Semiconductor integrated circuits, commonly known as computer chips, are the powerhouses that run virtually all electronic devices and computers, including everything from mobile devices and personal computers to aircraft flight controls and entire power grids. In order for these devices and systems to work, chips must be free from defects and malicious circuits.
Unfortunately, increased consumer demand has sped up the globalization of chip manufacturing, with the majority of chips being manufactured overseas. The globalization of chip manufacturing and the fact that most U.S. chip buyers, including the U.S. DoD, are procuring from this global pool have created a widening array of opportunities for miscreants to insert malicious circuits during the chip manufacturing process.
Malicious software can be created and deployed by virtually anyone at any time via software or Internet traffic, but malicious hardware in the form of computer chips can only be introduced during the manufacturing process by someone with the knowledge and access to alter the chip.
Introducing malicious changes during the actual manufacturing process is often not effective as these changes often compromise the chip to the extent that it doesn’t pass quality inspections. For that reason, most malicious changes occur during the design phase, which is the process where areas of the chip are mapped out to carry out certain tasks. Once introduced, malicious hardware can remain dormant for months or even years before being used to launch an attack.
Attacks can be triggered in a variety of ways. Some are initiated by an event, such as a particular calendar date, or location, such as a GPS position. Alternatively, attackers can hide a trigger within external data and send it when they are ready to attack. Overt attacks can cause a device or system to completely fail and shut down or to run with obvious impairment. Covert attacks are designed to give the appearance that the device or system is continuing to operate normally while carrying out malicious actions in the background or introducing corruptions in data. Covert attacks might also open the door to allow the deployment of malicious software at a later date.
Many chip manufacturers have nonexistent or insufficient security measures in place and generally fail to view this threat as meaningful. Therefore, the first hurdle to preventing hardware attacks is awareness of the real and significant threat of these types of attacks. If malicious hardware shuts down cell phones, it’s an inconvenience, but if it overrides the GPS coordinates of planes in flight, or brings down the U.S. DoD defense systems, it could be a tragic disaster.
One solution to preserving the integrity of chips is to change the design process itself so that access and information is compartmentalized and limited only to those who are directly involved in each particular phase of design. This could lead to changes within manufacturing companies as well as the ways in which they use outsourcing and third party vendors.
Developing more robust testing processes that can detect malicious changes in chips before they are installed in products and systems could also help prevent hardware attacks. Current testing protocols are designed to reveal accidental flaws, not carefully constructed and hidden deliberate flaws. As a safeguard, developing methods to thwart or kill an attack once it’s launched can prevent malicious chips from doing any significant damage. Defense processes that are built into the chip would monitor the chip’s behavior and quarantine any portion of the chip that isn’t behaving normally.
Cybersecurity is a broad field that encompasses those who install, configure, and maintain secure networks; those who develop software and other products to enhance security; and those who design and engineer hardware. The emerging awareness of hardware’s vulnerability to cybercrime has the potential to create opportunity for hardware-related positions, such as computer hardware engineers. According to the U.S. Bureau of Labor Statistics (BLS), hardware engineer jobs are expected to increase by almost 10 percent from 2010 to 2020.
Computer hardware engineers design, develop, and test equipment such as computer chips and circuit boards. Most engineers have at least a bachelor’s degree in computer engineering, but those who want to pursue a cybersecurity specialization might want to obtain an a specific degree in cybersecurity, such as the Master of Science in Information Assurance and Cybersecurity. This program focuses exclusively on cybersecurity, giving students in-depth knowledge and training on how to recognize, evaluate, and mitigate a variety of potential threats.