In a pioneering move, cyber-security expert Bruce Schneier approached the risks linked to embedded systems as early as January 2014. Embedded systems cyber-security raised a certain amount of interest in 2015, and will represent an even hotter topic in 2016.
Taking a broad view of what embedded chips mean for the cyber-security specialist, Schneier explains how specialized computer chips manufactured by Qualcomm, Broadcom and other dedicated manufacturers come with particular features (such as an OS, usually Linux) and their own bandwidth, to be selected and used by original device manufacturers (ODMs) as the cyber-core of the devices-to-be. When vast industrial processes are involved, component price tends to outweigh software security features, so the most widely used chips come with old, vulnerable software. Relevant patches are rarely applied, while all these devices have the potential to be part of the interconnected Internet of Things. As a result, any vulnerability becomes an entry point into this vast interconnected system. Multiply this phenomenon by the countless times such devices sell, and you will easily understand the growing concern over embedded vulnerabilities.
How to approach embedded vulnerabilities
Cyber-security already features the subsidiary field of embedded system security. This comprises precisely the activity of vulnerability reduction and continuous protection against any security threats that would affect the software running on the embedded chips.
The inherent air-gapping that once kept these chips from being active points of vulnerability is now gone. With connectivity closing in on being almost global, securing these tiny components from their first appearance in the production chain is critical.
Some of the most renowned cyber-security brands have included among their services dedicated endpoint and embedded devices protection.
On a smaller scale, there are recommendations available for manufacturers who want to establish best practices in their facilities, although trying to independently control the vulnerability issue where embedded systems are concerned might not be such a good idea. Nevertheless, complementing a specialized outsourced security service with on-premises cyber-security best practices would be a recommended strategy.
We will briefly review both approaches.
Professionally tailored embedded system security
Kaspersky Lab offers a dedicated Security System platform “to ensure the safety of information systems that demand enhanced security (…), available as an embeddable OEM component to manufacturers and vendors of comprehensive IT solutions.” The beneficiaries are “entities that work with ERP and electronic document management systems, smart grids, the Internet of Things or even critical infrastructure”, such as the vendors of embedded OS or the system integrators (as far as our topic is concerned). The adopted concept is to strictly separate the security features from the functional components of the computer system.
Offering “host-based protection in managed and unmanaged scenarios, without compromising device performance”, Symantec underlines the benefits for the manufacturers and asset owners, such as:
- elimination of zero-day exploits,
- maximization of system up-time,
- real-time monitoring of intrusions and changes, and
- securing legacy systems and mitigating further patching requirements.
Part of Intel Security, McAfee also provides a full line of standalone security products for embedded systems composed of 6 different solution-types, tailored for specific cases. The targeted vertical markets in this case range from retail, point-of-sale systems & digital signage to industrial automation and controls.
Another provider of embedded security that has established a name for itself is Infineon. Considering the ubiquitous embedded system in the IoT and M2M (machine-to-machine) context, the company offers “easy-to-integrate, scalable and customizable turnkey solutions” that help industrial entities in preventing operations disruption, business discontinuity and other embedded-related risks for their brand image.
Another dedicated services example comes from Innominate. Their whitepaper considers how virtualization in IT and automation created the virtual machine manager, while specific embedded virtualization presumes “combining native Windows installations with additional unmodified guest systems on a thoroughly partitioned multicore PC platform”. The Innominate security approach translates into partitioning the CPU into two cores and system domains, one for Windows and one for the mGuard® Security Appliance, separating the OS from any intrusion by employing the mGuard® firewall, which requests authorization by a “general static or user-specific dynamic firewall rule”.
Best execution-space practices concerning embedded system security
A relevant article from Embedded recommends the following essential steps in order to raise data protection, by also protecting the interfaces against abuse:
- Implementing a general cyber-security strategy;
- Keeping all untested programs out of the execution space;
- Keeping all data separated and private (no data exposure or unnecessary inter-software communication);
- Clear identification of information and standard routine employed at both ends during content validation;
- Awareness and use of embedded security standards (CISQ, MITRE);
- Following a pre-established strategy for disruptions: activity should continue around the issue while the nature of the disruption is determined and the proper measures are taken.
The long arm of embedded vulnerabilities
When it comes to such tiny components as the computer microchips, maybe some of the pre-automation industry professionals could understandably minimize the risks if they have never met the consequences. Nevertheless, it is better to learn from the mistakes of others, and recent history offers a specific cyber-security breach that remains a valuable lesson for all.
The 2010 Stuxnet case made history as the first cyber breach to bridge computer systems with real-life components, demonstrating how an infected system can affect material elements of great consequence. That particular virus was engineered to exploit a backdoor of the targeted SCADA system employed by the Iranian power stations, and it worked by ruining nuclear hardware. Stuxnet is a reference case for the disruption of physical assets via digital cyber-war, and it opened a yet unresolved question: how could this physical effect of digital vulnerabilities be avoided? Minimizing the risks is directly connected with embedded security solutions.
Critical systems would be at least potentially connectable, if not partially connected with other peripheral less-critical systems that might provide weak entry points. There is no defense hierarchy when an entry point is all it takes for an intruder to get into a system – all points should be protected and monitored.
A supplementary informative material on embedded security deployment models, hardening devices and secure communications is accessible here – and it comes with tips and tricks on scalability, establishing a task force and selecting the most capable vendors.