When it comes to cybersecurity, there are a lot of opinions out there as to what constitutes a cyber secure system or device. Odds are, if you ask a vendor how cyber secure their products are, they will likely say “our cybersecurity is great!” But should you believe them? How can we know if a network-based product is truly secure from the vast majority of threats?
One way is to rely on a third-party organization that employs some of the brightest minds to think about this all day, every day. The National Institute of Standards and Technology (NIST) is such a group, and it has created a collection of approved encryption algorithms known as the Federal Information Processing Standards (FIPS). The goal of FIPS is to ensure computer security and interoperability for U.S. government agencies and contractors.
So why is that interesting to us? Well, if the cybersecurity standards of FIPS are good enough for the NSA, FBI and the DoD, then perhaps they’re good enough for your business, too!
FIPS wasn’t just created in a vacuum either; it takes its best practices from many other technical groups like the American National Standards Institute (ANSI) and the Institute of Electrical and Electronics Engineers (IEEE), as well as the International Organization for Standardization (ISO) to name a few. So, when someone says they are FIPS certified at a certain level, it’s possible to know exactly how cyber secure they are. After all, facts are much preferred to opinions when it comes to all things cybersecurity.
Evolving With The Times
One of the best things about FIPS is that it is an evolving list of standards. We know how fast technology changes, and as new exploits are found, we must change our methods. An example of that is Triple DES, or 3DES, which was one of the most prominent forms of encryption in the nineties, itself an evolution of the original Data Encryption Standard (DES) created by IBM engineers in 1975.
When 3DES was compromised a few years ago, it was removed from the FIPS authorized algorithm list. This ability to keep pace with the times is critical to keeping things secure. For example, you might hear that a network security camera is FIPS 140-2 Level 3 certified. That’s a recent version of the FIPS standard which lays out security requirements for cryptographic modules utilized in a security system protecting sensitive information.
Just what we want, right? The standard provides four increasing, qualitative levels of security: Level 1, Level 2, Level 3 and Level 4.
It’s possible to send a product to an independent lab and have it tested and verified against the FIPS standard just like UL certification for electrical safety. That takes the guesswork out of the equation when it comes to the relative cyber resiliency of a device.
The most recent version of the standard is FIPS 140-3, which came out in March 2019. You might reasonably assume that this version of FIPS is the newly mandated standard. It’s not, however, and the reason is that “it’s complicated.” The latest FIPS 140-3 standard says the MD5 hashing algorithm is no longer secure. The problem is that many current systems use MD5 to ensure that files, digital signatures, and passwords are protected from being cracked or tampered with.
It’s in use on a global scale. So, the government is dragging its feet about enforcing the new standard because a lot of critical applications would be banned. Sometimes evolution can take time to implement. However, FIPS 140-3 compliance is a target that any new products in development should be aiming for. Many of i-PRO’s AI cameras are already FIPS 140-3 compliant, for example.
The Secure Element
Part of the state of the art behind protecting IoT devices, like network cameras, is utilizing a secure element. A secure element is a tamper-resistant integrated circuit chip that can be used to generate and store cryptographic keys. It’s small, fast and easily deployable in edge devices.
For example, i-PRO uses the EdgeLock secure element and those FIPS 140 compliant encryption algorithms we mentioned come preloaded and configured in that secure element, enabling it to generate secure cryptographic keys right inside the camera. By providing a secure platform for storing and processing this sensitive data, the secure element helps to protect users from a wide variety of attacks and tampering.
Another great thing about a secure element is its ability to lock third-party apps, too. This enables a secure open platform approach where third-party plugins can be installed on a camera without concern that they might compromise cybersecurity. It’s worth mentioning that not every camera contains a secure element, and some manufacturers charge extra for models that include them. They might also charge you to install third-party certificates. So, it’s good practice to add that capability to your must-have list of features when evaluating products.
‘Rely on Facts’
When it comes to cybersecurity, it’s important to rely on facts from a third-party organization with groups of peer-reviewed data scientists and mathematicians that do nothing but think about security all day, every day. New threats emerge that can easily turn what was once a tried-and-true method of security into the latest liability.
For that reason, it’s important that cybersecurity standards are built to evolve. FIPS is a curated collection of approved encryption algorithms that can ensure that network security devices are secure. It’s a freely available standard that anyone can use to build and deploy a cyber secure network device. I recommend adding it to your must-have features list.