Systems engineering is managing the risk inherent in integrating pieces into a predictable whole. In order to make the whole system as predictable as possible, engineers rely upon standards and operational use cases.
The system is engineered with a deterministic process, meaning if “this” happens in the environment, then the system will do “that.” To trust a deterministic system prior to putting it in operation, the system is validated and verified to gather empirical evidence that the system operates as expected in known scenarios. As long as the environment and use of the system doesn’t change unexpectedly, deterministic systems allow automation.
Deterministic systems like the assembly line and microprocessors have been the growth engine powering progress to a $100 trillion world economy. Digital systems in particular have fueled growth in the last 30 years.
China, for example, has harnessed digitization to grow from a largely agrarian economy in 1980 to the top country for manufacturing output. Digital deterministic systems underpin the modern world as we know it. They are also the Achilles heel.
Systems engineering did the hard part of harnessing randomness into determinism. While reverse engineering, hacking and supply chain tainting may appear to be nearly impossible, a bad actor only needs to focus on understanding one thing: the assumptions behind determinism.
Published standards help reduce the number of assumptions bad actors have to make. Each piece of information gathered from the Internet, from an unsecure cloud, from employees or from experimenting with commercially available parts lends a clue to those assumptions and thus facilitates system exploitation. Moore’s law is slowing, and complex control systems are in service longer and longer. The predictability and lifespan of a deterministic system now become liabilities.
While IT and system-to-system communications present real attack surfaces, not enough attention is being paid to the embedded security of the devices and machines used in the manufacturing process. Recent supply chain compromises have only underscored the need to focus on embedded security.
A large part of the technical solution to security relies upon authentication to ensure data is encrypted. Encryption relies upon keys generated from a random source. But that “random” source is often also deterministic. Today’s industry standard encryption would take 50 supercomputers about 3x10^51 years to run through the possible key combinations. The premise of current encryption techniques isn’t that it’s impossible to reverse engineer but that it places time back in the favor of the operator instead of the bad actor.
Quantum computing is expected to be 100 million times faster than today’s standard and could reduce that brute force attack time from 3x10^51 years to less than two weeks. Even before quantum computing becomes a reality in the wrong hands, today’s systems leak clues about encryption algorithms, which make it possible for a graduate student to uncover the encryption keys in a matter of days.
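The point above that the “random” source behind a key is often deterministic can be measured on a device's key generator. The following is an added example, not code from this article: it compares the nominal key length with the entropy a key actually carries when it comes from a seeded general-purpose generator. The firmware behaviour (seed taken from seconds since boot), the one-hour window and all function names are assumptions made for illustration.

```python
import math
import random
import secrets

KEY_BYTES = 16  # 128-bit key; constructed value for this example


def weak_keygen(boot_seconds: int) -> bytes:
    """Key from a general-purpose PRNG seeded with a predictable value.

    Hypothetical firmware behaviour: seed = seconds since boot.
    """
    rng = random.Random(boot_seconds)
    return bytes(rng.getrandbits(8) for _ in range(KEY_BYTES))


def strong_keygen() -> bytes:
    """Key drawn from the operating system's CSPRNG."""
    return secrets.token_bytes(KEY_BYTES)


def effective_key_bits(seed_window: range) -> float:
    """Upper bound on key entropy when the seed must lie in seed_window.

    The key is a pure function of the seed, so there can be no more
    distinct keys than there are possible seeds.
    """
    distinct_keys = {weak_keygen(seed) for seed in seed_window}
    return math.log2(len(distinct_keys))


def audit() -> dict:
    # Constructed assumption: the device generates its key within one hour of boot.
    window = range(0, 3600)
    return {
        "nominal_bits": KEY_BYTES * 8,
        "effective_bits": effective_key_bits(window),
        "same_seed_same_key": weak_keygen(42) == weak_keygen(42),
        "csprng_keys_differ": strong_keygen() != strong_keygen(),
    }


if __name__ == "__main__":
    for name, value in audit().items():
        print(f"{name}: {value}")
```

The brute-force time quoted for a key only applies when `effective_bits` is close to `nominal_bits`, which requires seeding from a hardware entropy source or the OS CSPRNG.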
A bad actor has the advantage of a predictable system and time, as well as perceived security measures often built upon assumptions that don’t really provide additional protection. So how can the digital devices that control the manufacturing process be secured? There are three primary options: