you don’t measure, and you can’t measure what you don’t define” So you need to accurately and precisely define the digital supply chain. He believes that NIST does it very well by getting everybody in the room, arriving at consensus and building a taxonomy for a common understanding. NIST listens to government agencies, industry, and academia. NIST Special publication 800-213 and NISTR 8259 are key documents on the subject and cover the key principles in implementing IoT protection. NIST can take a holistic and comprehensive view of the threats and best forms of defense as it set standards for government departments, industry and academia both in the United States and across the World.
IoT device security takes center stage after Solarwinds and the Coastal Pipeline
Over the Air (OTA) software updates have come into focus after Solarwinds and the Coastal Pipeline attacks. CEOs are waking up to the fact that they can’t have second best when it comes to product security. Tommy says it takes a large degree of effort to test an update, to make decisions whether to run it on another sandbox, or to use anomaly detection. Products and security must be planned with a knowledge of how the actors plan to attack. Tommy advises “An enterprise needs continuous improvement in product security design as sensors are not designed to be secure, they are designed to perform a functional job. The cost does go up with security but one must recognise that security is worth paying for. By putting in an encryption layer or an intrusion detection sensor or a BIOS self check, you can avoid significant downstream costs from a cyber attack.” He adds that HP BIOS protection has a crypto signed chip that checks if the hash is the same in the chip as in the BIOS in memory. NIST 800-193 defines hardware resiliency with 16 recommended steps. 12 of these steps are mandatory. HP has integrated all 16 into product design. You need resilience in order to bounce back after an attack.
OTA software updates and Linux embedded
Linux open source comes with an additional benefit: attack vectors and vulnerabilities are picked up quickly, because of the large number of people reviewing the changes. With OTA updates and a Linux embedded system, the numbers game makes it much safer to use. An enterprise still needs to factor in the need for encryption methods, detection methods and resiliency issues i.e. “how do we get back up and running if something goes wrong?”
We wish Tommy and his colleagues at HP well as they continue to secure enterprise endpoints, networks and their printers from malicious actors and hackers.