Given the extension of the field of IT security, project BIECO will focus on three specific scenarios among those which are identified as relevant by ICT Security experts.

  1. Insertion of intended faults within software smart agents that are deployed at runtime. These intended faults can manifest into malicious behaviour in key situations.
  2. Exploitation of architecture vulnerabilities though physical attacks
  3. Exploitation of “morally degraded” technologies for attacks (attackers become smarter than the current technology in use).

1.1.Relevant scenarios

A wide number of critical scenarios has been recently reported by ENISA[1]: a concise document describes the analysis of several security scenarios starting from the identification of high-level categories of security threats according to a research and validation work carried out on the basis of interviews and surveys involving experts.

1.2.Physical Attacks

1.2.1. Sabotage

Assembly pipelines can provide malicious actors with the opportunity to interfere and inject defects both to HW and SW components, which may be exploited at a later time causing problems (including the total shutdown of the production line or malfunctions of the product).

This case is impacting Component assembly and embedded SW implementation.

1.2.2. Grey Markets

Defective, discarded or lost products may be offered in grey markets outside proper distribution networks. Such systems may lead to the release of untested and unreliable final products.

The two stages where the problem may occur are technical support and maintenance or device retiring and disposal.

1.2.3. Exploitation of Inadequate Physical Enclosures

This situation is referred to HW devices which should feature physical tamper-proof. This aspect involves the proper design and choice of material to avoid illegal malicious access to core elements. A significant example is given by the maintenance ports which should be disabled or removed prior to field installation to avoid their usage by attackers.

The lack of tamper-proof solutions can be exploited in Service provision and end-user operation phases as well as in technical support and maintenance.

1.3.Intellectual Property Loss

1.3.1. IP Theft

The illegal acquisition, exploitation, storage or distribution of intellectual property and sensitive information (e.g., design documents, source-code, credentials etc.) represent a previous asset for attackers. This threat is usually handled in a security-by-obscurity approach – which is subject to much criticism by experts.

Mainly, product design and component manufacturing can be affected by IP theft.

1.3.2. Reverse Engineering

While reverse engineering is not a threat for itself, it should be considered similarly to IP theft in the sense that both ways lead to the discovery and release into public domain of design details, vulnerabilities or backdoors, which can be exploited by attackers.

Usually, reverse engineering takes place during component assembly and SW embedding, device programming as well as technical support and maintenance or device retiring and disposal.

1.3.3. Overproduction and Cloning

This practice relates to fabricating a product, whose design specifications have been provided under a limited agreement by the rightful owner, outside of the bounds of the legal contract. Malicious parties can clone physical characteristics, FW and SW or the security configuration of a given device. Clones may include modifications and backdoors (for later reverse engineering or access) and then be sold on the market at cheaper prices. Alternatively, a genuine device can be substituted with a modified clone during transportation or commissioning.

The affected phases are component manufacturing and assembly or SW embedding.

1.4.Abuse and Manipulation

1.4.1. Electric and Magnetic Field Attacks

Interfering with a given device at an electromagnetic level is the basis of this attack aiming at corrupting or reading system memory and thus deploy Denial-of-Service attacks or the extraction of sensitive information – including, for instance, private keys during the generation process.

Such attacks can be deployed throughout component assembly and SW embedding as well as in Service provision and end-user operations.

1.4.2. Malware Insertion

Inserting malicious software can provides illicit access and other unauthorised functionalities to attackers. The operation can be carried out in the frame of insecure update mechanisms and poisoned software providers. This is a major concern in the area of IoT gateways which can be turned in a source of threats – these nodes, originally conceived to support security, can represent a main way to get access into trusted networks once compromised.

Many stages can be affected, ranging from component manufacturing and assembly to SW embedding and device programming, from Iot platform development to Service provision and end-user operation.

1.4.3. Debug Interface Exploitation

Debugging of IoT devices is a hard task especially when it comes to ensure confidentiality, integrity and availability. Standards do not specify how to implement debugging interfaces (e.g., JTAG) which are intended for internal use; if improperly disabled they may end-up in the final design and be vailable in production and assembly stages. Included with malicious intent or just for oversight, they enable access in the system of the final product at a dangerous level.

Their exploitation can be deployed in service provision and end-user operations, mainly.

1.4.4. Tampering and Counterfeits

Unauthorised supplier may distribute counterfeit products (specially chips) featuring malicious and modified modules (e.g., HW trojans) or non-validated parts that may increase the entity of vulnerabilities in the final product, which is referred to as tampered product. Such unauthorised chips and, more in general, HW components may come from similar parts with lower tolerances and capabilities and from reused, defective and disposed-of parts,

Opportunities for tampering can be found in many stages: semiconductor fabrication, component manufacturing and assembly.

1.5.Legal

1.5.1. Implications due to standard and Regulation non-compliance

Conceiving and designing privacy (encryption) processes is a challenge constrained by laws and regulations. Besides, actors have their own different interpretation of security issues. Service-Level-Agreements (SLAs) are meant to ensure common contractual view of the whole platform to be implemented: they specify security-guidelines which all components have to comply with. Furthermore, General Data Protection Regulation (GDPR) and local regulation must be applied as well. The result is that many existing and available components should not be included in the final product, leading to cost increase and production slow-down.

As initially mentioned, product design, service provision and end-user operation as well as technical support and maintenance may be heavily affected by these issues.

1.6.Unintentional Damage or Loss of Information

1.6.1. Compromise of Network

Lack of Quality of Services (QoS) and firewall policies may easily lead to compromised nodes in a network. The situation can be weaponised to organise large-scale attacks, such as Denial of Service (DoS), or degrade the supply-chain operations. Nodes with direct access to the Internet are the most exposed.

This kind of actions can be implemented at different levels: product design, device programming, service provision and end-user operations.

1.6.2. Use of Factory Authentication Settings

Authentication credentials of devices should never be fixed or derived from easily accessible information – for instance Media Access Control (MAC) address. This is of particular concerns for updates, which represent a critical point in security. Devices should be assigned unique random credentials during manufacturing.

These aspects involve product design, components assembly, SW embedding, device programming, together with service provision and end-user operations, technical support and maintenance.

1.6.3. Undetected SW or HW Disruptions of Devices

Extensive monitoring of all supply chain systems should be ideally implemented for early detection of HW and SW issues. The more proactive is the approach, the lower the number of disruptions and down-times in the supply chain in comparison to reactive measures only.

This kind of issue is affecting all stages of the supply chain and of the product life cycle.

1.6.4. User Errors

Informing and training users is a good approach to raise awareness of system functionality and secure risks. Human errors represent one of the most direct approaches to attackers aiming at breaking through a system security, be the case of internal members acting on critical systems or of end users improperly setting or using their own devices even when adequate protection measures are available. The topic also relates to other aspects of security since communication interception, among stakeholders in the supply chain for instance, and other social engineering attacks may open the way to more serious vulnerabilities.

Thus, all the above may concerns service provision and end-user operations, technical support and maintenance, device recovery and repurpose.

1.6.5. Technological Evolution during Device Lifecycle

Unexpected vulnerabilities may appear along a device life cycle due to technology improvements beyond the state of the art at design and implementation stages. This is particularly impactful in the case of long life-cycle products, as is the case of vehicles. An example is represented by the inability to enhance encryption strength after a flaw has been discovered in the previous scheme or the SW vendor disrupt support to its product.

Involved stages are service provision and end-user operation, technical support and maintenance.

1.6.6. Use of unpatched devices and systems

While new vulnerabilities may be commonly found during a device life cycle, as expected, a SW update mechanism needs to be implemented to avoid lacking the possibility to react to a new security risk. Noteworthy this tool should implement all measures to avoid code tampering and ensure genuine FW upload.

1.6.7. Cloud Service Disruption

Cloud-service based systems which are critical to the supply chain should be designed to run core operations even when off-line for extended time periods. A common example is given by the availability of some form of backup service when the service vendor goes out of business. Another frequent situation comes from the malicious takeover of domain names seriously impacting cloud services for which security measures need to be implemented.

Starting from device programming and IoT platform development, through service provision up to end-user operation, this issue must be taken into account.

1.6.8. Recovery Procedures Failure

A system may be unable to recover as a consequence of an attack; furthermore, FW, settings and credential might need to be updated along the device lifecycle. Also here comes into play the chain of trust with different implementation approaches, depending on the situation: the whole recovery procedure must be planned for the different potential situations that might cause security issues and stop or worsen device services. Criticality levels must be considered to select the appropriate solution.

Service provision and end-user operation are most affected by the problem in addition to technical support and maintenance.

1.6.9. Attack to Registration Procedures

Insecure registration procedures offer to attackers the opportunity to register malicious devices or prevent the proper registration of regular ones. Authentication platforms are dedicated to this purpose after device initialisation in manufacturing line and prior to final user provisioning in order to grant them proper access to services.

This aspect is covering device provisioning, IoT platform development, Service provision and end-user operation, technical support and maintenance.

1.6.10. Use of Recovered or Repurposed Components

Reuse of components regularly applied in a supply chain may seem a valid option for cost optimisation and timesaving. If not properly validated for reinsertion, they could contaminate an otherwise secure batch of devices.

This threat holds in device recovery and repurpose.

1.6.11. Attack to Manufacturing Processes

Within a supply chain the manufacturing pipelines are among the most sensitive zones. The lack of proper measures to regulate and monitor personnel access can rise security issues and create vulnerabilities. In the simplest scenario such a situation can lead to further threats as the already described sabotage or malware injection.

Among the most sensitive stages, along the supply chain, are semiconductor fabrication, component manufacturing and assembly, together with SW embedding.