Physical-Device Recognition Improves Cyber Security

By Jim White, vice president of critical infrastructure security at Uniloc

At the top of the list of critical projects for both the U.S. government and information technology (IT) groups that support our critical infrastructure is making that infrastructure invulnerable to cyber-attack. All concerned have recognized the supreme importance of protecting our critical infrastructure, noting that the consequences of a breach could be disastrous, going far beyond the results of the malicious misuse of data.

Cyber-attacks on any of the critical infrastructure sectors could lead to specific and even catastrophic consequences to the country. The deployment by these sectors of special hardware and software applications as industrial control systems (ICS) to control critical assets for production and distribution makes it imperative that only limited access to them be provided, and only to those who have the specific clearance, knowledge and training for their safe operation.

CSIS: Strong Authentication Should be Mandatory
In December 2008, the Center for Strategic and International Studies (CSIS) presented a report entitled “Securing Cyberspace for the 44th Presidency,” which emphasized the critical importance of addressing these vulnerabilities. The report called for the use of “strong authentication,” most often defined as a form of computer security in which the identities of networked users, clients and servers are verified without transmitting passwords over a network. The report said:

The United States should make strong authentication identity, based on robust, in-person proofing and thorough verification of devices, a mandatory requirement for critical cyber infrastructures (ICT, energy, finance, and government services).

The authors of “Physical and Logical Security Convergence” also recommend strong authentication based on identity and trust-based security:

“Build upon identity with strong authentication.
To make identity a building block of security, it must be supported with a failsafe method of authentication where one entity can identify another entity with absolute certainty. This kind of authentication must be tamper-proof to ensure that identities cannot be stolen, copied, or falsified.

Allow organizations to create trust relationships.
Once technologies have unique, secure identities that can be authenticated, large companies must have the capabilities to map technology identities together to form trust relationships. For example, entities A and B could be grouped into exclusive trust relationships based upon their identities. In this example, no other identity is trusted by either A or B and all are therefore restricted from communicating with both. By defining who can participate in an activity, trust relationships preclude malicious outsiders from gaining access to an IT asset, and thus lower the risk of an accidental or intentional compromise.”

Strong Authentication via Asset-centric Identification
The objectives and tenets of strong authentication outlined in the excerpts above and in the CSIS report align well with technology that identifies machine and device assets. This lends itself to an approach centered on building a “white list” of approved devices and the users operating them. Acceptance into the white list would be based on a highly secure “fingerprint” of any device or asset that attempts to communicate, and access is granted only if that fingerprint matches an entry in the list of authorized devices.

Trust relationships have long been the guiding principle for both interpersonal and business relationships. In the same sense that business and finance people need to know the people and organizations with whom they’re doing business, the work of maintaining and protecting critical infrastructure must also rely on a foundation of trusted people, controls, and devices.

The Three A’s: Authentication, Authorization and Audit
Authentication, authorization, and audit are the three elements of the AAA security framework incorporated into protocols such as Kerberos and RADIUS.

Authentication is the establishment of the digital identity of one entity on a network to another entity.
Authorization is the process of granting or denying explicit types of privileges to entities or users attempting access or communication on a network.
Audit (sometimes referred to as Accounting) is the process of tracking an entity’s or user’s consumption of network resources.

Of these three elements, authentication is the most critical for protecting cyber assets in the key sectors of critical infrastructure. If access can be tightly controlled with the most secure authentication available, the threat is essentially eliminated.

Limitations of Traditional Authentication Technologies
A variety of technologies have been deployed to provide authentication, but all have some inherent weaknesses, many of which have been documented at length.

Many financial institutions have turned to anti-phishing technologies that rely on specific images and security questions to provide a second layer of authentication before granting access. This approach depends on the criminal’s inability to intercept the image or security questions. However, two Indiana University professors created a proof-of-concept program showing precisely how phishers could act as the “man in the middle” to defeat the technology’s protections.

Some credentials-based authentication mechanisms have security flaws that allow an attacker to brute-force valid user credentials even after repeated authentication failures and even after the account’s lock-out mechanism has been triggered.

Token-based authentication systems, which rely on objects such as cards with magnetic stripes, SecurID cards, USB keys, or smart cards, are more difficult to hack, but offer no protection if a token is stolen.

The challenge has always been to find a way to deploy highly sophisticated authentication technologies without:

  • Impacting the operations of critical systems and networks
  • Requiring a staff of experts to administer and manage the security.

Locking a Single Device to a Credential
One new approach involves basing security credentials on the machines or devices that attempt access to a network, rather than on individual people or on their membership within approved organizations. Called physical device recognition (PDR), the technology uses the unique hardware characteristics, or “asset DNA,” of a user’s computer to generate a unique signature or “device fingerprint” for that specific device. This fingerprint is then used as an online credential that is “locked” to that device and serves as its authentication credential.

This approach to PDR employs a combination of two characteristics essential to genuine security for technology assets: uniqueness and integrity.

Uniqueness: 10-50 different components can be analyzed, depending on the type of device being fingerprinted and which components are present. Each component can have a number of different attributes or variables available for inclusion in the fingerprint: the presence of the component, serial numbers, version numbers, static metrics, number of ports, slots, etc. From among thousands of potential combinations, these variables can be assembled into a unique fingerprint for the host device.

Integrity: Security technologies such as obfuscation, encryption and hashing work together to give the physical device credential its integrity. Any attempt to copy, tamper with or reverse-engineer a device credential should render it invalid, and the credential should be impervious to attempts to intercept it, record it, or play it back from another machine.

Asset DNA Offers More Definitive Access Control
Uniloc USA, the developers of a patented physical device recognition technology called Uniloc, performed a study of various clients and implementations over the past 14 years and found that there has never been an instance of a set of identical physical device fingerprints.

Since the systems, applications, network infrastructure, and users of control systems are generally better defined and controlled than those of other functional environments within an organization, using an asset’s DNA to generate a unique identifier lets a company definitively control who should have cyber-access to critical assets.

Once a unique device has been assigned a unique credential, it can be added to the “white list” or “trusted device network.” Absolutely no other machine or device is given access under any circumstances. Thus, the trusted device network meets the critical challenge of strong authentication and forms the basis for an impermeable defense for critical infrastructure IT.
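The following is an added illustration, not Uniloc’s product code, of the uniqueness and integrity properties described above and of the trusted-device white list: a fingerprint is derived from a canonically ordered set of hardware attributes (the component inventory below is constructed with placeholder values), the fingerprint never leaves the device but keys a response to a fresh server nonce, and the server accepts only enrolled devices, so a recorded response cannot be replayed from another machine. The specific attribute names and the HMAC challenge-response scheme are assumptions chosen for the example.

```python
import hashlib
import hmac
import os

# Constructed sample inventory (placeholder values, not real serials);
# a real collector would read these attributes from the host hardware.
SAMPLE_COMPONENTS = {
    "cpu": {"vendor": "ExampleCPU", "serial": "CPU-0001-AAAA", "cores": 4},
    "mainboard": {"serial": "MB-7788", "bios_version": "1.02"},
    "disk0": {"serial": "DSK-123456", "size_gb": 512},
    "nic0": {"mac": "02:00:00:aa:bb:cc"},
    "ram": {"slots": 2, "size_gb": 16},
}

def device_fingerprint(components: dict) -> bytes:
    """Combine every component attribute into one fixed-length digest.
    Canonical ordering makes the same hardware yield the same value;
    the digest discloses none of the raw serial numbers."""
    canonical = "\n".join(
        f"{comp}.{attr}={components[comp][attr]}"
        for comp in sorted(components)
        for attr in sorted(components[comp])
    )
    return hashlib.sha256(canonical.encode()).digest()

def device_id(fingerprint: bytes) -> str:
    """Public label for a device; cannot be turned back into the
    fingerprint, which is used as the secret key below."""
    return hashlib.sha256(b"device-id|" + fingerprint).hexdigest()

def enroll(components: dict, trusted: dict) -> str:
    """Add a device to the trusted-device white list; returns its id."""
    fp = device_fingerprint(components)
    did = device_id(fp)
    trusted[did] = fp
    return did

def new_nonce() -> bytes:
    """Server side: fresh random challenge for each authentication."""
    return os.urandom(16)

def sign_challenge(components: dict, nonce: bytes) -> bytes:
    """Device side: answer the nonce with an HMAC keyed by the locally
    recomputed fingerprint. A captured answer is useless for any other
    nonce, and a machine with different hardware derives a different key."""
    return hmac.new(device_fingerprint(components), nonce, hashlib.sha256).digest()

def verify(trusted: dict, did: str, nonce: bytes, response: bytes) -> bool:
    """Server side: accept only an enrolled id whose response matches."""
    fp = trusted.get(did)
    if fp is None:
        return False
    expected = hmac.new(fp, nonce, hashlib.sha256).digest()
    return hmac.compare_digest(expected, response)
```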

About the Author:
A seasoned professional with experience in computer hardware, software and networking businesses, Jim previously served as CEO of BW2 Solutions and Alteer Corporation. Prior to this he served as senior vice president and general manager of Wonderware, president of The Jamar Group and managing partner at Group 6 Security, LLC. Jim served in the US Army Special Forces as a Green Beret.

i. “Securing Cyberspace for the 44th Presidency: A Report of the CSIS Commission on Cyberspace for the 44th Presidency,” Center for Strategic and International Studies, December 2008.

ii. “Physical and Logical Security Convergence,” by Brian T. Contos, William P. Crowell, Colby DeRodeff, Dr. Eric Cole, Syngress Publishing, 2007.