Wednesday, November 20, 2024

Developers Today Are Missing Out On Firmware Integrity And Signature Verification


With the emergence of smart technology driven by the Internet of Things (IoT) in India, the industrial sector has been relatively quick to adopt it. Given the rapid penetration of IoT within the industrial sector, it is only natural that industrial control systems (ICS) should have practical layers of security to protect the entire system from external threat actors.

This is true of Indian small and medium enterprises (SMEs) as well. In this regard, Rahul R of Electronics For You interacted with Aditya Gupta, Founder and Principal Consultant at Bengaluru-based Attify. Aditya offered valuable insights on the security threats (and related aspects) accompanying ICS devices and how these can be combated.


Q. Talking about the industrial internet of things (IIoT) security, what are the types of breaches that Indian SMEs should be aware of?

A. It is worth understanding that for both the IoT and industrial control systems (ICS), manufacturers make a lot of mistakes when it comes to implementing secure layers. One of the biggest mistakes that IoT device developers commit is missing out on firmware integrity and signature verification. Even Google Nest had this vulnerability.

Aditya Gupta of Attify

Device developers also do not pay attention to making attempts to verify the genuineness of the source. In fact, it is difficult to verify this, but it does no harm to at least put in the effort to try and verify the sources from where smart devices and sensors are procured. This is a major issue that could potentially open up doors for newer attacks to hit industrial systems.

The second major issue is the insecurity of radio-based communication. This often leads to attacks such as eavesdropping that in turn results in breaching data privacy levels.


Q. In line with your above insights, how relevant do you think that ethical testing is from an industrial perspective?

A. In fact, a lot of companies do not resort to ethical testing, or do this very poorly. Maintaining dedicated security teams (resorting to ethical hacking of networks internally) is vital today. Penetration testing should also be carried out on all devices before these enter production.

Therefore, in this context, I think that ethical testing is completely relevant in today’s industrial scheme of things, especially in vital sectors such as healthcare and finance. Finally, ethical testing leads to proper evaluation of the entire architecture of devices. This approach naturally leads to formulation of enhanced security protocols for securing networks.

Q. From an IoT security layman’s perspective, why do cyber-criminals even target industrial systems?

A. Industrial systems today are viewed as ‘extremely lucrative’ by cyber-criminals. When digital industrial systems are compromised, the entire functioning of a particular industry can be slowed down several notches thereby resulting in both systematic as well as financial losses.

The best illustration, now, is a scenario where a city’s entire power grid system is taken down by hackers. This often results in irreplaceable losses.

A corporate competition perspective also comes into picture when we mention cyber-attacks. A competitor, in the corporate scenario, has lots to gain by taking down rival systems.

Q. Being an engineer yourself, can you suggest best practices for Indian embedded engineers to develop industrial systems having security of acceptable standards?

A. The first thing for Indian engineers is to get a grip of the embedded scenario (including the underlying threats) in the physical world. This can be accomplished via heuristic research.

Now, as per my experience, a major issue plaguing IoT security and ICS is poorly designed code. This is a result of improper research by engineers (about embedding security from the chip level). Security protocols should be properly defined within individual levels, in modules. These ‘well-secured’ modules can then be integrated into the main components in order to ensure near-perfect secure IoT devices.

Q. At a personal level, if you were to train embedded engineers on IoT security best practices, how would you go about this process?

A. For enterprises, we train engineers by assuming the role of attackers. Understanding the modus operandi of cyber attackers is the key. Once a system has been attacked, glaring loopholes are then displayed to developers to improvise and cover the holes.

With this approach, analysis of the code written by developers also takes place. Here, enthusiasm amongst the embedded engineers is also at a peak. I would also let developers fix the gaping holes (as stated above) by themselves via secure code so that they are in a position to code securely.

Q. Finally, for a more generic sector like healthcare, how do you define IoT security from a researcher's point of view?

A. For a sector like healthcare, embedded system engineers (the IoT engineering community) should remember that the data generated is extremely sensitive. Security solutions should be engineered keeping in mind the attack probabilities.

An illustrative scenario here: pacemaker data is vital for heart patients, and in case there is a security breach, the lives of patients are put at risk. There have also been instances where smart insulin monitors were breached, resulting in irregular levels of insulin being monitored to patients. These illustrations only represent the seriousness of developing secure solutions for a sector having general societal impact.

There should also be security at the individual healthcare levels, such as at hospitals where enormous patient & medicine-related data is generated. As of now, the Indian smart healthcare scheme of things is still at a nascent stage. Therefore, engineers should constantly research on the practices employed by the developed economies and come up with appropriate solutions for the sector.
