Andreas Wild
Executive Director
Software and Hardware Threats
• In 2012, Cambridge University researchers announced the discovery of burned-in vulnerabilities on the silicon of high-security chips used widely in defense, financial, and industrial control systems.
• These backdoors originated in the manufacturing process at industry-leading suppliers, and they permit attackers to disable security, monitor and modify information on the chip, and permanently damage the device.
• Cybersecurity efforts have focused on protecting against insider threats and vulnerabilities in software,
• …but without addressing the foundational vulnerabilities in hardware and the supply chain behind it, those security efforts amount to little more than building castles on a foundation of sand.
Building Trust in the Global Technology Supply Chain
Scott Charney, Microsoft, East-West Institute’s Second
Worldwide Cybersecurity Summit, London, 2011:
• Hardware and software today are composed of subcomponents from a range of suppliers.
• A trusted supply chain means managing the risks related to production, delivery and deployment.
Software versus Hardware Vulnerability
• Malicious software can be created and disseminated by anyone with a computer and access to the Internet.
• Malicious hardware can only be inserted by someone who can access and alter a chip before it is placed in a finished product.
Defensive Strategies for Hardware
• Large amounts of attention/resources are dedicated to software security, but countering malicious hardware is in its infancy:
  – Design practices:
    • Need-to-know partitioning of information; scrutiny of third-party suppliers; controlled premises; Trusted Platform Modules (TPM) as per ISO/IEC 11889 (2009)…
  – Secure the supply chain:
    • Grading participating companies; split fabrication…
  – Quick response to an attack:
    • Pre-emptive identification/creation of an entity for hardware attacks; supplier database for rapid tracing of chips at risk while protecting proprietary information
  – Testing procedures able to detect corrupted chips
  – Built-in defences:
    • Chip self-monitoring, identifying attacks, putting the offending portion of the chip in quarantine, and notifying other devices containing similar circuits
- John D. Villasenor, “Ensuring Hardware Cybersecurity”, The Brookings Institution, Technology Innovation No. 9, May 2011
- David Inserra and Steven P. Bucci, “Cyber Supply Chain Security: A Crucial Step Toward U.S. Security, Prosperity, and Freedom in Cyberspace”, The Heritage Foundation, Backgrounder No. 2880, March 6, 2014
Lagging European Investments in Chip Manufacturing: A Security Threat?
[Chart: Future investments announced by the end of 2014. Axis: million 200mm-equivalent wafers per year, for <= 200mm and 300mm wafers. Labels on the chart: $14.7B, $14.7B, $17B, $170B in 5 – 10 years, $6B ELG Roadmap?, European Strategic Investment Funds?]
Split Fabrication: Partial Solution to Contain Cost?
Electronic Components and Systems: the “Smart” of Everything
• Smart phone
• Smart Card
• Smart Grid
• Smart Cities
• Smart Mobility
• Smart Governance
• ….
• Smart anything!
“Smart” = chips running software, integrated in a system, enabling applications!
ECSEL = Electronic Components and Systems for European Leadership
ECSEL JU: a Public-Private Partnership Keeping Europe at the Forefront of Technology Development
Established by the Council Regulation (EU) No 561/2014
Autonomous Union body implementing a Joint Technology Initiative
Total eligible costs > 5 B€
Members:
- EU (represented through the Commission): H2020 up to 1.17 B€
- ECSEL Participating States: envisaged contributions ~ 1.17 B€
- Private Members (Assoc. AENEAS, ARTEMIS-IA, EPoSS): > 2.7 B€
Launching calls for proposals, selecting projects for funding
European Government(s) Vision Evolves…
Ten years ago, the heads of state were not interested in internet companies and router manufacturers….
Electronic Components and Systems Belong Together
Europe Must Increase Investments Both in R&I and in Defense
COM(2013) 542/2, Communication from the Commission to the European Parliament, the Council, the European Economic and Social Committee and the Committee of the Regions: “Towards a more competitive and efficient defence and security sector”, {SWD(2013) 279}