How SEMPRE Works to Demonstrate Security by Design
CISA’s Secure-by-Design Pledge: Making Security a Primary Mission
The CISA Secure by Design pledge is a set of principles established by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to encourage technology manufacturers to prioritize security throughout the product lifecycle. Launched in 2023, this initiative arose in response to the growing frequency and sophistication of cyberattacks targeting both software and hardware vulnerabilities. The pledge emphasizes embedding security as a fundamental aspect of product design rather than treating it as a secondary effort. The guiding principles include reducing the burden on end users to maintain security, embracing transparency via bidirectional communication on known vulnerabilities and risks, and building resilient systems that can withstand cyber threats. By adhering to these guidelines, manufacturers aim to create more secure, reliable, and trustworthy technologies, thus fostering a safer digital ecosystem. The pledge reflects CISA’s mission to strengthen national cybersecurity by advocating for proactive collaborative efforts across the public and private sectors.
The SBD principles outline best practices for product manufacturers to create inherently secure products and reduce risks for their customers. These principles focus on promoting security at every stage of the development lifecycle and ensuring accountability. The main principles include:
- Taking ownership of security outcomes: Manufacturers are encouraged to prioritize customer security and adopt practices that minimize vulnerabilities from the outset.
- Embracing transparency and accountability: Companies should openly share their security practices and engage with stakeholders to maintain trust.
- Leading from the top: Executives and leaders must champion secure development, ensuring it becomes a core organizational value.
The guidance also emphasizes reducing exploitable vulnerabilities, eliminating default passwords, and promoting systematic patching to mitigate risks. The aim is to shift the responsibility for security from end-users to developers and manufacturers, fostering a more resilient cyber ecosystem.
Principle 1: Securing Delivered Products by Design
In general, owning security outcomes stems from hardening both software and hardware when initial specifications or options do not provide a suitably secure platform, enabling included security features or adding additional security features to support end user requirements and compliance, and ensuring that insecure configurations (default settings) are minimized or eliminated from the start.
- Hardware and Software Hardening
- SEMPRE’s software products are developed using a comprehensive software development lifecycle (SDLC) in which security is integrated every step of the way. Security steps are integrated into the CI/CD pipelines, providing code scanning for security vulnerabilities, secrets detection and management, and dependency scanning to ensure included libraries are as secure as possible. Memory-safe languages are used wherever possible, and where technological limitations exist SEMPRE plans to move to memory-safe languages as soon as possible.
- Cryptographic credential management is secured using both software and hardware, with encryption keying material stored in an industry-standard software vault, itself governed by master keys stored in hardware cryptographic modules (TPMs). Additionally, with the potential for SEMPRE nodes to be deployed in difficult-to-access or otherwise restricted locations, tamper resistance is an important design aspect factored into SEMPRE node hardware. To accomplish this, all SEMPRE nodes contain a variety of sensors intended to detect any attempt to gain access to the system even if the node is powered down such as in transit or storage. Though specific technologies may or may not be included according to the specific form factor, SEMPRE nodes employ combinations of cameras, dead band switches, magnetic sensors, ultrasonic detectors, spatial triggers, and accelerometers to detect physical tampering. Detected events trigger SEMPRE’s custom-designed hardware, which includes PLST (Poly Laminate Spacial Trigger™), to lock down the system based on user specifications and requirements, up to and including full restriction in the highest security and confidentiality environments.
- SEMPRE performs continuous security evaluation by conducting penetration testing and analysis at each step of the product integration lifecycle. By testing products both before and after the production phase, SEMPRE tracks the evolution of vulnerabilities from theoretical to practical, both on internal and external components, minimizing the inclusion of vulnerabilities in the end product. Issues discovered during penetration testing are remediated as soon as possible.
- Additional Security Features
- SEMPRE requires encryption of all communications. Nothing is ever sent in the clear, with TLS (Transport Layer Security) required. SEMPRE utilizes current OpenSSL technologies with post-quantum capability, ensuring encrypted communications remain as future-proof as possible by preventing interception attacks. By supporting all NIST-approved post-quantum and traditional encryption algorithms, SEMPRE’s products allow for both pure post-quantum and hybrid modes (hybrid being a combination of traditional algorithms, such as RSA (Rivest-Shamir-Adleman), with post-quantum algorithms, which eases the transition into Post-Quantum Cryptography, or PQC) for key exchange and digital signature. In addition, SEMPRE products support post-quantum node-to-node communications using secure VPNs.
- Multi-factor authentication is required for administration of the node. In addition to requiring MFA for corporate applications, SEMPRE Node Manager ensures that security is maximized for node administration by requiring MFA.
- SEMPRE employs AI-based network detection and response technology, ensuring that active attack detection and response time is minimized. In addition, comprehensive auditing is in place, ensuring forensic analysis can be as thorough and informative as possible.
- SEMPRE nodes are controlled via a separate satellite-based network. Utilizing an out-of-band control plane not only provides additional security by isolating node administration and control from user traffic, it protects user data from compromise and user experience from degradation. This also protects the node itself from compromise by malicious entities as the user-facing network is electronically isolated from the control interface.
- SEMPRE requires multiple authorizations to perform hardware, software, and network changes to the nodes. Adopting the military principle of surety (otherwise known as the two-man rule) SEMPRE minimizes the risk of compromise by rogue actors by requiring at least two authorizations to perform administrative or configuration changes. This is a prime example of adopting non-traditional access control measures to provide a substantial improvement in effective security posture.
- Securing Default Configurations
- SEMPRE does not reuse passwords or configurations across individual product instances. Passwords are, wherever possible, securely stored and accessed only in-memory, minimizing human interaction and thus potential information leakage. By using the hardware cryptographic modules, SEMPRE can generate and use per-instance unique passwords.
- SEMPRE adheres to zero-trust design principles, following the DoD Zero Trust Reference Architecture. This ensures that all components, both software and hardware, are verified and authenticated at each level of interaction.
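One way to enforce the two-authorization requirement described under Additional Security Features, shown as an added example that is not SEMPRE's implementation. The approver names, HMAC keys and change-request fields are assumptions made for illustration; the check rejects duplicate approvers, self-approval by the requester, and approvals issued for a different change.

```python
import hashlib
import hmac
import json

# Constructed demo keys: one HMAC key per authorized approver (hypothetical names).
APPROVER_KEYS = {
    "alice": b"demo-key-alice",
    "bob": b"demo-key-bob",
    "carol": b"demo-key-carol",
}
REQUIRED_APPROVALS = 2  # the "at least two authorizations" from the text


def change_digest(change: dict) -> bytes:
    """Canonical digest of the change, so an approval covers exactly one change."""
    canonical = json.dumps(change, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).digest()


def approve(approver: str, change: dict) -> dict:
    """Approver side: produce a tag bound to the approver's key and the change."""
    tag = hmac.new(APPROVER_KEYS[approver], change_digest(change), hashlib.sha256)
    return {"approver": approver, "tag": tag.hexdigest()}


def is_authorized(change: dict, approvals: list) -> bool:
    """Enforcement side: count distinct, valid approvals from non-requesters."""
    digest = change_digest(change)
    valid = set()
    for a in approvals:
        name = a.get("approver")
        key = APPROVER_KEYS.get(name)
        if key is None or name == change.get("requested_by"):
            continue  # unknown approver, or requester approving their own change
        expected = hmac.new(key, digest, hashlib.sha256).hexdigest()
        if hmac.compare_digest(expected, str(a.get("tag", ""))):
            valid.add(name)  # a set, so a repeated approver counts once
    return len(valid) >= REQUIRED_APPROVALS


# Constructed sample change request and a tampered variant of it.
CHANGE = {"node": "node-01", "action": "update-firewall", "requested_by": "alice"}
TAMPERED = dict(CHANGE, action="disable-firewall")

if __name__ == "__main__":
    ok = [approve("bob", CHANGE), approve("carol", CHANGE)]
    print("two distinct approvers:", is_authorized(CHANGE, ok))
    print("same approvals, altered change:", is_authorized(TAMPERED, ok))
```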
Principle 2: Embracing Transparency and Accountability
Transparency in the context of security means two main things: being up front and open with customers and end users about the real and practical security considerations in your products, and taking responsibility for communicating security risks and failures, both known and unknown, as soon as possible. While public disclosure is generally uncomfortable, it is often necessary and can foster an environment of collaboration between the product owner and the customer with the goal of providing a maximally stable and secure product.
- Software (SBOM) and Hardware Bill of Materials (HBOM)
- SEMPRE’s hardware system security starts at the system design level, and a critical but often overlooked aspect is supply chain security. To this end, we strive to make all SEMPRE systems Trade Agreement Act (TAA) compliant. This means all products must be manufactured or substantially transformed in the United States or a TAA designated country. Each item that we currently consider incorporating into the system needs to have its country of origin verified. It is SEMPRE’s goal to go beyond TAA and eliminate non-compliant material altogether. To this end, SEMPRE maintains comprehensive bills of material for integrated hardware.
- Software BOMs are generated in three phases. In the first phase, the operating system (base image) and its supporting packages are itemized according to vendor specifications. In the second phase, third-party software packages used for additional support functions or requirements are itemized. In the third and final phase, the first-party software is itemized according to the repository platform’s SBOM generation, which includes all third-party dependencies used in the creation of the software.
- Hardware BOMs are initially generated by the design engineer and are reviewed by SEMPRE’s supply chain to ensure that all components specified are TAA compliant. Once this is confirmed, an official BOM can be entered into the Fishbowl software package that is used by SEMPRE to support all production efforts. During the course of design, layout and debug, this initial BOM may be updated by engineering and re-verified by supply chain until it is finally released for production. At that point all production component orders will be made through the Fishbowl system.
- Vulnerability Disclosure and Reporting
- Itemized SBOMs leverage vulnerability exchange metrics that assess the likelihood and ease of exploiting vulnerabilities, including factors like complexity of attack, required privileges, and access conditions. This helps to prioritize patching and mitigation efforts. HBOMs leverage VEX frameworks to detail vulnerabilities in hardware components, including potential attack vectors (firmware, microcode, or hardware design flaws) and exploit scenarios. By including VEX information in the HBOM, we can more fully understand the severity of vulnerabilities and properly assess their impact on the overall security of the system.
- SEMPRE is committed to adopting a vulnerability disclosure policy that authorizes testing against all products offered, both software and hardware, specifies conditions for those tests, provides non-retaliatory legal safe harbor for actions performed consistent with the policy, and allows for public disclosure of vulnerabilities after a set timeline within industry standards based on the NIST Risk Management Framework (RMF). SEMPRE, in response, commits to performing root-cause analysis of discovered vulnerabilities and, to the greatest extent feasible, taking actions to eliminate entire vulnerability classes by providing security remediations to customers.
- Security Roadmaps
- SEMPRE commits to publishing a security roadmap outlining the security components of existing software and hardware architectures, testing, verification, and validation efforts included to date, and future plans to continue improving the security of its products.
Principle 3: Leading from the Top
SEMPRE adopts security at the corporate level, aiming to lead by example: not only do we want to produce the most secure software and hardware products possible, we also want to secure our corporate infrastructure with the same intensity. This involves establishing security as mission critical before even entering the design phase, and it includes ensuring every employee, technical and non-technical, maintains a level of understanding of security risk and how that awareness impacts both internal and external company assets.
- Infrastructure and Network Security
- SEMPRE takes a layered approach to network security. The most basic design assumes that all other security mechanisms can be subverted or defeated, and thus each component and each slice of the architecture must be individually secured to the greatest extent possible. Each individual system and server, whether physical or virtual, is individually secured and firewalled. Each interaction between servers is assumed to take place over an unsecured channel, and thus we secure the connections using TLS to enforce authorization, integrity, and privacy. In addition, physical network protection devices, including firewalls and intrusion protection systems, protect the SEMPRE architecture by providing a secure perimeter.
- However, building on the zero trust model, we assume that no system is safe. SEMPRE employs anomaly detection mechanisms as a layer of defense against intrusion. These systems analyze logs, data, and network traffic to both proactively and reactively defend against potential network intruders. As each node hosts different applications and might be reliant upon a different network infrastructure, each node uses a continuous machine learning-based approach to identify a baseline for activity. As a result, every SEMPRE node has its own specific activity baseline to measure against.
- Containerized applications are an integral part of the SEMPRE node system. Containers are used for both system support purposes and for customer (end user) applications. Regardless of which technology is used, containers present unique challenges from a security perspective. Vulnerabilities may exist within the containerized applications themselves as well as within the container technology and orchestration systems required for integration. SEMPRE’s approach to container security follows industry standard best practices. Containers are not reachable via public networks like the Internet. External communication requirements can be supported through a secured intermediate host, with firewall protections required on both the intermediate host and the container itself. Additionally, containers themselves are analyzed and secured as though they were standalone systems.
- Security Documentation
- SEMPRE maintains up-to-date documentation of all security measures. This includes the following:
- System security plans (SSPs) covering physical infrastructure, hardware, software, IT policies, personnel security, risk management, training, and compliance.
- Comprehensive penetration testing reports from both internal and external sources.
- Hardware and software architecture security protocols (design and development).
- Hardware and software patches and remediations for identified vulnerabilities.
- Training records for all employees.
- Staff Training and Awareness
- SEMPRE provides regular training for all employees related to cybersecurity both as a matter of best practice and also to maintain compliance with government standards. Additional training, as required by particular contracts and customers, is provided as well, and certification is both required and provided. SEMPRE also promotes continuous cybersecurity awareness through regular communications regarding security incidents, both internal and external. This includes formal standards and practices and regular awareness updates on critical security topics. These are listed below:
- Password Management
- Email Security
- Safe Internet and Remote Work Practices
- Asset and Device Security
- Data Loss Prevention / Data Protection
- Social Engineering, Emerging Threat, and Threat Intelligence / Awareness
- Incident Reporting
- SEMPRE follows the principle that by consistently educating your staff on cybersecurity best practices and emerging threats, you empower them to be proactive in protecting your organization's digital assets and reducing the risk of security incidents.
- Incident Reporting and Response
- For purposes of clarity, a security Incident is broadly defined as a violation of computer security policies, acceptable use policies, or standard computer security practices. Incidents can result in negative consequences such as misuse of confidential or proprietary information, disrupting the functionality of the company’s IT infrastructure, and providing unauthorized access to the company’s networks and data.
- The process to be followed after probable or certain detection of a security incident is listed below, in chronological order.
- Pause: Do not turn off the computer or disrupt the environment. Attempting to fix the situation may make it worse, make forensic analysis difficult or impossible, or both.
- Document: Attempt to retrace your steps, documenting to the extent known the steps taken that led to the incident. This could be execution of a malicious binary, clicking on a malicious link, or use of an unauthorized external disc or device.
- Report: Contact IT Security and/or the Help Desk to report the incident. Be as clear and specific as possible in recounting precisely what happened and how.
- Respond: IT Security will conduct a thorough analysis of the incident, including a root cause analysis (RCA) and a determination of what changes, if any, should be made to existing security policy and configuration to prevent recurrence.