All cyber systems are built using the physical hardware of the semiconductor chips found in all modern electronics, computers, communications networks and other critical infrastructure. These chips are becoming faster, cheaper and more powerful, and this has enabled the rise of artificial intelligence, the internet of things (IoT), and autonomous systems as key technologies of the future. Cybersecurity technological environment risk management has become a compliance requirement for those in the critical infrastructure industries. This is because for those in the critical infrastructure space, a cyber-attack can also pose physical threats.
As the world becomes increasingly reliant on advanced technologies for economic growth and national security, implicit trust in hardware becomes an untenable option. Ultimately, hardware is the foundation for digital trust. A compromised physical component can undermine all additional layers of a system’s cybersecurity to devastating effect. Hardware security, therefore, focuses on protecting systems against the vulnerabilities at the physical layer of devices. Recent global developments call for a greater focus on hardware security to ensure the continued health of our increasingly interconnected world, through cybersecurity technological environment risk management.
Critical infrastructure protection is a long-standing priority, but many organisations are behind in their response to cyber threats. Organisations managing critical infrastructure must develop a proactive cybersecurity technological environment risk posture.
Hardware, software, and firmware are the three core components that make up computers and systems. Hardware includes the physical components of a computer system, which may wear out over time and require replacement. Software includes sets of instructions that allow a variety of inputs from the user. Firmware is a specific type of software that is designed to act as the intermediary between the software and hardware or for the operation of single-purpose embedded systems, such as printers or routers. End users typically have limited interaction with firmware and it is modified infrequently.
Hardware attacks take advantage of vulnerabilities in hardware-manufacturing supply chains. Modern chips are incredibly complex devices consisting of billions of transistor components that can be compromised during the processes of design, fabrication, and assembly and testing.
The complexity of integrated circuits and microelectronics makes hardware vulnerabilities difficult to detect. Physical modifications to a single integrated circuit can be well hidden among the sheer number of valid components, and can function undetected for a long time. A well-designed hardware vulnerability could therefore go undetected until well after the malicious hardware has been widely incorporated into critical infrastructure.
Cybersecurity Technological Environment Trends
Globalisation has transformed the semiconductor industry over the past few decades. Original equipment manufacturers have relocated their assembly plants and foundries to inexpensive geographic regions and have tapped into economies of scale by outsourcing manufacturing to dedicated suppliers. The semiconductor industry has experienced a 90% contraction in the number of companies with leading-edge fabrication capabilities, with only three remaining companies maintaining foundries.
The growing expense of advanced semiconductor fabrication reflects the fact that technological growth in semiconductors has largely been driven by process innovation and advanced hardware architecture design. The primary semiconductor technology has not fundamentally changed since its invention in the 1960s. Rather, advanced manufacturing and innovative designs allow smaller semiconductor structures to be packed with increasing density to boost computational power.
All nations and their economies are increasingly dependent on advanced semiconductor-based technologies for high-tech sectors and economic growth. This is reflected by the technological investments of well-resourced nations that seek to bolster their semiconductor manufacturing and innovation base by concentrating on developing critical technical expertise and production capabilities.
Component manufacturing capabilities and the technical workforce have consequently been concentrated in a few countries around the world. This has led to the current paradigm of haves and have-nots in semiconductor innovation and fabrication. Growing competition among the resourced nations to take the lead in semiconductor-manufacturing technology and innovation is ongoing, and impacts hardware security through changes in oversight and control of the supply chain. Nations without a semiconductor industry are exposed to geopolitical risks akin to those faced by commodity markets, such as oil dependence in the energy sector, and will have little influence over the security standards for hardware.
Achieving trusted hardware
Semiconductor technologies are essential to today’s economy and tomorrow’s prosperity. Consumers of microelectronics, from governments to corporations to individuals, purchase hardware with implicit trust, thereby exchanging security for capability. Ultimately, global cybersecurity requires diversified manufacturing sources of critical cyber infrastructure and future advances in hardware. Hardware manufacturers may also seek to ensure security and standards in their supply chain, and may be compelled to do so by governmental regulations.
Hardware security should be approached cooperatively by the private and public sectors. Both sectors have an important role to play in ensuring the safety and security of our digital infrastructure. This partnership should emulate well-established mechanisms in other engineering disciplines, such as civil or aeronautical engineering. The public sector sets standards and controls while the private sector designs, manufactures, builds and sustains. In the past, the global community learned how to secure our physical infrastructure to safeguard our safety; now it is time to learn from that past and apply the same principles to secure our hardware.
The potential magnitude of impact of a successful hardware attack makes designing a comprehensive mitigation strategy imperative. Such an approach should seek not only to prevent a hardware vulnerability from occurring during the manufacturing stages, but also to enable systems to identify and respond to attacks as they take place. Prevention requires shoring up all stages of the manufacturing supply chain and developing thorough means of testing. Identification and response require designing integrated circuits with security features to detect, quarantine and shut down attacks as they occur. Success in achieving hardware security is possible only if attacks are treated as inevitable rather than merely plausible, and are therefore pre-empted.
Future Cybersecurity Technological Environment
Over the past decade, criminals have been able to seize on a low-risk, high-reward landscape in which attribution is rare and significant pressure is placed on the traditional levers and responses to crime. In the next 10 years, the cybersecurity landscape could change significantly, driven by a new generation of transformative technology. To understand how to secure our shared digital future, De Morgan Intelligence are researching how cyberthreats will change and how the consequent risk landscape will be transformed. This critical and urgent analysis is based on evidence and research. By doing this, we can help build a new generation of cybersecurity defences and partnerships that will enable global prosperity.