Defending the Digital Frontier: Insights for the Evolving Cybersecurity Landscape
Posted 11/20/2023 by Eric Sivertson, VP of Security Business and Mamta Gupta, Director of Marketing Security & Comms Segment
Cyberthreats are accelerating amidst the rise of enterprise digital transformation. In order to keep pace with increased attacks, the cybersecurity market is evolving its standards and protocols to ensure protection in this new digitalized world.
Each October, Lattice recognizes Cybersecurity Awareness Month by hosting critical discussions on the cyber threat landscape. In our latest LinkedIn Live panel discussion, the Lattice team sat down to discuss the cybersecurity market evolution and the strategies developers can put in place to mitigate risk.
Overall Cybersecurity Market Evolution
We’re seeing a security storm brewing due to the technology paradigm shift that took place over the past two decades. Most prominently, we’re leaving the centralized citadel model for a disaggregated and distributed environment. While the citadel model has historically worked well, new developments like Edge terminals and electric vehicles are exposing electronic systems and creating more firmware vulnerabilities.
Beyond this, there are technical reasons why the citadel model is breaking down. For example, the open radio access network (ORAN) and developing computer networking architectures are sparking the rise of disaggregation and leading to an expanded attack surface. These open disaggregated systems can now integrate a variety of components coming from different vendors, so you can no longer form strong over-arching coverage of an increasingly distributed security environment. Your security architecture must be interoperable and integrated with open standards to enable a more comprehensive picture of your disaggregated attack surface.
Another cybersecurity trend that has been overlooked is synchronization. It’s critical that every part within the overarching system works together properly and securely; otherwise, you’re increasing its vulnerability. In a citadel model, synchronization is typically left unprotected since it is considered to be within the ‘trusted’ walls of the citadel, so bad actors can easily bypass system controls if they’re able to gain unauthorized access into the citadel.
We haven’t fully adapted to this new world yet, and that’s driving the security storm we’re seeing on the horizon. It’s no longer a question of if, but when, you’ll be attacked. As a result, building cyber resilience to protect these open and disaggregated systems from attack and to quickly recover from one is more important than ever.
Present-Day Overview of the Cybersecurity Landscape
To contextualize this a bit more, let’s take a look at the recent cyberattack on one of the major hotels in Las Vegas. Their system is likely a crossover between an old IT citadel model and a large number of Internet of Things (IoT)-type devices. In this instance, threat actors were able to infiltrate the citadel model network and then start locking down all of its decentralized IoT devices. This example underscored the criticality of cyber resilience because, unfortunately, there will be more successful attacks just like it in the future.
Zero trust is a natural evolution away from the citadel model to help organizations mitigate risk and protect, detect, and recover from attacks. With a zero trust methodology, no two devices trust each other. Each is its own protected castle, and everything must be validated before interacting. This helps to withstand attacks and establish a unified line of defense, whether inside the citadel walls or fully distributed and exposed.
There is also a growing urgency for more cross-sector intelligence sharing and federal oversight. For example, the SEC’s new cyber regulations will require public companies to disclose their board’s level of cyber expertise, as well as its involvement in cyber risk management strategy. This is because cybersecurity is a team sport – it requires cohesive buy-in across every layer of the organization from the Board and C-Suite to individual employees.
Lastly, it’s important to recognize the oncoming threat of quantum computers. While they have amazing capabilities to solve some of our world’s greatest problems, they also pose a massive risk to today’s widely used public key infrastructure (PKI) cryptography. The foundation of practically all cryptographic protection is PKI and, as quantum computers increasingly come online around 2030, these algorithms will be vulnerable to attacks. Shifting to post-quantum cryptography (PQC) will be key to defending against quantum computing attacks.
How the Need for Enhanced Security Is Driving Regulations and Requirements
New threats and deleterious attacks are emerging at a fast pace and require stricter compliance standards. For example, communications and computing infrastructure has become a part of our nation’s overarching critical infrastructure, so the disaggregated architecture present today must be protected.
To meet the needs of this new architecture and protect critical systems from attacks, new standards are arising to up the ante on cybersecurity readiness. The National Security Agency (NSA)’s Commercial National Security Algorithm Suite 2.0 guidelines offer more robust and clear protocols as well as increased quantum-secure cryptography standards. Compliance is no longer just a recommended step; it’s now mandatory.
It’s not just in the United States. Europe is also undergoing similar changes. For example, the incoming European Cyber Resilience Act (CRA) is mandating hardware-level security for protection against a wide range of attacks. If companies cannot comply with this, they are not allowed to sell their products in the European Union and, if they do, they could be subject to financial penalties.
The cyber resilience mantra of protect, detect, and recover is quickly becoming a legal standard in both the U.S. and Europe. We’ll see even more regulations in the coming months and years as greater advancements like quantum computing enter the fold.
Key Products/Solution Strategies for Enhanced Security
Like any new technology that comes online, everyone is enamored with the benefits and convenience, and not necessarily thinking about the security. For example, AI is being talked about everywhere, and we should consider both AI applied to security and security applied to AI. AI applied to security means you’re using the tool to find threats or weaknesses, typically in real time. On the other hand, applying security to AI means using trusted data to train the model. All these large language models need accurate and comprehensive data for training, as you can’t trust an AI model that was built with bad data. Applying security to AI operates under the premise that we know where the data came from, and hence we can trust it.
Quantum computing is another new technology that is forcing cybersecurity capabilities to improve, with PQC needed to protect our systems against quantum computer attacks. Additionally, the new algorithms to protect systems from quantum computers aren’t fully established yet. Hence, we need a crypto-agile solution to ensure that, when a new version comes along, security can be easily updated.
An ideal solution for ensuring cybersecurity alongside these new innovations is Field Programmable Gate Array (FPGA) technology. With their programmable nature, parallel processing capabilities, and Root of Trust (RoT) architecture, Lattice FPGAs are not only key solutions for AI and PQC algorithms, but they also contain an innate ability to protect, detect, and recover in real time.
The most important thing to remember in this new age of cyber resiliency is that the new security paradigm is rooted in transparency and openness. The citadel model was a wall – everything was hidden. Now, in order to have the most comprehensive and efficient security, you can’t hide anything. Every time two devices or systems interact, both must prove their identity and clearly show their functions.
Lattice can be a key partner for customers who are looking to future-proof their business. Our diverse solution stack portfolio and FPGAs can help developers protect information, intellectual property, products, and more.
Some key Lattice products include the Lattice Sentry™ solution stack, a solution geared towards datacenter services that provides a turnkey approach to protecting, detecting, and recovering servers in real time; the Lattice ORAN™ solution stack, ideal for the Telecommunications industry and ORAN infrastructure to help secure the wire; and Lattice SupplyGuard™, a RoT solution stack that provides developers with end-to-end supply chain protection to ensure no information, IP, or material is shared or compromised.
As the cyberthreat landscape continues to develop, ensuring you have the proper tools in place to meet new standards is critical.
Register for the virtual Lattice Developers Conference on December 5-7, 2023 to learn more about the latest trends, challenges, and low-power FPGA solutions. To learn more about how Lattice FPGAs and solution stacks can help you bolster and maintain cybersecurity, reach out to our team today.