DARPA has formalized its search for the answer to one of the cybersecurity community’s most pressing questions: how to secure an everything-connected-to-everything-else Internet of Things.
Late last week, the agency posted a Broad Agency Announcement to the Federal Business Opportunities website introducing its Leveraging the Analog Domain for Security program, a project that seeks security best practices for the increasingly simple elements of IoT networks, such as those found in home automation and industrial control systems. These devices, called Embedded and Mission Specific Devices, are often limited by low computational ability, lack of consistent connectivity and simplistic hardware. These factors make security efforts more difficult than those standard in desktops and handhelds, which are — in theory at least — fortified by secure hardware, layered software defenses and regularly-updated operating systems.
Without ample security measures, experts fear that an expanding IoT could create massive vulnerabilities across nearly all technologically-integrated spectrums. With interconnected systems, even one small security gap could create massive ripple effects.
Specifically, LADS “seeks to enable a new protection paradigm that separates security-monitoring functionality from the protected system, such that even a full compromise of the latter cannot lead to compromise of the monitoring logic.” By isolating the weakest links in the overall system chain, LADS intends prevent the downfall of large systems through simple hacking methods.
Given the inherent limitations of EMSDs, the task is easier said than done. DARPA has identified a number of preliminary suggestions, including potential efforts to “associate the running state of a device with involuntary analog emissions from said device across one or more physical modalities, including, but not limited to, electromagnetic emissions, acoustic emanations, power fluctuations, and thermal output variations.”
LADS is comprised of three phases, with the first focusing on basic cybersecurity techniques and the subsequent two addressing issues of increasing complexity. It anticipates numerous contract awards for the first phase, for which $36 million have been allocated. DARPA aims to establish a functional cybersecurity solution by mid-2020.