As Australia’s critical infrastructure becomes more interconnected – relying on digital networks, Internet of Things systems and smart technology – developing effective and innovative means of keeping systems secure from cyber attacks has never been more important or more complicated.
The Australian Signals Directorate (ASD) responded to 143 cyber security incidents related to critical infrastructure in 2022-23, showing an increase of 95 incidents since the previous year and highlighting the need for cutting-edge security measures for Australia’s vital systems.
The answer to this issue may lie in a breakthrough cybersecurity technology developed in a collaboration between a team of mathematics researchers from RMIT University’s Centre for Cyber Security Research and Innovation (CCSRI) and a tech startup called Tide Foundation. Tide Foundation Co-Founder, Michael Loewy, said the partnership began when NTT Global, an international services provider, became aware of Tide’s early research.
“NTT is actually a major provider for RMIT and initially introduced us to the university in the context of a particular problem they were looking to solve, which is how do we grant students ownership of their identity and their credentials?
“Because you have this ecosystem where data needs to be ported between universities to employers. How do we do that in a way that’s not creating just a massive cybersecurity or privacy liability and grants ownership in the way that it should?
“Our concept, a technology capable of locking things with keys that no one ever holds, was a new technology able to solve that problem in a new way.” The joint study into the technology, which has been pre-published online by arXiv, was led by Dr Joanne Hall from RMIT’s School of Science.
Dr Hall said everyone needs to be thinking about what they can do to be more resilient against cyber crime. “Maybe ten or 15 years ago, having access to large amounts of data was considered an asset,” she said. “Now it’s considered a liability.”
Data dilemma
In recent years, high-profile data breaches, cyberattacks and instances of unauthorised data access have eroded public trust and highlighted the vulnerabilities associated with the collection and storage of data.
Regulatory bodies worldwide have responded by implementing stringent data protection laws, such as the General Data Protection Regulation (GDPR) in Europe. In Australia, the Notifiable Data Breaches (NDB) scheme, which is governed by the Privacy Act 1988 (Cth), became effective in 2018.
“This means that holding all that data is a legal liability, not just a kind of reputation or consumer liability,” Dr Hall said.
Mr Loewy said the problem is that “every single platform, every solution, every system today has these central points of vulnerability. It might look slightly different in each system, but ranges from your IT team with godlike access to everything to particular aspects of your software stack or supply chain.”
Whether a business is using software from a vendor, or relying on their IT team, or keeping keys with access, there’s always someone who has access to that authority. “And when that authority is compromised, it’s game over,” Mr Loewy said.
“That’s when you see the mass data breach. That’s when you see these horrific breaches of infrastructure, and there will obviously be a lot worse to come.
“We want to remove these Achilles heels by removing the need for blind trust. And the way that you do that is by providing some verifiability, something you can verify is trustworthy and reliable.”
Tide’s new technology, dubbed ‘ineffable cryptography’, offers a solution by allowing data and devices to be locked with keys that no-one will ever hold.
It works by generating and operating keys, in secrecy, across a decentralised network of servers, each operated by independent organisations. Each server in the network can only hold part of a key: no one can see the full keys, nor the entirety of the processes they are partially actioning, nor the assets they are unlocking. By spreading the process invisibly across the network, the keys that would-be hackers are seeking are never exposed.
Paradigm shift in cybersecurity
Dr Hall said there’s a number of components that must work together in a secure system. “You have mathematical primitives and then you have algorithms, then you have software, then you have hardware, then you have a business model, then you have a legislative framework. And we need all of these things to work in tandem.
“So my role has been very far down at the mathematical primitive. “We are using a mathematical primitive that is very different to what is in use in current security frameworks. The algorithms and software that build on top of that are obviously quite different because, like I said, right down at its core it’s completely different.”
Mr Loewy said that the primary principle of the technology is to remove all instances of all-access, ‘godlike’ authority from the system, even from administrators.
“There’s usually something inside of a system, a key, that is granting godlike authority to whatever’s locked inside of it. Our approach is to take the key out of the platform and render it unreachable. Ineffable.
“When required, the key will check, ‘Am I allowed to do that? I’ll unlock that for you, but I’m not going to hand you the key. I’m just going to give you what you need at that point in time’.”
This technology doesn’t require organisations to rebuild their CRM system, ERP system or access control system.
“You take this new capability and integrate it into an existing product, providing you with the security that even if the platform is breached, the authority to that godlike access no longer lives there. It lives outside in a place no-one can access it.”
Addressing threats to critical infrastructure
Ineffable cryptography offers a new approach to cybersecurity for critical infrastructure, which can be especially vulnerable to hacking thanks to legacy systems and its interconnected nature. “An organisation that manages infrastructure for not just themselves, but for all of their customers, they’re sitting on a huge liability,” Mr Loewy said.
“If they get breached, every single one of their customers are now at risk of compromise. And if those are important industrial facilities or big businesses, the impact of that breach is just enormous. No organisation wants to sit on that kind of liability; and every organisation wants to be able to provide a product or service in a way that demonstrates to their own customers, ‘We don’t present a risk to you even if we get breached’.
“Even if you weren’t working with legacy infrastructure and you had a completely new kit, best practices, the most highly trained employees, we’re still talking about human beings. We’re still talking about potentially facing an adversary with near unlimited resources.” Mr Loewy said it’s only a matter of time before that breach happens.
“If we still have these Achilles heels inside the system, it’s only a matter of time before they’re compromised. It’s the current approach to cybersecurity that is failing us, not the individual mistake that is inevitable, which is why we’re introducing a new approach.”
For example, in May 2021, a hacker group used a single compromised password belonging to an account no longer in use to attack the Colonial Pipeline in the US. The hackers accessed the major gas pipeline’s servers and demanded compensation, shutting down operations for five days and causing localised shortages of gasoline, diesel fuel and jet fuel.
Mr Loewy said the cyberattack was a notable event that exemplifies the vulnerabilities of critical infrastructure systems. By removing the “godlike authority” over these systems from anyone’s hands, Tide and RMIT have provided a technology that can prevent similar incidents.
Put to the test
Scientifically validating this technology has been a collaborative effort between RMIT’s own Chief Information Security Officer, top mathematicians and cybersecurity experts in the School of Science and CCSRI. Most recently, a select group of cybersecurity students, supported by the RMIT Cloud Innovation Centre and RMIT’s AWS Cloud Supercomputing Hub (RACE), worked with industry partners to help them test the technology and prove its ability to solve critical infrastructure security challenges in ways that weren’t previously possible.
The Ineffable Cryptography has been incorporated into a prototype access control system specifically for critical infrastructure management, known as KeyleSSH, and successfully tested with multiple companies. “Whether it’s individual devices, whether it’s access to a piece of infrastructure, a switch in a water facility or smart meter, we’re locking everything down with these keys that no one ever holds. Keys no-one can steal, lose, or misuse.
“Every time someone needs to do something, this control system now reaches out to the key and says, ‘hey key, it’s me. Can you make a configuration change? Can you unlock this?’ Whatever the case may be.” Notably, this technology is an Australia sovereign capability, underscoring the country’s capacity to transform the cybersecurity landscape.
“We don’t know what the future holds, but we do know that the future holds cyber crime, and so we do need to be thinking about what is the next thing that we can do to be more resilient against cyber crime? And everybody needs to be thinking about that, and sometimes that means a shift in the way things are done,” Dr Hall said.
You can read the joint study here: https://arxiv.org/abs/2309.00915