What Is It?
Hardware is the physical components of a product or system. This can be the circuit boards and associated components inside an embedded computer, or a uniquely created electronic device that fulfils a specific purpose, such as a dialysis machine.
Why Assess It?
There are many reasons to conduct a hardware security assessment, five of which are below.
Physical Attack Insight
Offering a service over a computer network carries a very different risk profile from shipping a device out to a potential threat actor who has extensive time and freedom to evaluate the security of the device. Conducting a hardware security assessment allows you to understand your risk and demonstrably see how a threat actor would attack your device.
Protect Intellectual Property
Your organisation has put time and effort into developing the device, which likely contains intellectual property that is unique to you and needs to be protected. Through a hardware security assessment, you can ensure that your intellectual property is protected appropriately and that your device sufficiently withstands any attempts by threat actors or competitors to reverse engineer it so they can copy it.
Ensure Safety
Devices are shipped to users, and your organisation must meet various standards for electrical safety and data privacy, as well as meet user expectations for security. A hardware security assessment gives you the confidence that you have met the security requirements.
Secure Reputation
The device you have made represents your organisation. It will be in the hands of users, customers and competitors alike, and any security weakness will cast doubt over your commitment to security and could undermine your marketing initiatives going forwards.
Attest Product Security
Manufacturing a device involves many stages. It is important that the end result of this process is evaluated to ensure that no artefacts of interest to a threat actor have been left behind and no configuration has been left unhardened.
The Agility Cyber Approach
Like all our engagements, we want you to get the most out of your hardware security assessment and we do this by:
Depth and Breadth
Before attacking a device, we believe in mapping out every input and output to understand where attack paths may lie. Once we have gained a foothold on the device by authorised or unauthorised means, we investigate all possible attack paths to give you the depth of assurance needed to really attest the security of the device.
Threat Actor Simulation
We do not just review the components of the device. We look at its behaviour and emulate a genuine threat actor who has objectives to meet. This ensures that the risks we find are comprehensively assessed for viability and that we apply creativity to subverting any security mechanisms relevant to the device.
Collaborative
When we conduct a hardware security assessment, it is not done in isolation from you, unless that is the objective you have tasked us with. We prefer to share ideas and draw on your team's knowledge to ensure maximum coverage and value during the engagement.
Build Chain Insight
A hardware device has physically come into existence through a process. When assessing the security of the device, we investigate how it was built so that, if any further security hardening could be conducted before the device reaches a fully commissioned state, we can accurately suggest it.
Ongoing Assurance
Your organisation's device will have an expected lifetime, and it is important to ensure that you can maintain its security posture over time. For this reason, we check for additional security functions: whether and how the device protectively monitors itself, how device safety mechanisms work, and whether there is an update process and how its integrity is protected. We also look for any known or unknown risks, for example from the remote management solution of a supplier's component.
Benefits of Partnering with Agility Cyber
Mutually Invested
Our experts work with you, not against you. There are no egotistical celebrations when a serious issue is discovered, just rapid full disclosure with pragmatic suggestions for effective remediation followed by ongoing support.
Clarity and Simplicity
We always provide clarity, believe in simplicity and value your time. For example, rather than waiting until the engagement starts, we conduct open source intelligence gathering before the scoping meeting to help us understand your organisation's position and risk posture. This enables us to ask better questions, securing you higher value and saving you time.
Full Consultancy
Our team, based in the UK, is technically exceptional but we pair that with business sense to discover, triage and help you remediate the full range of security issues.
Impartiality
We are impartial. We do not sell you products or the latest buzzword-laden trending solution.
Outstanding Service
We have an industry-leading turnaround; agility is in our name, after all. Proposals are shared with you within 24 hours of the scoping meeting. Accurate and complete daily debriefs are given during every engagement. The report is shared within 5 working days at the latest.