Addressing Edge Computing for Cybersecurity
Securing the Physical Edge – What does Edge Computing mean for Cybersecurity?
Edge computing may seem enigmatic but is simply the latest term used to describe the decentralization of some special-purpose computing technology out of the cloud and back into the real world. In this article, we explain the reasons why this is necessary and the benefits that it brings. We also consider the challenge of protecting these remotely connected devices from physical attacks by intruders and look at some innovative countermeasures that edge device manufacturers can use to keep them secure.
Figure 1: Edge computing - do you know what it means?
Where is the ‘Edge’?
The term ‘edge computing’ might best be introduced within the context of a brief history lesson. In the 1970s computer technology was very large and extremely expensive. Often referred to as ‘mainframes’, computers could occupy much of the floor space in a small room and cost in excess of $1,000,000. Maximizing efficient use of the available processing power meant sharing it among multiple users who could interface to the processor, memory and storage via a ‘dumb terminal’, consisting simply of a keyboard (for user data input) and a monitor (to provide output). In the 1980s, the advent of Very Large-Scale Integration (VLSI) in integrated circuit manufacturing saw the size and cost of computing fall, meaning that users could now have a Personal Computer (PC) with its own storage, memory and processing. The advent of the internet and the deployment of high-speed broadband would later allow PC users to connect to remote computing resources far more powerful than their own machines. This new architecture, referred to as ‘cloud’ computing, was a return to the centralized architecture of the 1970s, with the ‘cloud’ replacing the mainframe. Large data centres, consisting of vast arrays of powerful server machines, now meet the processing, memory, storage and software requirements of multiple simultaneous users, spread across the globe.
While cloud computing provides efficiencies of scale and has led to the development of whole new fields such as data mining, it is unsuitable for some applications. For example, an autonomous self-driving vehicle that receives a reading from a proximity sensor may need to make an instantaneous decision whether to change direction or apply a brake. It does not have the time to relay the sensor reading to a remote cloud processor to decide on the appropriate course of action and then wait to receive the response before acting on it. Even the slightest delay in the communication (due to network latency) could mean that the vehicle is involved in a collision with potentially disastrous consequences for the occupants. Devices that interface with the real world, which make near-instantaneous decisions to act in real time, are said to be located at the ‘edge’. Edge computing refers to computing devices physically placed close to the location where they are needed to interpret and immediately act on received information.
Factory Floor Edge
Industrial process control systems used on the factory floor provide another example of an application where even the slightest delay in remote communication is intolerable. Indeed, these systems are so delay-sensitive that they have mostly retained a centralized architecture of their own, where decisions are made by a Programmable Logic Controller (PLC), located in a control cabinet, which monitors multiple sensor readings and, in response, engages actuators that drive motors and valves.
Figure 2: Programmable Logic Controller used for industrial process control
However, the massive size and scale of modern factories means that automation engineers are now looking to locate computing intelligence (in the form of smaller controllers) literally at the very ‘edge’ of the factory floor. For example, a sudden build-up of pressure in a vessel could require the immediate opening of a safety valve: any latency in the communication of this reading to a remote industrial controller (located in a distant part of the plant) could lead to an explosion. A smaller ‘edge’ controller located right next to the vessel could be programmed to take the appropriate course of action, while still communicating periodically with the central controller to provide less time-critical data readings from other sensors, status updates or to receive software or firmware upgrades. Indeed, the imminent deployment of 5G wireless cellular technology will provide much higher connection speeds for this purpose and, over time, the large volumes of data accumulated and stored from edge devices will be analysed and interpreted with the intention of improving their performance. While edge computing devices maintain the necessary connection with the cloud for uploading data and to keep their intelligence up to date, they do not rely on that connection at the time when they are required to apply that intelligence.
Dangers of an Exposed Edge
The history of warfare has taught us that the coastal edge of a country represents a potential point of access for unwanted intruders, which requires constant monitoring, protecting and periodic reinforcing. It has also taught us that the longer the coastline, the more difficult these tasks become. In many ways edge computing presents a similar challenge. Centralized and cloud computing architectures provide a single point of vulnerability which can be easily monitored and protected from intruders as information flows in and out. Conversely, every device added to an edge computing architecture represents a point of vulnerability with the potential for it to be exploited by an intruder who may try to take control of the device itself (for example, a terrorist seeking to disable or damage a production facility) or simply gain access to the data travelling to and from the device itself (perhaps for reasons of old-fashioned industrial espionage). In some cases, the edge device user may not be the intended victim or even be aware of an attack, with the intruder simply seeking to enlist it as part of a “Bot” army to launch a denial-of-service attack on a third party. It is easy to make the mistake of thinking that the tasks being performed by some edge devices are unworthy of the effort or expense required to protect them – after all, how important can a set of temperature or humidity readings really be? However, when losing control of a single device could potentially lead to a whole production line being disabled or a vehicle owner becoming prey to ransomware, the importance of protecting every single edge device soon becomes clear.
Although encryption and authentication tools are readily available and can be easily implemented in software to mitigate network attacks, it is easy to forget that every edge computing device provides a physical opportunity for an intruder to exploit. For example, they could use a simple USB port on an edge device to upload counterfeit software or firmware and then bypass or disable the device’s security settings, allowing them to gain access to the private network of the device owner.
Figure 3: A simple USB port makes edge devices vulnerable to intruders
One way to guard against this type of attack is to use digital certificates. These contain identity information which manufacturers can use to verify the source and authenticity of uploads to their equipment in the field. However, the authenticity of digital certificates, in turn, must be guaranteed by a trusted certification authority (CA). For reasons of convenience, many manufacturers avail of the services of universally trusted third-party certification authorities. When software or firmware is uploaded to their equipment, e.g. an industrial PLC, it contacts the CA (via its internet connection) to verify the source and authenticity of the digital certificate included with the upload. If verification of the certificate is successful, the installation proceeds as normal; otherwise it fails. However, there is an inherent weakness in this apparently secure protocol: it relies on a live internet connection being present at the time of upload. This means that an intruder who gains physical access to the equipment could simply break the internet connection by removing the network cable to prevent it communicating with the CA. In this scenario, since there is no way for the offline PLC to verify the source of the upload, the intruder could proceed with the installation, changing the configuration settings of the equipment to allow them to gain access to the organisation’s private network once the internet link has been restored.
While gaining access to a controller in a physically secure industrial complex may be somewhat unlikely, the thousands of automobiles that are illegally accessed on driveways and on kerb-sides every day show the scale of the physical threat to edge devices as the number of autonomous vehicles on the road begins to increase.
Another physical security concern for edge device manufacturers is how to ensure that only genuine replacement or consumable parts are used with their remotely located equipment. Without proper authentication measures, counterfeit parts (e.g. disposable medical sensors and dispensers) of inferior quality can lead to the generation of spurious data, loss of revenue and damage to brand reputation.
Guarding the Physical Edge
When the very purpose of edge computing devices is that they can perform their dedicated functions more efficiently by working independently of the cloud, it is illogical that their physical security should depend on a permanent connection to it. Therefore, the question arises as to how best to protect them against the type of physical threats considered previously. One solution to the problem of protecting an offline edge device is for it to include an additional secure microcontroller integrated circuit (IC). Such cryptographic microcontrollers allow manufacturers to create their own CA, meaning that edge devices no longer require a permanent internet connection to a third-party CA to verify the source of future uploads. A secret key is pre-installed in the EEPROM of the secure microcontroller during production and this then acts as a ‘root of trust’ to authenticate the digital certificates of future software and firmware updates presented to offline edge devices in the field. This root key is protected by strong cryptographic hardware security features in the microcontroller IC which are guaranteed to prevent unauthorized access and tampering by intruders. Another advantage of this approach is that if the edge device manufacturers choose to use alternative software providers, there is no need to make any physical change to edge devices in the field. Since the digital certificate to be used by the new software provider is electronically signed by the edge device manufacturer, field devices will still be able to verify authenticity using their stored key. A further advantage of using a separate microcontroller to handle security features is that the main system controller can dedicate all its processing capacity to performing its core functions.
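The offline verification chain described in this section and the preceding discussion of the PLC that depends on a live connection to a third-party CA, as an added example written for this article rather than code from any edge-device or IC vendor. The device holds only the manufacturer's root public key, provisioned at production; the manufacturer's own CA signs each software provider's key; and the device checks the provider certificate and the image signature with no network access at all, so unplugging the network cable changes nothing. The names (`ProviderCert`, `EdgeDevice`, `RunScenario`), the choice of Ed25519, the simplified certificate layout and the sample keys and image are all assumptions of this example; a real device would use X.509 or a similar format and keep the root key inside the secure microcontroller rather than in a Go struct.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// ProviderCert is a minimal certificate issued by the device manufacturer's own CA
// to a software provider: the provider's public key, signed with the manufacturer's
// root private key. (Simplified stand-in for an X.509 certificate; an assumption.)
type ProviderCert struct {
	Provider string
	PubKey   ed25519.PublicKey
	RootSig  []byte // manufacturer signature over certBody(Provider, PubKey)
}

// FirmwareUpdate is the bundle presented to the device, e.g. on a USB stick:
// the image, the provider's certificate, and the provider's signature over the image hash.
type FirmwareUpdate struct {
	Image []byte
	Cert  ProviderCert
	Sig   []byte
}

// certBody serialises the certificate fields unambiguously (length-prefixed name).
func certBody(provider string, pub ed25519.PublicKey) []byte {
	body := make([]byte, 2, 2+len(provider)+len(pub))
	binary.BigEndian.PutUint16(body, uint16(len(provider)))
	body = append(body, provider...)
	return append(body, pub...)
}

// IssueProviderCert runs at the manufacturer's CA, never on the device.
func IssueProviderCert(rootPriv ed25519.PrivateKey, provider string, pub ed25519.PublicKey) ProviderCert {
	return ProviderCert{Provider: provider, PubKey: pub, RootSig: ed25519.Sign(rootPriv, certBody(provider, pub))}
}

// SignFirmware runs at the software provider before an image is shipped.
func SignFirmware(provPriv ed25519.PrivateKey, cert ProviderCert, image []byte) FirmwareUpdate {
	digest := sha256.Sum256(image)
	return FirmwareUpdate{Image: image, Cert: cert, Sig: ed25519.Sign(provPriv, digest[:])}
}

// EdgeDevice models the offline device. Its only trust material is the
// manufacturer's root public key, provisioned at production time.
type EdgeDevice struct {
	RootPub   ed25519.PublicKey
	Installed []byte
}

// Install verifies the whole chain without network access: root key -> provider
// certificate -> image signature. Any failure rejects the update (fail closed).
func (d *EdgeDevice) Install(u FirmwareUpdate) error {
	if len(u.Cert.PubKey) != ed25519.PublicKeySize {
		return errors.New("certificate: malformed provider key")
	}
	if !ed25519.Verify(d.RootPub, certBody(u.Cert.Provider, u.Cert.PubKey), u.Cert.RootSig) {
		return errors.New("certificate: not issued by the manufacturer's CA")
	}
	digest := sha256.Sum256(u.Image)
	if !ed25519.Verify(u.Cert.PubKey, digest[:], u.Sig) {
		return errors.New("image: signature does not match image")
	}
	d.Installed = u.Image
	return nil
}

// RunScenario exercises three cases: a genuine update installs, a tampered image
// is rejected, and an update whose certificate was not signed by the manufacturer
// is rejected. All keys and the image are constructed for this example.
func RunScenario() (genuineOK, tamperedRejected, rogueRejected bool) {
	rootPub, rootPriv, _ := ed25519.GenerateKey(rand.Reader)  // manufacturer root key
	provPub, provPriv, _ := ed25519.GenerateKey(rand.Reader)  // approved software provider
	roguePub, roguePriv, _ := ed25519.GenerateKey(rand.Reader) // key of an unapproved party

	device := &EdgeDevice{RootPub: rootPub}
	cert := IssueProviderCert(rootPriv, "Example Software Ltd", provPub)
	image := []byte("PLC firmware v2.1 (constructed sample image)")

	genuineOK = device.Install(SignFirmware(provPriv, cert, image)) == nil

	// Same valid signature, but one byte of the image altered in transit.
	tampered := SignFirmware(provPriv, cert, image)
	tampered.Image = append([]byte{}, image...)
	tampered.Image[0] ^= 0xFF
	tamperedRejected = device.Install(tampered) != nil

	// A "certificate" for the rogue key signed by the rogue key itself: the device
	// only trusts certificates signed by the manufacturer's root key.
	rogueCert := IssueProviderCert(roguePriv, "Example Software Ltd", roguePub)
	rogueRejected = device.Install(SignFirmware(roguePriv, rogueCert, []byte("unapproved image"))) != nil
	return
}

func main() {
	g, t, r := RunScenario()
	fmt.Printf("genuine installed: %v, tampered rejected: %v, rogue certificate rejected: %v\n", g, t, r)
}
```

Swapping in a new software provider here means issuing one more `ProviderCert` at the manufacturer's CA; nothing on the fielded device changes, which is the property the section describes.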
Authenticating disposable and replacement parts used with field devices should, in theory, be a relatively straightforward task. Many IC manufacturers provide electronic authenticators to perform this function. However, attackers go to such extremes as reverse engineering these parts to discover the stored keys that allow them to create counterfeit clones that can fool an edge device into believing that they are genuine. A recent innovation in this area is a range of authentication ICs which their manufacturer claims are physically unclonable. Slight statistical variations in the semiconductor process technology are used to create stored keys during manufacture. This means that even if an intruder attempts to observe or probe the contents of the IC package, the stored key immediately changes, thereby making its discovery impossible.
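The challenge-response check that electronic authenticator ICs of the kind mentioned above commonly implement, as an added example and not code from the article or from any IC vendor. It assumes an HMAC-SHA256 challenge-response in which each part's secret is derived from a host master key and the part's public serial number; the names (`Authenticator`, `Host`, `RunPartScenario`), the serial number and the keys are constructed. The physically unclonable key generation the article describes is not modelled: the secret here is an ordinary byte slice, which is exactly the material a reverse-engineered part gives up and a PUF-based part is claimed not to.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Authenticator models the IC inside a genuine consumable: a public serial number
// plus a secret it never outputs, answering challenges with HMAC-SHA256.
type Authenticator struct {
	Serial []byte
	secret []byte
}

// Respond computes HMAC(secret, serial || challenge).
func (a *Authenticator) Respond(challenge []byte) []byte {
	m := hmac.New(sha256.New, a.secret)
	m.Write(a.Serial)
	m.Write(challenge)
	return m.Sum(nil)
}

// deriveSecret diversifies the master key per serial number, so the secret of one
// part tells an attacker nothing about the secret of another.
func deriveSecret(master, serial []byte) []byte {
	m := hmac.New(sha256.New, master)
	m.Write([]byte("consumable-secret:"))
	m.Write(serial)
	return m.Sum(nil)
}

// ProvisionPart runs on the production line and loads the part with its secret.
func ProvisionPart(master, serial []byte) *Authenticator {
	return &Authenticator{Serial: serial, secret: deriveSecret(master, serial)}
}

// Host is the edge device. In a real design the master key would live in its
// secure microcontroller rather than in plain memory (assumption of this model).
type Host struct {
	master []byte
}

// Authenticate sends a fresh random challenge and compares the part's answer in
// constant time. Because the challenge is new each time, a recorded answer from an
// earlier session cannot be replayed.
func (h *Host) Authenticate(serial []byte, respond func([]byte) []byte) bool {
	challenge := make([]byte, 32)
	if _, err := rand.Read(challenge); err != nil {
		return false
	}
	expected := (&Authenticator{Serial: serial, secret: deriveSecret(h.master, serial)}).Respond(challenge)
	return hmac.Equal(expected, respond(challenge))
}

// RunPartScenario reports whether a genuine part passes, whether a part that copied
// only the public serial number (but not the secret) fails, and whether replaying a
// previously observed answer fails.
func RunPartScenario() (genuineOK, cloneRejected, replayRejected bool) {
	master := make([]byte, 32)
	rand.Read(master) // constructed master key for this example
	host := &Host{master: master}
	serial := []byte("SN-0001") // constructed serial number

	genuine := ProvisionPart(master, serial)
	genuineOK = host.Authenticate(serial, genuine.Respond)

	// Same serial, but the secret was never recovered: all-zero guess.
	clone := &Authenticator{Serial: serial, secret: make([]byte, 32)}
	cloneRejected = !host.Authenticate(serial, clone.Respond)

	// An answer captured from an earlier exchange, returned regardless of challenge.
	recorded := genuine.Respond([]byte("challenge from an earlier session"))
	replayRejected = !host.Authenticate(serial, func([]byte) []byte { return recorded })
	return
}

func main() {
	g, c, r := RunPartScenario()
	fmt.Printf("genuine accepted: %v, clone rejected: %v, replay rejected: %v\n", g, c, r)
}
```

The scheme stands or falls on the per-part secret staying inside the part, which is why the article's point about key extraction by reverse engineering, and the unclonable-key response to it, matters more than the protocol itself.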
Figure 4: Secure integrated circuits provide tamper-proof protection for encryption keys
Edge computing devices interface with the real world in real time in applications where network latency is intolerable. Protecting these devices in the field requires additional physical cybersecurity countermeasures to guard against counterfeit software uploads and cloned replacement parts. Edge devices that rely on connecting to an online certification authority to verify the digital certificates of software/firmware uploads are vulnerable to attack when offline. Manufacturers can overcome this vulnerability by implementing their own CA using an additional secure microcontroller. To guard against the use of counterfeit or cloned replacement parts, manufacturers can now choose a tamper-proof authentication IC that is physically impossible to clone.