A detailed view of the CERN Computer/Data Centre and server farm in Meyrin, Switzerland. Today’s columnist, Jessica Amado of Sepio, offers insights into why security pros should care about hardware security. (Photo by Dean Mouhtaropoulos/Getty Images)

We all want and need security: it’s a basic human instinct that applies to all aspects of life. From the prehistoric days of a cave and bonfire, security has evolved to the cyber domain in our modern world. Today, there’s a large focus on endpoint and network security, with enterprises investing heavily in these areas. However, hardware security gets neglected, leaving a massive gap in defense capabilities. But how do we define hardware security? And if enterprises seem to ignore it, should we pay attention to it?

What is hardware security? 

Hardware security functions as an essential component of cybersecurity. Through Layer 1 visibility, hardware security provides enterprises with a complete picture of all assets within their infrastructure. This lets enterprises gain proper control over their assets and ensure policy enforcement, which is paramount to a strong cybersecurity posture. Further, asset visibility equips enterprises with the means to identify rogue and vulnerable devices that could get used to execute a hardware-based attack.

Why are so many security pros unaware of hardware security? 

The lack of hardware security awareness largely stems from its lack of media coverage. Now, one may think that if the topic were so important, it would receive widespread recognition. Well, ironically, because of a lack of hardware security, hardware-based threats go unidentified. Manipulated devices operate on Layer 1, where existing security solutions, such as NAC, EPS, IDS, or IoT Network Security, are not covered.

As a result, without hardware security in place, there’s no mechanism to detect suspicious activity occurring on the physical layer, Layer 1. Instead, enterprises are under the false pretense that there are no hardware vulnerabilities. Similarly, should a hardware-based attack take place, it gets misdiagnosed as a quotidian attack. The visibility gap makes it near impossible to correctly identify the attack's origin (i.e. a hardware attack tool), meaning it gets wrongly attributed to a traditional vector, such as phishing or a zero-day software exploit. With the illusory perception that there are no hardware vulnerabilities or attacks taking place, media outlets have little to report. 

In some cases, hardware-based attacks do get correctly identified, Stuxnet arguably being the most famous example. However, the successful identification of a hardware breach in the absence of hardware security requires significant resources; assets must get individually inspected to locate the origin of the attack, an extremely time consuming and costly task. But many victims of hardware-based attacks are unwilling to come forward because of the embarrassment of the breach. Likewise, because of the sophisticated nature of hardware attack tools, victims of hardware-based attacks are often critical infrastructure providers, and shielding such information from the public rises to the level of a national security issue. As such, with the concealment of hardware-based attacks, reporters are once again left without any content to publish.

Why should security pros care about hardware security?

Rogue devices can carry out a range of malicious activities depending on their payload. From data theft and espionage to malware/ransomware injection and DDoS attacks. These rogue devices are extremely perilous tools. Because of their covert nature, these hardware attack tools undermine existing security solutions, allowing for lateral movement across the network, even bypassing air-gapped networks. This leads to the attack surface expanding significantly as the number of entry points dramatically increases.

For critical infrastructure, rogue devices pose a significant threat as an attack on the cyber-physical systems can cause operational downtime, the effects of which spill over into the physical world. Further, with rogue devices going undetected, inconspicuous attacks, such as data theft and espionage, can persist for extended periods, thus exacerbating the severity of the attack. Such features are not lost on bad actors. USB-borne threats increased by 37% in 2021, according to research by Honeywell, indicating a growing risk.

In today’s environment, with the large, and continuously expanding attack surface, hardware threats can enter through various access points, aggravating the risk. Without Layer 1 visibility, such threats go undetected, which leaves the enterprise unknowingly vulnerable and incapable of managing the risk. Therefore, by delivering complete asset visibility, hardware security ensures proper policy enforcement and protection against hardware-based attacks, effectively managing the risk.

So, while the industry does not talk much about hardware security, it doesn’t mean that security pros should overlook it. Sometimes, industry experts have to raise an issue, and we feel the need to do that with hardware security.

Jessica Amado, head of cyber research, Sepio