Cybersecurity is the protection of networks and information systems and their users from every possible threat, despites the intense focus on securing networks and ruggedizing hardware, it is still not safe to assume that hardware is trustworthy. NATO and European forces in particular now require that a device’s trustworthiness be proven.
Great efforts have been made to develop endpoint security solutions to safeguard software, and there is no question that this should be a top priority, but hardware tampering also poses major risks. This is why efforts to ensure mission-critical device integrity are increasingly targeting the hardware and firmware level.
In a new white paper entitled ‘Securing the Invisible Layer’, Panasonic analyses how the Secure by Design and Zero Trust principles being adopted by NATO and the EU have become strategic priorities, and how they can be applied to the protection of hardware through solutions like TOUGHBOOK Guard.
The invisible back door
The company that developed the TOUGHBOOK range of drop-tested, water-resistant, and dust-resistant laptops and tablets for defence, construction, and emergency services has made great efforts to stay abreast of the latest attack vectors being used by hostile actors who seek to compromise them through cyber attacks. The new white paper not only identifies the potential vulnerabilities that exist within military hardware, but how the risk of a successful attack can be mitigated.
The integrity of firmware – the specialized, low-level software embedded directly into hardware devices to provide essential control, monitoring, and data manipulation – is an issue that has been overshadowed by efforts to prevent networks and software being compromised, but it is now coming to the fore. NATO and European Defence Forces are increasingly aware that hardware and firmware integrity matter in an information environment that is permanently contested.
At every level, from headquarters to frontline infantry, the decision-making process is highly dependent on rugged hardware, secure networks, and digital devices that can be trusted to deliver the right information at the right time, and only to those with the right level of access approval. If the layer beneath the operating system, where the firmware sits, is not as well protected as fiercely as the network and software layer, then it is only a matter of time before that vulnerability is targeted. After all, a chain is only as strong as its weakest link.
Targeting the supply chain
There is growing evidence that state-sponsored actors are increasingly turning their attention to this layer, through a variety of methods. One is supply chain compromise, in which they infiltrate military systems, networks, or equipment by targeting less secure third-party vendors, suppliers, or software providers. Firmware tampering and rogue components can also open back doors that may not be visible to standard endpoint security tools.
Indeed, a recent report from EU cybersecurity agency ENISA has brought the continued use of supply chain compromise into the spotlight as a primary attack vector posing a risk to hardware and firmware components. These attacks are growing in frequency, sophistication, and impact, emerging as a top concern for European cybersecurity.
The targeting of third-party service providers (MSPs) to cascade breaches, exploitation of open-source software, and the critical need for better vendor risk management to protect EU infrastructure are among the report’s key findings. Threat actors are systematically targeting MSPs, software vendors, and third-party IT service providers to gain access to a larger pool of victims across critical infrastructure by targeting logistics, transportation, healthcare, finance and military sectors.
Supply chain attacks are now considered a ‘new normal’ for compromising otherwise secure organizations. To prevent devices becoming open gateways to wider networks as the potential attack surface of military systems continues to expand, a dramatic shift from perimeter-based security to a focus on the entire supplier ecosystem is demanded.
Built-in security
Armed forces across Europe are now accepting that it may no longer be viable to prevent hostile entities from reaching individual devices through cyberattacks, and this point has not been lost on the companies such as Panasonic that provide the ruggedized devices that are used in extreme environments where conventional normal computers would fail.
The new white paper lays out how TOUGHBOOK Guard has been developed to meet the evolving threat landscape and the specific challenges faced by European and NATO forces, and how frontline technology needs to rely on Zero Trust and Secure by Design principles.
These complementary cybersecurity strategies focus on eliminating implicit trust and embedding security from the outset. Zero Trust operates on the ‘never trust, always verify’ principle for every access request, regardless of origin. Secure by Design means embedding security as a foundational requirement during development, rather than adding it later.
Indeed, the EU Cybersecurity Strategy for the Digital Decade clearly states that Zero Trust does not stop at the network boundary and must reach the silicon and firmware that sit under every mission-critical device.
Hostiles recognised that hardware and firmware are the strategic weak link. TOUGHBOOK Guard is proving that they don’t have to be.
To read the full report and access your free copy, please click here
