From your Facebook page to global financial markets to nuclear power plants, modern life demands robust security for electronic information systems. Yet threats are everywhere, and never stop mutating.
Safe electronic communication "is not just a technology problem," said Ramesh Karri, co-principal investigator. "Cybersecurity is also a problem of policy, business and risk-management, psychology, human rights, and so on."
Karri, professor of electrical and computer engineering at NYU's Tandon School of Engineering, works with Nasir Memon, CCS principal investigator and professor of computer science and engineering at NYUAD, and a team of faculty members, postdoctoral students, and Ph.D. candidates.
Their work is based on a shared vision that "security is multi-dimensional," Karri said, "but we are strongly rooted in the region. We do more than research; we also engage with stakeholders, and do a lot of outreach."
Working With the Industry
Outreach begins with an advisory board that connects researchers directly with Mubadala Development, Etisalat, the Emirates Identity Authority, the Emirates Nuclear Energy Corporation, the Abu Dhabi Water and Electricity Authority, the consultancy Booz Allen Hamilton, oil agencies, and others.
"Academics are always thinking a few steps down the road," Karri said, "whereas companies worry about dousing fires every day. So if we work with them, that's where magic begins to happen. Every government department has security issues: oil and gas, desalination, transportation. Working together is the mantra."
One recent core project, Karri explained, was the creation of a "test bed, a simulation. We had a (virtual) city emulating a smart grid, with oil and gas systems, transportation, and buildings. We can show cyberattacks at various levels – the network level, hardware level, 'social engineering' attacks, and so on. All the participants can come around this test bed, each with their own expertise" to develop integrated solutions.
Social engineering refers to non-technical aspects of hacking, Karri explained. "Security runs from chips to systems to humans. No matter how elaborate your security, it won't matter if your password is ABCD."
Memon's work goes beyond engineering alone. With psychologists and others from American University of Sharjah and schools in India, "we're looking at aspects of human behavior," he said. "We showed how certain personalities resonate to certain types of phishing messages, in Abu Dhabi, India, and New York City. Certain patterns emerge across cultures: Women are more likely to be trusting of a message, and if it has a sense of urgency or authority, then conscientious people fall for that more than others."
Memon also works in digital forensics, a field far more challenging in real life than it sometimes looks in television dramas. Starting with a single photograph, Memon and others are developing a system to identify the camera that took it — and then detect other photos made with the same camera. "It's like identifying bullets fired from the same gun," he said. The potential forensic advantages are evident.
In the "arms race" of cybersecurity, it's very hard to find where to start, added Michail Maniatakos, assistant professor of electrical and computer engineering, who focuses on industrial control systems (ICS). "Power plants, airplanes, ships, have embedded systems everywhere. Back when these were first designed and installed, there were no security problems, because most of them were not connected to the Internet. Now, it's hard to protect systems from hackers."
The good news, he said, is that "PCs and mobile phones are catching up, because you change these devices every two or three years and defenses are built in. But most nuclear power plants are 30 years old."
Security by Obscurity
Siemens, General Electric, and other vendors of off-the-shelf ICS devices, Maniatakos noted, "never give you access to the design files for their cybersecurity, so you never know how good it is. This is 'security by obscurity' — trying to make the system safe by never revealing information. That's the opposite of what you should be doing. You should really expose everything to the attacker, and if your system is secure there's nothing the attacker can do."
Corporate secrecy is a serious problem, he said. "How can governments protect valuable facilities such as power, water, nuclear power installations, when they are run by private companies? You have governments pushing for ICS security, but with solutions given to them by vendors. They don't collaborate very well. We're trying to come up with new technology and new techniques. But we give it to a utility and the utility says 'go to the vendors', and the vendors say 'we have our own solution for that'."
Government secrecy can also impede cooperation. "Some things we never hear about. Many governments keep secret the cyberattacks they've suffered, to hide the weakness of their infrastructure."
Across the whole "threat landscape," Maniatakos said, "malicious insiders are the biggest danger. People typically attack the software, but there are also ways to attack the hardware, through supply-chain vulnerability, for example."
Making a Microchip
Supply-chain security is where Ozgur Sinanoglu is working, trying to develop a truly trustworthy microprocessor chip. Abu Dhabi is certainly the right place for this project: An arm of government-owned Mubadala owns GlobalFoundries, the world's second-largest fabricator of microprocessor chips.
That connection is bringing a significant step forward, Sinanoglu explained: "We've been working for four or five years — through research, publications, and patent applications – to develop a truly trustworthy chip. But it's always been at the simulation level. Now, with GlobalFoundries, we're going to actually produce a chip."
Making circuits that can be trusted is a major challenge. Modern chips are designed by big teams, and then mass production is often outsourced, sometimes to China. There's always a danger, Sinanoglu noted, "of somebody injecting something malicious into the chip" — compromising "secure" systems before they're even assembled.
One concept under study involves encryption – designing chips that won't work until a secret "key" is applied. Keep the key away from the fabricator and you've defeated that security threat. "We've made assumptions and simulations but now we can really test it," said Sinanoglu, associate professor of electrical and computer engineering.
Maniatakos, too, finds that his work takes him beyond academia. He's laying the groundwork for projects with the Petroleum Institute and the Abu Dhabi Water and Electricity Authority, to see if monitoring mechanisms already present in embedded devices in older industrial control systems can provide a new level of security.
"A lot of systems are built to do one thing, unlike your laptop or your phone. That one thing is what we can use to detect anomalous behavior. We create a coded profile of the device; we know its good known operational state," and track deviation from normal behavior.
Much of their work is shaped by a basic reality of the field, that cybersecurity is, as Memon said, "a discipline in which there is an adversary. Teaching people how to design for that is difficult. It's essential to give cybersecurity professionals some exposure to situations where they are competing."
That's why "red-team-vs.-blue-team" competitions are common in this field. For example, Sinanoglu noted, "we used a logic-encryption key, and a team from Princeton University showed they could break it. They discovered the key. So we've been working on a defense; we think we just did it. This kind of exchange of ideas is really rewarding."
Cybersecurity challenges are many and varied, progress is slow, and while computer users generally are increasingly aware of security risks, much remains to be done. And it's not easy to measure progress in this fast-changing field.
"It's a little more subtle than saying 'we just improved cybersecurity'," said Karri. He mentions patents, papers, and improved user awareness as useful gauges. NYUAD has filed "about a dozen" patents in the field.
The impact of scholarly papers can be hard to assess, however. And "transferring technology is hard; that's where we still have to make some progress."