The ultimate challenge: network security. Connected but access-protected. Open standards but private keys. Locked-down but useable. Collaborative but intrusion-protected. From devices to supply chains. Where to begin?
Software security has been a hot topic ever since the first computer virus, named “Creeper”, was detected back in 1971 and Fred Cohen coined the term in 1983. Since then, the software security industry has steadily grown to $20 billion in revenue in 2014. On the other hand, hardware-level security has been the laggard, maybe even overlooked, as the focus traditionally has been on facility-level security rather than the hardware components themselves.
Recently, the advent of smart connected devices within the Internet of Things, 3D printing and easy transportability of computer designs, among others, has accelerated the need for hardware security paired with software security in network devices. Hardware and software protection are synergistic and interdependent--the yin and the yang.
Unfortunately, our society today has a dark side that intensifies the urgency to integrate them for 360-degree security as we cross the globally competing interests of cultures, governments and businesses. Hardware and software tampering has become the “big business” of counterfeiting and diversion in our world of global supply chains and contract manufacturing, large-scale software-driven critical infrastructure for electricity and transportation, and the necessity of maintaining longer product lifecycles in military defense.
"Acting as an invisible identifier “hiding in plain sight”, it is ready for authentication at any step of the supply chain"
Cyber-physical security is born. While the term “cyber-physical systems” was first used in 2006 as an acknowledgement of the interdependencies of hardware and software, it was only on June 30, 2014 that NIST convened the first meeting of the Cyber-Physical Working Group to drive standards and interoperability through a world of multi-vendor, globally deployed products and systems.
While much focus is placed on protecting the perimeter of a network, newer technologies are now available to protect the devices of our networks based on traceability, tamper-evidence and authenticity. The building block of the concept is the creation and encryption of forensic DNA molecular codes attached to or embedded within the hardware itself. Acting as an invisible identifier “hiding in plain sight”, it is ready for authentication at any step of the supply chain. The hardware layer, in effect, becomes the first line of defense to the software.
As the marked component becomes part of a circuit board, and the circuit board becomes part of a navigation system, and the navigation system becomes part of a complete fighter plane, the DNA of each part is referenced to the others and the software stored in a database for future audit. In effect, this multi-factor identity can be thought of as a “system genome” which can be authenticated physically “CSI-like” as it travels through its networked supply chain and into the field of use.
This Identity of Things (IDoT) technology is field-proven in marking more than 100 million pounds of U.S. cotton, more than a half-million military electronics parts, more than one million personal assets and autos, and commercial-grade batches of plastic, silicone, print media, cash-staining inks and more.
To establish its place in a network, in the vernacular of the OSI and TCP/IP network stack models, we can loosely describe:
• the physical and data-link layers as the DNA, encoded and encrypted to standards and used for traceability
• the transport layer as the item itself, whether it is labeled, inked or even embedded with DNA
• the presentation and application layers as the devices and software used for the series of validations and authentications of a given item or system, including the addition of test and trace documentation, referenceable throughout its supply chain or lifecycle
Drilling down into the “data layer” is the use of DNA as an information carrier. Continuing the trajectory of increasing information capacity from one-dimensional to two-dimensional bar coding, DNA can be thought of as a three-dimensional code carrier with higher density and capacity. Where the binary digital world offers “0” or “1” for each bit with eight bits to a byte, DNA offers four “states” for each “bit”. Each DNA “bit” is represented by combinations of its four nucleobases adenine, thymine, cytosine and guanine (shortened to A-T-C-G). Using one “byte” (or eight bases) of data as a sample comparison, the number of codes that can be generated is 28 = 256 for digital or 48 = 65,536for DNA.
At the “transport layer”, the device carries its own security by overtly marking or covertly embedding every device with a traceable DNA identity or message for traceability. Synchronizing the hardware DNA code to a software program key provides cyber-physical security at any time during the lifecycle. Physical security can be heightened by using an encrypted DNA compound in sealed seams or fasteners that become visible when broken. Evidence of physical tampering is an excellent early warning for software tampering before it is too late. Should the items be stolen, the forensic ID will be able to trace them back to their rightful owner.
The “presentation layer” of this model is formed by the readers that capture, translate and store the information in a way that enables users to validate and authenticate the products traveling through its networked supply chain within a common, trusted software application platform. This embodies an axiom of collaboration: trust is value, and authentication is its currency. It should be shared and protected by all.
The cyber-physical security concepts described here are lifelines to our population. At the network level are appliances such as routers, servers, PC’s, laptops and even mobile phones. At a supply chain level are the electronics and systems underpinnings of military aircraft. At a national infrastructure level are the miles of electrical cabling and railroad tracks. In the end, it doesn’t really matter where you begin. All it takes is one weak link.