Can we improve cybersecurity by learning from how the human body defends itself against attacks by viruses and bacteria? The partners involved in the self-healing project team responded positively to this question in the Shared Research Programme (SRP) Cybersecurity. In the new Partnership for Cyber Security Innovation (PCSI), the experts are looking for even more effective solutions that appeal to the imagination.
Defence against cyberattacks is high on the agenda of large organisations such as banks, energy companies, telecom companies, government institutions and transporters. The problem is that they are in danger of losing the rat race. Every time the attacker comes up with something new, the target has to find a defence mechanism. And as soon as new protection is found, the attacker comes up with a way to crack it.
Looking back, Bart Gijsen from TNO says, "We wanted to break that rat race. And we were inspired to do this by a mechanism of nature: the contest between the human body and viruses and bacteria. In the SRP Cybersecurity we decided to study the parallels between the defence mechanisms of the human immune system and the ICT side of cybersecurity."
"Once in a while the human body replaces its own biological cells"
Process of renewal
A fundamental difference between ICT systems and the human body is disposability. Depending on the organ, this happens faster or slower, but once in a while the human body replaces its own biological cells. The immune system also uses this principle. If it expects cells to be infected with a virus, a renewal process quickly begins.
"It’s not something that occurs in ICT," Gijsen states. "The adage is: it works, so keep off it and let it run as long as possible. That's why we explored the mechanism of disposability as one of the first questions: how could you also use modern ICT technology to achieve an automatic renewal process in ICT infrastructures for cybersecurity?"
Disposability and decentralisation as main differences
One of the participants in the project team is Rogier Reemer of Achmea. Reemer works as an enterprise architect, but because he originally graduated as an immunologist, he is able to bring in specialist knowledge. "Disposability is indeed the most important difference. But what also plays an essential role is the fact that the human body works in a decentralised way." Reemer explains: "Central security software runs on a computer network. As soon as the attacker hacks a laptop, it is cut off and the rest of the laptops are safe. But in the human body, every cell runs its own scans. If a cell is infected, it turns itself off and gives a warning signal to all the other cells, i.e. without external control."
"In the event of abnormal behaviour, a container is immediately terminated”
The challenge, therefore, is to build a system that is decentralised and self-repairing. Gijsen: "In a proof-of-concept we built a self-regenerating ICT environment in which the containers, kind of virtual computer servers, renew themselves on a regular basis. We did this by adding functionality to the existing software platform Kubernetes."
The next step was to detect the moment at which a container begins to exhibit abnormal behaviour. The researchers succeeded in this as well. Instead of waiting until the timer for a specific container expires, the container is immediately terminated in the event of abnormal behaviour. By adding anomaly detection, the self-regenerating system also becomes adaptive.
"We have shown that self-healing is not a pipe dream," says Gijsen. "You can actually use it to create an architecture that automates cyberdefence to a much higher degree than is currently the case. This is a fundamental mechanism within the arsenal for defeating attackers and enabling defenders to do their job properly."
"Over the last 50 years, we have witnessed rapid technological development," adds Reemer. "That is fantastic. I enjoy such progress. But it is a shame not to look at the billions of years of life and systems that have been developed around us. While we can't take everything on board, there's a lot that can be learned from them."
"The bigger the foundation, the safer we can make society"
Focus on new short-cycle innovations
What’s the next step? Reinder Wolthuis is programme manager at TNO for both the completed SRP Cybersecurity and the new PCSI. "Together with ABN AMRO, Achmea, ING and de Volksbank, we are focusing on the next innovations in cybersecurity. In order to align the innovations more with current developments, we are opting for short-cycle innovation and an agile way of working."
The partners select relevant themes on a quarterly basis and, on the basis of these, the PCSI starts innovation projects. Wolthuis: "Think for example of automated honeypots, with which you entice attackers in so as to learn more about their behaviour. We are going to develop an advanced honeypot that has all the characteristics of a real organisation, so that the attacker is misled in a sophisticated way."
Wolthuis is keen to get in touch with organisations that want to join the PCSI. These are large organisations from all sectors with a mature security department that, just like the banks, want to be a core partner. But also smaller parties that want to participate in the PCSI ecosystem in the form of contributing specific knowledge or exploiting results.
“The bigger the foundation, the safer we can make society. As a core partner, you invest time and money. What you get in return is a large volume of research into the problems we face, a say in the issues and immediate access to the results."