Our computer systems run on software. Without this, the
industry has a vast inventory of boat anchors, paperweights, and expensive
equipment to prop doors open. With this, we have finely-tuned equipment that
works through miraculous tasks. With our dependency on these systems, seemingly,
as a culture and industry, we could learn from our oversights and mistakes. This
begins in 2015 with the infamous Miller & Valasek Jeep Hack. At this point
in time, the embedded systems industry though passwords made the products secure,
no one would be interested in attacking wireless sensors or cellular, and a
device with a singular function would never be a target. These faulty beliefs
were clearly wrong and our industry was built on curing these issues.
Embedded systems continue to be excessively insecure,
unfortunately. These systems continue to be very accessible. There is no
license required to purchase these. The cybersecurity researcher simply has to drive
to an auto parts store, log into eBay, or call a junkyard to secure one or more
of these units to test. Once secured there are numerous online resources
available to assist the researcher through the hardware configuration and OS
(e.g. CANbus).
These systems are often not secured. The researcher simply
has to connect to these and begin the attack. This is the case, especially with
the CANbus. Other systems may use Linux or Android for certain systems within a
vehicle. These, while an improvement to for cybersecurity, still have ample
vulnerabilities based on the version and other factors.
With these systems, due to their importance in our lives,
security should be built in from the beginning phases through production.
Adding this in at the last bit of the project has not and will not work. We’ve
seen this repeatedly. Cybersecurity needs to be incorporated from the beginning
and not bolted on at the end of the project unless you enjoy the opportunity
to fix the bug or vulnerability for your product located across the globe.
One of the crown jewels for the attackers is the data. This
has to be secured at rest and when this is between the sender and receiver (in
transit). When you don’t have this in place and the appropriate measures
working, there will be issues.
Finally, you should think like the attacker would. The
person attacking your system isn’t going to care about the project gates or
deadlines and why the cybersecurity issues are not fully addressed or the thousandth
of a penny, you saved by not fully implementing adequate security. The attacker
is focused on how to break into your system using present or past tools, or
creating new ones to ensure their success.
No comments:
Post a Comment