Dr. Ang Cui, Red Balloon Security: "end-users need to demand more security from device manufacturers"
While cyberattacks are nothing new, together with digital transformation, the volume of cyber threats increased drastically. For this reason, companies are rushing to secure employees’ devices from potential attacks.
Unsecured devices can lead to various consequences, including falling victim to ransomware attacks, a data breach, fraud, and other threats. This can result in losing major amounts of funds or ruining the reputation of the company.
That’s why there are various security measures, such as runtime protection, that businesses can implement to ensure real-time detection and protection of embedded devices.
Cybernews invited Dr. Ang Cui, the Founder and CEO of Red Balloon Security, a company that specializes in on-device monitoring and protection for embedded systems. Cui shared his views on cybersecurity for both individual users and organizations, common threats, and their prevention methods.
Tell us how did Red Balloon Security originate? What has your journey been like?
Red Balloon Security was founded in 2011 when I was working at the Columbia University Intrusion Detection Lab and pursuing a doctorate in computer science. The company landed its first commercial engagement with HP in 2015 and has since worked with the US Department of Defense, Department of Homeland Security, and various commercial and public sector partners to refine and demonstrate its technology. Red Balloon also has participated in DARPA’s RADICS program to improve electrical grid cybersecurity and at the PIADC Research Center on Plum Island, where it worked to enhance building management system security with public and private sector stakeholders.
Can you introduce us to your Symbiote Suite? What are its key features?
Symbiote is a host-based, OS-agnostic technology that is designed to detect and protect against attacks at the firmware level of embedded devices. It works with FRAK, an engine that unpacks, analyzes, and repacks device firmware and injects individual Symbiote payloads into the host firmware. Each Symbiote is tasked with monitoring a small component of the device firmware for any evidence of anomalous activity and can send internal or external alerts within milliseconds of intrusion detection. The technology also aids forensics by fueling a detailed analysis and characterization of any attack via a reporting tool called Aesop. Symbiote provides this on-device, firmware-level security without any compromise of a device’s core functionality.
Since embedded systems are your main focus at Red Balloon Security, could you briefly explain this technology?
Embedded systems are devices, such as sensors, actuators, safety equipment, or automated machines, as well as controllers, such as safety instrumentation systems (SIS), programmable logic controllers (PLC), and I/O modules. All these devices contain computer components you would find in a PC, a SCADA historian, or a router working higher up in a technology stack. Yet most embedded systems devices lack the types of security controls we have come to expect in enterprise IT operations or even in control rooms. Because embedded systems operate next to or within physical processes, the functionality of devices at this level often is essential to maintaining safety and continuity of operation. A cyberattack at this level can easily have the potential to result in severe physical damage to the plant, injuries, or even fatalities, which makes embedded system security one of our highest priorities.
Have the recent global events somehow altered your field of work? Were there any new features added to your products?
Red Balloon’s product offer has been consistent for the past several years. It can be used to protect some of our most mission-critical industrial deployments in industrial control, aerospace, the electrical grid, and automotive components. Many of these segments are on high alert against cyber threats in the current geopolitical climate. We remain convinced that our technology can take the security of these industry segments to a more mature and robust level.
Why do you think so many companies struggle to keep all of their devices under control?
Endpoint security has evolved gradually over the past two or three decades. 20 years ago, cyberattacks on PCs and enterprise-level networks made the case for robust defenses inside any devices that connected directly to the Internet. At that stage, devices in control rooms were thought to be secure because they were not Internet-connected and many believed they were “air-gapped,” which would have made robust on-device security superfluous – if it were true. Once attacks began to reach the control room, we had hard evidence refuting the “air gap” concept, and operators became incentivized to bring sufficient security to this level as well.
Today, we are still making the case for on-device security. It is the next stage in security’s evolution. However, many companies are concerned about the expense of these upgrades, and some still do not believe that attacks at the embedded device level are feasible, despite mounting evidence to the contrary. Also, the sheer number of connected devices being deployed presents challenges of scale: We are connecting devices faster than we can build adequate protections.
Complex supply chains are another factor. Devices may be serviced by third parties that do not exercise sufficient security procedures, which can result in built-in exploits (backdoors) or vulnerabilities at the firmware level.
Talking about individual users, what security measures do you think everyone should take to protect their devices?
End-users need to demand more security from device manufacturers and should expect to bear some of the R&D costs these upgrades will entail. Ensuring sufficient perimeter defenses and access controls are important steps, but even these controls will not deter attacks that exploit permissions and unfold inside the perimeter. That’s why on-device controls are not just a market advantage but an essential feature of modern, in-depth security.
In your opinion, what are the most concerning problems that critical infrastructure businesses face today?
Infrastructure is becoming more complex every year and more connected, due to remote access, more interactions between the IT and OT layers, and other factors. We are in a position to greatly improve the security of critical infrastructure by addressing the gaps at the embedded device level, yet implementation will take time. I am concerned that by delaying the adoption of on-device embedded security, we are squandering time that could be spent on careful, methodical deployments that efficiently resolve engineering challenges. Instead, we may see a rush towards this type of security in the aftermath of serious attacks, which can easily lead to more complicated and problematic deployments.
What security trends do you think will emerge in the near future?
- We will continue to see attacks on embedded devices and OT systems in general (OT-level attacks have been on the increase for several years). It is fair to say that the next frontier of cyberwar will be fought on the embedded device level.
- Eventual recognition that embedded device security is not an “extra value” but an essential component of security in industrial systems.
- Rules of engagement around cybersecurity may change as more independent actors, either of their own volition or at the behest of governments, begin to target critical infrastructure and enterprises with cyberattacks.
What does the future hold for Red Balloon Security?
- We will continue to develop commercial solutions that map to regulations and standards for specific industries (ICS; aerospace; automotive, etc.).
- Along with the cyber research community at large, we will play a larger role in the general conversation that sets realistic standards for security.
- Red Balloon will continue to publish research that brings clarity to the embedded device and firmware security and emphasizes the need for more resources to be applied to training effective firmware engineers and solutions that encompass embedded device security.