The Centre for Secure Information Technologies (CSIT) based at Queen’s University Belfast has announced a £5 million investment in improving hardware security. The Research Institute in Secure Hardware and Embedded Systems (RISE) is the fourth cyber security institute in the UK. It has been backed by the Engineering and Physical Research Council (EPSRC) and the National Cyber Security Centre (NCSC).
The unit will be headed by Professor Maire O’Neill. O’Neill currently heads up cryptography research at Queen’s University. In a comment on the announcement O’Neill said: “There is huge demand for hardware security research and innovation. As CSIT is renowned for its high-quality research in this field, and its emphasis on commercialisation of research, we are delighted to host RISE.
“RISE is in an excellent position to become the go-to place for high quality hardware security research. A key aim is to bring together the hardware security community in the UK and build a strong network of national and international research partnerships. We will also work closely with leading UK-based industry partners and stakeholders, transforming research findings into products, services and business opportunities, which will benefit the UK economy.”
While Queen’s University Belfast is heading the project, the University of Cambridge, University of Bristol and the University of Birmingham are also involved. RISE will also create an advisory board and look for industry partners to help fund it and presumably guide the direction of its research.
What is this all about?
Over the last decade we have witnessed the rise of the smartphone, the tablet PC, the Internet of Things and the arrival of robotics. This has reshaped the landscape and increased reliance on computer hardware. As we move closer to the mass use of autonomous vehicles, hardware has become a new battleground with cyber attackers. In the last week, chip giant Intel, whose hardware is at the heart of most computers and servers, has admitted to a major security flaw in some of its products.
The threat is that this hardware can be taken over by attackers and potentially used to cause mass disruption and even death. One area that is of concern to some in the security field is the risk of an autonomous vehicle being taken over and used as a weapon. Other risks that have been identified are disruption in critical national infrastructure. There is already enough evidence from hacking events to show that these are more than just theoretical issues.
RISE will be looking at how hardware is designed. It will want to see how it can provide a framework for the production of security hardware that can be produced cost-effectively. There are models that it can begin to look at. ARM already has an architecture that it is offering to a number of industries, including healthcare, where it can update the entire hardware and software stack. It claims that this is secure against attack and it will be interesting to see if RISE looks at this as a possible exemplar project.
Why does this matter?
Our lives are increasingly dependent on computer-based systems. Few of these have proven to be safe from attack by cyber criminals and hackers. Part of the problem is that of longevity of design. The older the technology the more risk of it being hacked. This is because hackers learn new techniques over time that were not considered a risk factor previously. When it comes to hardware, longevity is key. You might change your phone, tablet or laptop regularly but they are the exception.
Hardware in white goods like fridges, washing machines and dishwashers will be in place for up to two decades. Many of those manufacturers are making their products Internet ready without knowing what the risks are. The same is true of sensors and healthcare devices. These also have a 20+ year lifespan. Replacing everything with more secure systems is too expensive and time-consuming. It will be interesting to see how much of the work RISE does results in new solutions for existing hardware. One also wonders how quickly they will start issuing security advisories as their research uncovers new flaws.
The big question here is funding. For RISE to be successful it will need to fund a lot of serious and complex research. It has allocated an initial £5 million and started to look for paying industry partners. In this, it is competing with a lot of other projects also after vendor cash. With backing from EPSRC and NCSC, will RISE be able to unlock vendor cash? If it does, all is good. If it doesn’t, this could require the UK government to step in. This is not a project that should be allowed to fail.