Cybersecurity has become a critical issue in recent years. Attackers have gone professional. Some seek riches, while others desire to crush political foes. Either way, attacks have become deliberate, focused, and unrelenting. When the attack penetrates firmware, the result is particularly grim, since firmware can’t be scrubbed clean.
When sophisticated attacks are launched on network equipment, strong protection is required for network equipment, both on the device and service level. The industry consortium, Trusted Computing Group (TCG), provides security standards to keep networking services free of disruption. Membership in TCG includes the leading computer and network companies.
On a Mission to Protect Firmware
TCG is focused on protecting against the attack itself, since there is little ability to recover from a deliberate attack on firmware. “The thing that’s different about firmware, is that once it gets hacked, it may be impossible to un-hack it,” Guy Fedorkow, a distinguished engineer at Juniper Networks who works with TCG, told Design News. “If your laptop is infected, you might have to re-install the operating system. Then, whatever was hacked in the OS is gone. That’s not true of firmware. You can’t just remove it.”
TCG’s goal is to create security specifications and promote best practices for cybersecurity protection that involves firmware. TCG’s Network Equipment Working Group is tasked with providing guidance in the security design for communication devices and in the application of Trusted Computing standards within network infrastructure.
Preventive Maintenance for Firmware
TGC’s effort in creating standards is focused on warding off penetration. If you know you can’t recover from an attack, it’s critical that you make sure the attack is unsuccessful. “So far, the firmware attacks have been subtle and challenging. There is always a concern that these kinds of attacks move down-market in the hacker world,” said Fedorkow. “Once the techniques are known and established other hackers will find them easier to use.”
TCG puts forth a path for creating protected, safe systems. The resulting standards and best practices become the instructions needed to prevent an attack from becoming successful. “Standards are mostly preventative medicine. The underlying theme of the TCG strategy has been pretty much constant through the lifetime of the organizations going back to 2003, though they’ve been refined and developed to a considerable extent,” said Fedorkow. “TCG takes the approach of defining an architecture that is fundamentally sound.”
TCG is an industry membership organization. Members are involved in developing the standards and best practices, but once developed, they’re shared openly. “The development of the specifications requires membership in TCG. Once the specifications are reviewed, they’re published. Then you can download the specifications,” said Fedorkow. “The technology has been adopted by some large software suppliers and that drives hardware suppliers to take notice.”
Rob Spiegel has covered automation and control for 17 years, 15 of them for Design News. Other topics he has covered include supply chain technology, alternative energy, and cyber security. For 10 years, he was owner and publisher of the food magazine Chile Pepper.
Image courtesy of Trusted Computer Group