Abstract
The digital society relies heavily on the secure operation of systems and machinery, including the hardware present in personal and industrial devices. The volume of cyber-physical threats is rising, and their complexity and sophistication have demonstrated that attackers have both the intent and the ability to exploit vulnerabilities in hardware security as part of digital products and services. A review of academic research on regulatory frameworks pertinent to hardware security has been conducted. It shows that while progress has been significant, with new legislation, standards and regulation on hardware security, the approaches taken by policy makers have been disconnected.
Although hardware security is a recognised area within the overall domain of cyber security, and although long-established and more recent standards exist for demonstrating aspects of security in the design and implementation of hardware-based products and security solutions, it remains an area of potential vulnerability. Common areas of weakness have been found to include a failure to use the secure mechanisms available in the platforms, a lack of adherence to good practice in system design, and a lack of tamper detection capability. The report provides a taxonomy of hardware-related threats and highlights a variety of guidance and standards that have relevance in this space.
Two sector-specific cases that are explored in more detail address the challenges of highly regulated environments, namely the automotive and Fintech industries. The automotive sector is distinct in that cybersecurity is intertwined with safety, as the loss of human life is at stake. Fintech, on the other hand, emerged as an area which is highly compliance driven, where meeting regulatory needs is ingrained as a ‘cost of doing business’ and ‘loss avoidance’. Both sectors have in common that technology is ahead of governments' regulatory efforts, which are slow to materialise but have a profound effect on industry players, increasing their security efforts and investment.
Feedback from stakeholders in governance, risk and compliance has been integrated into the analysis. It emerges that hardware-focused cybersecurity innovations are overshadowed by cost considerations in favour of fast-to-market solutions. In relation to CHERI/Morello adoption, integrating new solutions could be delivered via discussions with industry associations, regulatory bodies and UK government agencies currently reviewing regulatory interventions in hardware assurance levels and security by design.
| Original language | English |
|---|---|
| Number of pages | 54 |
| Publication status | Published - 31 Aug 2021 |