Evaluation Engineering - 22 (November/December 2020)

CYBERSECURITY: Establishing Trust in Cybersecurity for Embedded Systems

A Capt'n Crunch Whistle, made famous by John Thomas Draper, also known
as Captain Crunch, an American computer programmer infamous for his past
exploits as a phone hacking (phreak) pioneer. The tone from the whistle would
fool the phone company's tone-driven switching system into allowing free
long-distance calls.
© 1971markus

AG: Well, there are a lot of detailed ones, but at the high level, there are
a couple of categories that I would throw the challenges into. One
is just the technical challenges. Building security is complicated
and has to be done very, very carefully. Any little flaw can be
discovered and exploited by hackers. And we've seen that. I
mean, Cisco's got as deep an engineering team as anybody,
they've got tremendous resources and tremendous expertise,
and they had a flaw in their Secure Boot implementation that
some researchers discovered and found a way to exploit, and it
was a pretty difficult flaw to fix. It wasn't something that'd be
easily updated with a simple software update.
So the technical challenges are significant. Hackers are very
resourceful. They're really good at reverse engineering code and
finding any little flaw and doing fuzz testing. And again, if you
implemented one area great but missed something else and
left a flaw there, then they'll go exploit that. Right? They're really
good at finding that low-hanging fruit.
So there's the technical challenges. And the approach there
is don't try to do security all by yourself, right? Find people
with expertise, leverage partners, leverage people who have
expertise in security in the IoT space. The other two categories
are the business challenge and regulatory challenges. The business challenge is just basically making sure that you've got the
right resources allocated to solve the problem, making sure
that management has approved the budget that's necessary
to really do the job right.
Sometimes it can be a significant budget, and sometimes it's
not easy to get the additional budget for security approved. So
there's that piece. And then the third one is, well, there's kind of
regulatory. And what I mean by that is, what standards do you
need to be worried about? Are there specific regulations you
have to meet? Are there specific industry regulations you have
to meet? What jurisdictions are you going to sell into?
So you're kind of navigating different industry and legal
standards and regulations, another challenge that has to be
addressed. So if you're selling into California, and if you're building a device, California has passed some legislation saying that
you have to have reasonable security. You can't have default
passwords and hard-coded passwords and things like that. So
at a minimum, you need to make sure that you've met that
requirement. If you're in the medical space, you've got FDA cybersecurity guidelines that you have to follow. But the good
news on this front is we are starting to see some organizations
that are defining security requirements for different products
in different markets and different solutions.
One example of that is a group called ioXt that is creating
a validation process for specific products. They have defined
security profiles for different products. So with that, there's a
defined set of requirements and processes to kind of help provide some very good guidance for a company that is building a
product. Another one that's emerging and that we're actually
participating in is, something called Project CHIP, which is part
of the ZigBee Alliance.
CHIP is Connected Home over IP. And what we've got there
is Apple and Google and Amazon have come together, and
they're trying to define their interoperability standards. So if
you have some devices for each of the vendors, they'll easily
work well together in the home, but in addition to it being an
interoperability standard, they are looking very closely at the
security. So they're going to have validation processes and
testing houses as well, that will test security and interoperability in that context.
So, there are organizations that are starting to address the
security challenges. It's not necessarily regulatory, it could be
regulatory or standards compliance, so it's more standards compliance. But we need to have devices that have been
approved by that group, which if it's successful, could really have
a pretty broad reaching impact, because you do have the major
players in the smart home market engaged. So it really could
kind of turn the direction of the industry in that vertical market,
towards building devices that are not just highly interoperable,
but also have well thought-out security.
EE: Okay then. So now having mentioned a good partner, why
don't you then tell us about your organization, a little bit of
its history and where you insert yourself with value add in
the stream?
AG: Sectigo is a company that has a very, very long history in
providing certificate authority solutions and services in
the IT world. So it actually has its roots in the old Comodo CA
business. It was spun out from Comodo as a standalone certificate authority company about three years ago, and rebranded
as Sectigo. And one of the things that everyone in the business
of issuing identities for websites, business applications, emails,
has recognized is that IoT is one of the new growth areas.
There are huge numbers of IoT devices coming online. Those
devices need to have identities, or you need to be able to know
for sure which one is which, that they're really authentic, and that
each device is who it says it is. And PKI and digital
certificates are an important way of doing that. I joined Sectigo
about a year and a half ago, when they acquired Icon Labs, the
company that I had co-founded. And Icon Labs provides, and