Right now, someone may be watching you through your computer’s webcam as you read this post. (Those chips you’re eating are making him hungry.) Elsewhere in your facility, a competitor is listening to the internal launch of a revolutionary new product through the microphone of a laptop computer sitting in the room.
“No, no, that can’t happen,” you’re thinking. “We have hardware security.”
Well, think again, because only recently has a standard been written that has the sharp teeth required to protect against security threats that sneak through the backdoor of computer peripherals.
On February 13, 2015, the National Information Assurance Partnership (NIAP) released the latest version of the Protection Profile for Peripheral Sharing Switch version 3.0 (PP 3.0), which includes security enhancements for modern peripheral switching technology. Major improvements have been made in PP 3.0 that enable new security capabilities and address secure use of new and enhanced technologies, as described below.
The definitions of the threats and functions to prevent/propagate attacks have been updated.
Protection against threats needs to evolve as the threats become more advanced. The previous Protection Profile dealt with the pre-2000 IT environment. At that time, firewalls could stop all external attacks. Advanced Persistent Attack did not exist, and peripheral devices could be trusted.
In PP 3.0, standards are defined to defend against these evolving, advanced threats and provide assurance that the switch will not propagate attacks if they occur. These standards require the following:
- Higher isolation between computer ports from digital and analog leakages.
- Optical data diodes to enforce unidirectional data flows.
- Much stronger protection for USB ports.
- Complete isolation of power domains to prevent signaling attacks.
- Analog audio diodes to prevent audio eavesdropping (TEMPEST levels).
- Emulation of display EDID, keyboard and mouse to avoid direct contact between computers and shared peripherals.
- Much stronger anti-tampering and tamper resistance.
- Strong protection from social attacks and malicious USB devices (such as BadUSB).
- Non-volatility requirements.
- Secure administrator access and log functions.
- Much deeper protection for video signals.
Security must be included in the initial design.
In the previous Protection Profile, non-secure KVMs could be reinforced to become secure and pass the evaluation. In PP 3.0, security must be designed into the product. This provides more focus on security than seen in previous Peripheral Sharing Switch Protection Profiles.
Product range has increased.
Customers across the globe are using the newest and most comprehensive technology to meet their complex needs. NIAP has listened to these needs and has written PP 3.0 to support a vast number of new products that can be tested for use in secure environments. These products include:
- Regular KVM switches
- KVM combiners
- Video wall processors
- Matrix KVM
- KM switches with cursor tracking
- Isolators and filters
- USB gateways
- Multi-domain smart-card and biometric readers
Stronger testing replaces Evaluation Assurance Levels (EAL).
NIAP has made a radical move from relying on EAL to indicate product security strength, to highly detailed testing specification in the PP 3.0. In previous Protection Profiles, products having EAL 4 (mid-level) were not necessarily more secure than products having EAL 1 (the most basic level). This was due to the nature of CC* testing – the EAL only said that you tested what you claimed. This problem caused NIAP to remove EAL from PP 3.0.
The level of testing in PP 3.0 is much higher than EAL 5 products within the previous Protection Profile. Thirty times more testing is required in PP 3.0 than there has been in previous Protection Profiles. New testing in PP 3.0 covers areas such as deep packet inspection and TEMPEST level isolation in critical areas such as audio.
Future-proof technology is added.
The previous Protection Profile was optimized for VGA video and PS/2 peripheral protocols, which are rarely in use today. PP 3.0 includes support for the most modern KVM technology including:
- USB (USB 1.1, 2.0, 3.0 and Type C).
- HDMI and DisplayPort video.
- MHL to support mobile devices and not only computers.
PP 3.0 is internationally recognized.
The previous Protection Profile was not widely adopted outside the United States, with many countries developing their own requirements over the years. This caused a lack of standardization in the security of Peripheral Sharing Switch products. In comparison, PP 3.0 is a true joint international effort. It passed through agencies and certification bodies in Canada, UK, Australia, Japan, Germany, France, Italy, Spain, Poland, Greece, Turkey, Israel, NATO and Brazil.
Emerson Network Power played a key role in developing PP 3.0 by serving in the Technical Community and writing key pieces of the requirements. By understanding the direction in which the Technical Community was heading, Emerson has been able to design new products that will meet PP 3.0 and is in the process of developing documentation to deliver to NIAP for initial testing. These products are slated to be released in April and will include a number of variants that we have developed for the first time.
Emerson is committed to supporting the security of critical IT systems across the globe and will continue to support NIAP in any future improvements to the Protection Profile. You can learn more about the Emerson portfolio of secure remote access offerings at EmersonNetworkPower.com/AvocentKVM.
* Common Criteria for Information Technology Security Evaluation, referred to as Common Criteria (CC).
Before coming to Emerson, I led the development of major IT security/resiliency programs for a vast range of DoD and federal energy clients at Booz Allen Hamilton.