Embedded systems aren’t what they used to be. Whereas once isolated in their own environment, embedded systems within the likes of heavy machinery, vehicles, industrial equipment and even medical devices, are now more interconnected and externally connected than ever before.
The growth of the Internet of Things (IoT) is driving new market demands and technology trends like ubiquitous connectivity, consolidation of functions, and automation. While these trends offer opportunities, they also present challenges for embedded system manufacturers. As these devices become more connected and complex, the attack vectors and attack surfaces increase exponentially. This leaves manufacturers of embedded devices struggling to stay ahead of the pervasive and growing threat of cyberattacks.
The challenges of cybersecurity are inherent in embedded systems on both the software and hardware fronts. According to Forbes, “Traditional IT security does not work with IoT devices, because their processors are often too small for firewalls, they can use multiple communication channels and connectivity types and can have easily accessible online interfaces that are a goldmine for malicious actors.”
My recent white paper, The Past, Present and Future of Cybersecurity in Embedded Systems, explores embedded systems of the past, which were simple and generally isolated from the outside world. The paper looks at how present-day systems are becoming increasingly complex and interconnected and examines some of the potential threats of the future. The whitepaper primarily focuses on today’s embedded systems which can control more features within a device through automation, contain sensitive information, and have become inherently more susceptible to cyberattacks. Together, these factors put much more pressure and responsibility on embedded system designers and manufacturers to protect both the systems and their end users.
The building blocks for a secure system include encryption, communication, lifecycle management, identity management, threat defence and software updates. This all starts with the security design as it allows the development teams to define mechanisms for all layers (hardware, drivers, OS, middleware and user applications). The design should have mechanisms to detect and respond to different types of threats that might arise from inside and outside the system. it must also consider mechanisms to securely communication, update, and authenticate.
The paper explores the types of vulnerabilities that will put systems at risk, and provides data compiled using BlackBerry® Jarvis™, a cloud-based, binary static application security testing (SAST) solution, along with other independent sources. The Jarvis assessment uncovered vulnerabilities in commonly used automotive industry software, showing that insecure software accounts for approximately 70 percent of them. Further, programming errors that can lead to buffer overflow—a vulnerability that can cause data exposure, data loss and possibly control over the system—are at the top of the list of exploits that take advantage of the insecure software.
Embedded System security involves an overall culture change for any organization, which starts at the product concept phase and goes all the way to postproduction and maintenance. This can mean a major cultural shift for most organizations. But specific cybersecurity standards are being developed to help guide the shift. And there are recommended processes you can use when adopting a security culture and strategy within your development team.
The paper contends that the embedded operating system is the foundational piece for cybersecurity in any embedded system as it is generally the centerpiece of cyberattacks. It discusses three of the basic mechanisms that any embedded operating system should include. These mechanisms are often called the Three Musketeers, as they can help reduce the risks associated with insecure software that can lead to buffer overflows.
Read the white paper to learn how security has evolved from the early days of embedded systems, to get insights on how it should be progressing, and to gain a better understanding of vulnerabilities and mitigation techniques to better manage security risks within your embedded systems today and into the future.