Battleships in Legoland

Security through Software and Hardware Based Modularity

Indulge me while I ruminate a bit on the whimsical world of technology, where modularity reigns supreme as the unsung hero of security – think of it as the bunch of individual Legos that are assembled to create your digital Fort Knox.  In both software and hardware design, embracing modularity is like putting up layers of defense against cyber threats, creating a fortress of digital resilience that even the most hardened security professionals endorse as the gold standard for securing embedded systems.

Let’s start with software-based modularity, shall we?  Picture your favorite connected device as a puzzle, with each modular component acting as a unique piece that fits snugly into place.  Using your favorite type-1 virtualization tool (seL4, Bedrock, etc.) to compartmentalize functions and data within these modules, developers can create barriers that restrict unauthorized access and limit the impact of potential breaches.  One wrinkle to consider: the puzzle still sits on a table (aka the chipset), which means the bottom layer is still not trusted.

Ships today are built on the construct of hardware-based modularity.  Modularity is a critical design principle when it comes to protecting ships from torpedoes. By compartmentalizing various sections of the ship and ensuring that each module is structurally independent and well-protected, the impact of a torpedo strike can be contained and minimized. In the event of a torpedo hitting the ship, the damage is less likely to spread throughout the entire vessel, as the modules act as barriers that limit the flooding and structural compromise to specific areas.

Software or Hardware based Modularity – which is right for you?   The answer is easy – yes.  The goal is the creation of a high assurance and resilient connected device.  Better answer – use both.

For the last decade, the focus of the embedded systems industry has been on leveraging software-based virtualization to achieve modularity.  This was primarily an exercise to take out cost while adding resilience because the chipsets in your processing devices have been the long pole in the total BOM cost of a connected device.   However, the increasing commoditization of chipsets is allowing industry to consider a swing back to leveraging hardware-based modularity while still achieving cost efficiencies.

What if you built (or were building…grin) a device with three chipsets in one mobile device: one for the radios, one for the encryption, and another for the UX.  Wrap a couple of the chips in Faraday cages and add some anti-tamper, then layer in some added software-based modularity to create modules within modules and voilà… modularity squared.

This product would be a game changer that enables an improvement in SWAP-C, the assurance and resilience you demand, and packaged in a standard, commercial high-end mobile device.

That is right.  By leveraging both hardware and software-based modularity you can have an ultra-secure, connected device with a commercial look and feel that the market has been demanding for far too long.

Interested?   Call me.

Moving to your Pot of Gold: Backpacking and Cyber Security

As I slogged my way along the North Coast Trail on Vancouver Island, BC, a thought (or many) occurred to me.  Hence this blog post.   The trip was a solo trip: 8 days with no resupply, active wildlife (bears), a ‘primitive’ trail, a very remote part of the world, and a challenge to me both physically and mentally.

The next big cyber-attack is coming, and it will not be trivial.  A state actor, critical infrastructure, broad consumer impact, not sure when or how it is coming, and you know it will be a challenge to overcome.

It turns out that backpacking is like managing your company’s cyber security.

Do you have the tools in place to prepare your ‘Defense in Depth’ strategy, both to ensure a safe and secure hike and, for your business, to drive toward risk mitigation using a common set of principles?

Prepare for the Trip.

  • Understand the local landscape and determine if there are any specific rules or regulations that you need to be sure to follow for your trail or business vertical.
    • Read blogs, study the terrain to set your pace, and learn the rules for this trail (bear boxes).
    • Look for best practices, study other relevant use cases, and determine what certifications you need to gain to provide assurance to your business.

Pack for Contingency.

  • Weather, accidents, and wildlife happen. The same could be true for your infrastructure depending on your region, HW vendors, or network availability.
    • Pack rain gear, first aid kit, gear repair supplies, short or tall gaiters, and some extra food.
    • Rain, cold, ‘brown outs’ may require back-up generators or fuel supplies.

File your Itinerary.

  • Study the terrain, determine your hiking pace, and establish camping sites. For companies, learn industry practices, understand likely attacks, and read voraciously to understand your risk profile.
    • Publish your trip plan, share it with family, and then list it on your Permit.
    • Establish milestones, set contingency triggers, and educate your employees.

Paper Map.

  • Sure, it is old fashioned. But having a hard copy map matters.  As does having written contingency plans available to your employees.
    • Bring a basic map, a topographic map, a waterproof map, a detailed map of each section.
    • That written manual of contingency plans could be the difference if your systems are off-line.

GPS Trail Guide.

  • Many applications are available for mobile devices that can guide your hike. Even airlines are using tablets for kneeboards and contingency manuals.
    • Even with no cellular coverage, your phone can still support a GPS application to help guide your hike safely or to get you back on course should you lose your way.
    • A digital set of manuals to guide your employees to maintain course and counter the inevitable threats that will present themselves.

‘Oh Poop’ Device.

  • Backpacking or in business, it happens. Be prepared.
    • This is why people now carry a Garmin inReach: it has an ‘Oh Poop’ button that is there for you in case the unforeseen happens.
    • Get a Red Team, get a Government Agency on file, or know who to call when the ‘Oh Poop’ moment of the hack comes for your organization.

As I prepare for every hike, especially as I tend to go solo, the list above is exactly what I do to lessen the risk as much as possible so that I can ensure a fun and safe trip for me and for all of my loved ones back home wondering when I will get out.   And, in candor, most of the in-depth planning that I execute against today is from hard-learned lessons on the trail over my many years of backpacking.

It is my view that this same accumulated knowledge of planning to mitigate the risk of a cyber attack to your enterprise is very similar.   Maybe the question to ask is whether you have six layers of ‘defense in depth’ to your cyber security preparation as I do for when I go backpacking?   Many lessons have also been painfully and publicly learned in the market today that you could directly apply to your own security posture.

However, if you want some help, then call me.   Call Cog Systems.  ‘Being Prepared’ is not a tired motto, it is an essential first step to lessening your risk and helping you to enjoy doing the best part of your business – delivering for your customers.

Thank you.

Satisfaction Brought Him Back…

As the saying goes, “Curiosity killed the Cat, but Satisfaction Brought him Back…”

Sunset West Coast Trail

For those of you that know me, I have always been curious.   Some call it a thirst for knowledge though I think it would be more accurate to say I have a craving for new experiences.   Lately, that drive for more experiences has pushed me to not just explore new things or activities but to add a mental component to those experiences that allow me to test the fortitude of my mental strength and endurance.

By way of an example, winning a pickleball game is way more fun for me after I rally from being down by 5 points or more.   The win is mostly moot for me, but that I dug in and won by coming from behind is what gives me the Satisfaction to keep coming back.

The cyber security industry offers a myriad of ideas to help the curious, but in the end none of us in the industry can promise that you will not be compromised (aka dead as a cat).   But, how to get to that elusive place of Satisfaction?

Continue to be curious.  Push harder.  Add the mental component to further enhance your Satisfaction.  Add these extra foundations to your requirements for solving your next problem beyond just buying a product, but by crafting a product for you and your business.

By way of an example, we had a customer who came to us who did not want to settle for just adding some software to their existing mobile devices, but asked if we could design and build a new mobile device from the ground up in the USA.  The customer was curious.  The customer pushed. We figured it out.  It was hard.  This is what creates that strong sense of Satisfaction that keeps us coming back for our customers.   The fact that it was a very hard problem to solve even provided that extra mental test that I seem to crave more and more in my life.

So, do you have a hard problem?

Are you curious as to whether the cyber security community can solve that problem?

Then call me.   Call Cog Systems.    Especially as trying to solve that problem seems to be our sweet spot that gives us all the Satisfaction to keep coming back.

Thank you.   http://www.cog.systems

Covid and Comcast: The Perfect Hack

Sometimes, real life shows you the true potential of ‘The Perfect Hack’.

Last week, after a trip to San Diego, I woke up with cold-like symptoms.  So, I took a Covid test on Wednesday and it was positive.  Fortunately, I am fully boosted, so my illness was mild, but regardless it was necessary for me to quarantine in my house for 5-7 days.   That Friday my friends at Comcast decided that reliable TV and Internet were now optional, and I lost all connectivity to my house.   And, as Sunday was Father’s Day, I was doubly disappointed because my Covid quarantine had given me the perfect excuse to watch the US Open and literally everyone had to leave me alone (grin).

But, alas, it was not to be.

Then it occurred to me – what a perfect hack.   No TV, no internet, and I can’t go anywhere.

So, I started thinking – and I had a lot of time to do so – if I was going to cause America a giant headache, I would attack the cable companies.  Think about it – no TV, no internet, no Alexa (how do you turn off lights BTW).  And the only fix was a truck roll from Comcast that they could not do for 5 days.

For a long time I have been pondering the ease with which someone could hack your TV and make your life miserable – and it is not like the fix is easy.  What do you do? Buy another TV, get someone to do a truck roll to fix everyone’s TV, or perhaps the brand damage is so bad that they just mail everyone a new TV.  None of these are good choices (all heavy on time and money).

Considering recent events, I now realize that the better attack is that simple modem into your house from your Cable/Internet Provider.  It is easy to hack.  In fact, I wonder why no one has done it yet.   If you really want to make things painful for Americans – take away their TV and Internet.  Brilliant.

The irony here is that the fix is simple.  There are tools today that can be used to protect the modem into your house from malicious software – they are just not implemented, as the price might add another $0.25 to the BOM cost of your modem (got to keep that cost down).   My company does it today for folks who do worry about the potential for exactly this kind of hack.

However, we as consumers do not demand the protection and the cable companies don’t want to spend the money – and you know the government does not want to tell them what to do (if they could agree).   So, enjoy your connectivity but do not take it for granted because what is here today could (and likely will) be gone tomorrow.

Postscript:  No TV or Internet did allow me time to have some great conversations with my spouse, read some books that I have really wanted to get to, and take a nap or two.  And, without all the noise of the world, my stress level did go down quite a bit… but I knew how long my outage would last.  With a hack, all bets are off for how long the fix would take.