I attended the Community Connections Night for the Electrical and Computer Engineering department last night. The students set up maybe 10 different stands to pitch their projects and highlight some of their student organizations. I’ve been volunteering with this group for almost 10 years now. In these 10 years, I’ve only seen maybe 1 or 2 projects that maybe had a security angle in their project. The security aspect was often dropped late in the semester. However, I knew there were some cool non-security projects, so I was excited to check them out.

The quality and technical complexity of these student projects are amazing. For example, there was a group making their own car that would later compete. The competition was judged on many different aspects like cost, reliability, and of course, speed. They had their steering wheel and control systems out so visitors could activate some of the servos – which is always a great demo.

A student was studying satellite communications and had an SDR demo going. Another two groups were involved in rockets. One of these groups is competing in a NASA-sponsored event. Here, after the rocket launches, a payload must be released from the rocket with a control signal, and the payload must return safely without a parachute. The other student group was just really into DIY rockets for fun.

Another multi-disciplinary group was building a canine exoskeleton. This would act as a kind of robotic physical therapist for dogs. Currently, it takes three vet techs to perform the therapy, and this would reduce it to one. There was another group building another car and finally a group was building a robot that would “play catch” by detecting a ball with computer vision.

Now, most of these projects have been going on for more than one year, so they aren’t necessarily starting from scratch. Even still, some of these teams have 9 or 10 engineers, including electrical, computer, and mechanical, working on the project for a minimum of 9 hours a week.

I was completely blown away by the depth of these projects. But I was initially saddened by the fact that computer security is hidden away in computer science and security couldn’t be further away from the minds of any of the students here. I’ve been thinking about why, despite our efforts, computer security still has massive failures. And despite growing world-wide legislation, it doesn’t seem to me we are improving.

So, an idea came to me, and I’d like to suggest two ways to incorporate security into these types of engineering projects. The first way, after a project completes, bring in a security student. That student must exploit the system and then work with the original engineering team to fix it. So for example, take the rocket team. They are sending an unencrypted, unauthenticated control signal to a rocket to release a payload. They could make a malicious device to release the payload when it’s not ready and perhaps when it’s unsafe, demonstrating the attack. They would then have to work with the engineers to fix this vulnerability.

In doing this, they would discover that the original team, having moved on from a successful prototype, is perhaps uninterested in spending the time to fix the vulnerability. After all, the rocket “works.” The security student can’t fix the problem because she doesn’t have access to the test system, nor access to the original team because well, she came afterwards really. This would perfectly simulate what it’s like to do a penetration test in the real world. And while there are some companies that fix their vulnerabilities, if the product is already realized and “working” the incentive to fix these issues is really not there.

Another way to fix this, would be to add the security student on the team from the beginning. After all, there is already a mechanical engineer, a computer engineer, and an electrical engineer. If this is done, the security engineer could evaluate what the threats are to the project and design them in. Of course, every security feature blocks ease of debug and testing. But this is exactly the challenge also in the real world. The security engineer must work with the rest of the team to secure the highest priority threats meanwhile ensuring the team still crosses the finish line together.

I can’t blame the students here and honestly; I can see how they are more motivated to get the rocket to work then to secure the comms link. But there are people out there who get just as excited to secure the link, after all, security doesn’t work in a vacuum. We need something to secure. But I hope one day to see a program like I outline above because otherwise I think we are training future generations that security in engineering is an afterthought – something to do for compliance or management. In the meantime, I wish all the students well and I can’t wait to see the progress of their projects.