As the swarm of cyber attacks continues to disrupt business operations, it becomes crystal clear that a serious issue exists. Companies have become increasingly digital, relying on an array of tools generating data, data that in many instances drives new efficiencies. Unfortunately, if something generates data, it is also susceptible to an attack -- and, in many instances, a very attractive target for today's sophisticated hacker.
Solving the current cyber problem is going to take far more than regulations, the involvement of law enforcement, air gapping, or bolted-on hardware or software. Simply put, there is no silver bullet. What is the answer? All of the above and then some. The best means of protection is to take a big-picture view, embracing the right mix of tools and paying close attention to the security built into today's architecture from the ground up.
Martin Dixon, Intel fellow and vice president in the Intel security architecture and engineering group at Intel Corp., shares his insights on how companies often overlook the role that hardware security plays in the equation – especially in a digital world.
IW: What are companies missing in their security strategy?
Dixon: Security is a system property anchored in hardware. While scalable attacks come from software propagation, if you don’t trust your hardware you can’t trust any of the software running on top of it. I think even the smartest IT teams often overlook this fact. Software is only part of the solution. Hardware is the foundation, and hardware-accelerated security capabilities are becoming increasingly important among enterprise IT teams. According to a recent Ponemon Institute study, 76% of IT decision makers say it’s highly important for their technology providers to offer hardware-assisted capabilities to defend against software exploits.
Hardware has a unique view across the system stack — and thus, different insights to detect and protect it. We believe the software-hardware contract is evolving to indicate more intent to the hardware. The hardware security technology we develop and deliver in our products, such as Intel Software Guard Extensions or Intel Threat Detection Technology, provides additional layers of protection to security solutions already in place. This broadening of the software-hardware interface requires software ecosystem engagement to enable. Yet, the inherent tunability of these features allows developers and IT administrators to optimize performance and security to meet their specific needs.
IW: Considering the ongoing digital transformation trend, is the growth of connected operational technology creating a larger risk? If so, what additional steps do organizations need to take?
Dixon: I would position this more as untapped. Our approach to security innovation is to build defenses into the foundation, protect data and workloads and improve software resilience. Good security requires defense in depth.
Today, AI-based robotics are used to perform repetitive and potentially hazardous tasks with greater speed and accuracy than humans. Machine vision is also used to validate features and check for defects, helping to deliver the highest-quality product possible. These edge deployments expand the attack surface of a system. Meanwhile, Stuxnet in 2010 showed that virtual attacks can cross over into the physical realm. It’s critical for systems to enable a path to securely onboard, boot and update to ensure they remain up to date. While zero days get the attention, all too often attacks happen on known vulnerabilities that have not been patched.
We continue to find new ways to solve these common security challenges. We are a member of the FIDO Alliance that recently announced a new, open IoT protocol to simply and securely onboard any Internet of Things (IoT) device. It’s an important step in addressing the security gaps that currently exist in IoT deployments within enterprise and industrial environments.
Manufacturing is part of our critical infrastructure and that means it is a priority target. I recommend manufacturers prioritize replacing legacy technologies and take a hybrid approach to their security infrastructure (hardware plus software). However, this is easier said than done. Replacing systems takes financial investment, innovation and vendors with industrial IIoT solutions to support the critical work being done. It’s vital to partner with vendors who can help solve these challenges today, while ensuring the interoperability and scalability that will be needed in the future.
As we look to the future, the challenges and threats are not slowing down — if anything, they're accelerating. A siloed approach to security does not provide organizations with the full protection available to them. Organizations that choose solutions that combine hardware-assisted and software-based security improve protections and help secure data as it travels from edge to cloud.
IW: How do we protect the infrastructure that allows us to live out our daily lives?
Dixon: Critical infrastructure is an attractive target for hackers — the greater the impact, the higher the potential profit margin for bad actors. Critical infrastructure sectors that don’t maintain up-to-date systems lag behind and increase their risk.
Some best practices for protecting critical infrastructure include:
- Deep offensive security research to gain the right insights and enable IT to make informed decisions to improve system resilience.
- Modernizing critical infrastructure systems can go a long way. It’s critical for systems to enable a path to securely onboard, boot and update to ensure they remain up to date.
IW: How important is transparency as infrastructures suffer cyberattacks including ransomware?
Dixon: Transparency about potential vulnerabilities is crucial in reducing risk and preventing a small breach from becoming catastrophic. In a recent survey, Intel partnered with the Ponemon Institute and found that 64% of nearly 2,000 IT decision makers surveyed around the world consider transparency around security updates to be critical. However, only 47% say their technology provider doesn’t provide this transparency. It is hard to trust a vendor who does not find and publish their own vulnerabilities.