New Approach to Secure Critical Infrastructure

Infrastructure Magazine - March 2024

INEFFABLE CRYPTOGRAPHY: A New Approach to Cybersecurity for Critical Infrastructure

As Australia’s critical infrastructure becomes more interconnected relying on digital networks, Internet of Things systems and smart technology developing effective and innovative means of keeping systems secure from cyber attacks has never been more important or more complicated.

The answer to this issue may lie in a breakthrough cybersecurity technology developed in a collaboration between a team of mathematics researchers from RMIT University’s Centre for Cyber Security Research and Innovation (CCSRI) and a tech startup called Tide Foundation.

The Dilemma

Whether a business is using software from a vendor, or relying on their IT team, or keeping keys with access, there’s always someone who has access to that authority. “And when that authority is compromised, it's game over,” Mr Loewy said.

“That's when you see the mass data breach. That's when you see these horrific breaches of infrastructure, and there will obviously be a lot worse to come. “We want to remove these Achilles heels by removing the need for blind trust. And the way that you do that is by providing some verifiability, something you can verify is trustworthy and reliable.”

Tide’s new technology, dubbed ‘ineffable cryptography’, offers a solution by allowing data and devices to be locked with keys that no-one will ever hold.

Paradigm Shift in Cybersecurity

“We are using a mathematical primitive that is very different to what is in use in current security frameworks. The algorithms and software that build on top of that are obviously quite different because, like I said, right down at its core it's completely different.”
Dr Joanne Hall, RMIT University.  

Mr Loewy said that the primary principle of the technology is to remove all instances of all-access, ‘godlike’ authority from the system, even from administrators.

“There’s usually something inside of a system, a key, that is granting godlike authority to whatever’s locked inside of it. Our approach is to take the key out of the platform and render it unreachable. Ineffable. “When required, the key will check, "Am I allowed to do that? I'll unlock that for you, but I'm not going to hand you the key. I'm just going to give you what you need at that point in time."

This technology doesn’t require organisations to rebuild their CRM system, ERP system or access control system. “You take this new capability and integrate it into an existing product, providing you with the security that even if the platform is breached, the authority to that godlike access no longer lives there. It lives outside in a place no-one can access it.”

Addressing Threats to Critical Infrastructure

Ineffable cryptography offers a new approach to cybersecurity for critical infrastructure, which can be especially vulnerable to hacking thanks to legacy systems and its interconnected nature.

“An organisation that manages infrastructure for not just themselves, but for all of their customers, they’re sitting on a huge liability,” Mr Loewy said. “If they get breached, every single one of their customers are now at risk of compromise. And if those are important industrial facilities or big businesses, the impact of that breach is just enormous. No organisation wants to sit on that kind of liability; and every organisation wants to be able to provide a product or service in a way that demonstrates to their own customers, ‘We don't present a risk to you even if we get breached’.

Put to the Test

Scientifically validating this technology has been a collaborative effort between RMIT’s own Chief Information Security Officer, top mathematicians and cybersecurity experts in the School of Science and CCSRI.

Most recently, a select group of cybersecurity students, supported by the RMIT Cloud Innovation Centre and RMIT’s AWS Cloud Supercomputing Hub (RACE), worked with industry partners to help them test the technology and prove its ability to solve critical infrastructure security challenges in ways that weren’t previously possible.

The Ineffable Cryptography has been incorporated into a prototype access control system specifically for critical infrastructure management, known as KeyleSSH, and successfully tested with multiple companies.

“Whether it's individual devices, whether it's access to a piece of infrastructure, a switch in a water facility or smart meter, we’re locking everything down with these keys that no one ever holds. Keys no-one can steal, lose, or misuse.”
Loewy said.  

Notably, this technology is an Australia sovereign capability, underscoring the country’s capacity to transform the cybersecurity landscape.

Read the full story here