Finishing up our series on 2022 predictions, we went to some of the people we’ve talked to in the past year to get their views on what will influence chip security for the positive in 2022. The consensus is that legislation will make cybercrime more difficult for criminals, and that some smaller targets will become more attractive.
Log4J and open source software
The log4j vulnerability set the internet on fire in December, and IT staff are still struggling to find out just how bad it is in their systems. It is going to consume a lot of coding shifts long into 2022. State actors launched close to a million attacks through the vulnerability before the end of December as security teams applied patch after patch. Apple closed the holes in its iCloud servers by December 15 and issued an update to iOS 15, but the popularity of the open-source code means it will bedevil IT teams for the better part of 2022.
“The potential devastation that can result from the Log4j vulnerability is deeply concerning,” said Francis Cianfrocca, CEO of InsightCyber. “The flaw enables hackers to gain access to servers and applications. It enables them to take over OT and IoT devices thanks to corporate IT and cloud app jump over.” He predicts companies will prioritize continuous AI-powered monitoring, Zero Trust methodologies and reference models.
The conventional wisdom that open-source code is more secure than proprietary software is less wise than it is conventional. It is true to an extent: it is hard to hide malicious code slipped into an open-source project. But vulnerabilities can hide in plain sight as the code balloons into multimillions of lines, just as the log4j vulnerability did for years. This is going to reignite internal debate over using open-source code rather than in-house development for the foreseeable future.
Forced security for semiconductors
We noted a few weeks ago at the Design Automation Conference in San Francisco that the semiconductor industry will be forced to take security seriously after decades of throwing security concerns over the wall to systems designers. Governments worldwide will force the semiconductor industry into some serious redesign of core products. Bentsi Ben-Atar, co-founder and CMO of Sepio Systems, agreed.
“These requirements will be intended to minimize supply chain hardware risks so that the risk of introducing a rogue chip into the assembly line would be minimized,” he explained. Vendors will find themselves blocked from government contracts unless they comply with new regulations from US and EU regulatory agencies.
Alan Grau, VP of Business Development at PQShield, takes it further and sees three main initiatives among chip vendors in 2022:
- Stronger general hardware security: chips with a hardware root of trust and greater use of Trusted Execution Environments such as ARM’s TrustZone.
- Chips with preprogrammed digital identities backed by PKI services, or chip vendors partnering with PKI companies.
- NIST’s post-quantum cryptography standardization directing how chip companies produce security-critical chips.
Small targets in the supply chain
Attacks on supply chain security will grow. Large organizations are dependent on vulnerable smaller vendors, which makes the latter low-hanging fruit, added Simon Linstead, founder of the info.sec.live security community. Vendor management departments will be stricter about who can supply products or services, which could affect jobs and economic growth.
“The changes will require manufacturers not only to change their design and introduce additional silicon modules for security but also verify that the tools they are using to generate the silicon design are not compromised as well,” he predicted.
Ransomware isn’t going away
Ransomware gangs made headlines by attacking the supply chain in 2021 but seemed to feel the heat and disappeared under their rocks. That doesn’t mean they are going away. Linstead said ransomware actors will become more hardline as they move away from infrastructure targets. “They will retaliate by destroying or leaking data if the organization doesn’t pay the ransom quickly.”
For smaller companies, Linstead said, that can be a death sentence as insurance companies add cybersecurity exclusions or refuse to underwrite policies.
Some semiconductor companies agree and are working on the issue.
“From the vulnerability side, we believe that ransomware attacks are becoming even more of a headache, and we hope to see more attention on the vulnerabilities at the Root and action on HW security enhanced with AI,” said Minna Holopainen, VP communications for Axiado, a company making a security-specific chip powered by their own AI.
A positive note
Significant legislation mandating security in all systems is arising at the local and national levels worldwide. The EU is well ahead of the US on this front, but the US is catching up. Semiconductor companies are realizing that customers cannot be relied on to use their products responsibly and that inaction has made things worse. Moreover, public resistance to additional restrictions is dissipating. 2022 should be a very positive year after the last two.