113057078 © Oleg Dudko | Dreamstime.com
Dreamstime L 113057078

Master Embedded Systems Security: A Step-by-Step Guide to Protect Critical Components

Oct. 18, 2023
How can you cover all the bases for embedded systems security? This step-by-step guide takes you through best practices.

Embedded systems security is an essential concern in the modern landscape. Products ranging from aircraft control to washing machines contain and need them to run correctly. Many embedded systems work in real time, providing mission-critical information…which makes the consequences especially dire if they’re targeted by cybercriminals.

An embedded system has the highest likelihood of being secure when everyone involved in designing it takes a methodical approach to reducing vulnerabilities. Here’s how they can do just that.

Take a Security-First Approach

Unfortunately, too many people working to create embedded systems treat cybersecurity as an afterthought. They frequently find problems late in the design process and may struggle to adequately address them before products go on the market.

Shawn Prestridge is a U.S. field-applications engineer manager for IAR Systems, which makes security tools. He estimates only 20%-30% of companies prioritize minimizing security vulnerabilities in embedded systems. Even worse, Prestridge said many people put little to no thought into cybersecurity for their embedded systems or are wholly unequipped to safeguard them against threats.

READ MORE: Linux and Security for Today’s Embedded Medical Devices

Securing a system begins with understanding how cybercriminals will likely target it and which approaches they’ll take when trying to steal data. For example, an adversary that launches a software-based hack could infect the system with malware or perform a brute-force attack. Network-centered attacks, including distributed denial of service (DDoS) or man-in-the-middle attempts, are also possible.

Assess your client’s cybersecurity practices and identify necessary improvements when building an embedded system. Designing a secure embedded system is essential, but preventing attacks also requires client preparedness and an attitude of continuously updating practices and procedures to reflect evolving attack methods.

Once development begins, people should strongly consider using tools that perform code audits on embedded systems. Although these checks can happen manually, they require time and skill to do well. One widely used approach is to let automated tools handle the initial review and then have a development professional see what may have been missed.

People may push back on efforts to emphasize security if it extends the development timeline. However, it’s far better to take cybersecurity seriously from the start than to later discover severe vulnerabilities that could take longer than anticipated to fix.

Isolate Essential Parts of the System

One best practice for embedded systems security is to isolate the aspects a hacker might try to exploit. Successful infiltration of one component would not allow the cybercriminal to gain additional access elsewhere.

Relatedly, people should set dedicated access control measures for each part of an embedded system. Jean-Georges Valle, author of a book about the importance of penetration tests for hardware, clarified how embedded systems never exist in isolation, providing cybercriminals access to the rest of a company’s IT infrastructure. Valle also noted how people often mistakenly think embedded systems are inherently secure, so they forget to follow established methods of keeping out hackers.

READ MORE: Cybersecurity: DDoS Attacks Knock Organizations Offline

People might apply the principle of least privilege to the system as they explore the most effective ways to keep critical components safe. It means users only receive the minimum access privileges required for a desired action.

A secure boot feature is another widely utilized protection mechanism for the vital components hackers may target. The secure boot uses the root of trust (RoT) to verify all code loaded or executed. The RoT is a reliable source within the system and uses cryptographic principles to check the code. It also works in stages, where an embedded system’s state can only progress after validation.

Create Logging and Monitoring Features

Cyberattacks are increasingly frequent and costly. Statistics from 2021 revealed a 17% uptick in the average cost of security breaches. However, improved visibility can help people detect intrusion attempts earlier, potentially reducing the damage and associated expenses.

Building logging and monitoring capabilities into the embedded system can tell users about any unusual characteristics of the critical components. Many designers prefer lightweight and fast loggers that let the system maintain expected performance. Some data loggers offer real-time collection, helping people know precisely when something’s amiss.

However, just collecting the data is insufficient for embedded systems security. People must also develop a process for reviewing the information and investigating anomalies. Some companies have responsible parties receive notifications of anything unusual in the logs. Then, there’s little to no delay in them checking it out and potentially preventing an attack in progress.

Designers and engineers must make clients aware that the embedded systems have integrated logging capabilities and emphasize the importance of analyzing them. Picking out unusual events takes time, but it’s a practical way to increase awareness of cybercriminals and stop their attack attempts.

Use an IDPS

It’s always wise to use an intrusion detection and prevention system (IDPS) in addition to any logging capabilities that strengthen embedded systems security. People can configure the IDPS to handle multiple tasks and alert the appropriate parties to suspected problems.

READ MORE: 4 Tips for Securing Industrial IoT Networks

For example, an IDPS may monitor network traffic according to established parameters. Then, it could take either an active or a passive response. In the latter case, the IDPS would maintain activity logs but leave humans to investigate further. However, an active response might block network activity to thwart or slow cybercriminals’ efforts.

People using an IDPS to safeguard embedded systems must regularly update it to recognize the latest threats. Otherwise, it’ll be easier for attackers to break through the defenses.

Remain Aware of Industry Developments

Cyberattacks are occurring so frequently that even people outside tech development and related sectors know they must do what’s necessary to protect against them. Many IoT products will soon feature specific labels that show they meet cybersecurity standards.

More products focused on embedded systems security are also arriving on the market as vendors see the customer demand for them. It’s also becoming more convenient to update the software used for embedded systems. Many enable over-the-air updates so the products stay current with limited intervention from owners.

Consider how cybercrime advancements could make it easier for outsiders to compromise embedded systems security and proactively reduce that risk. Maintaining appropriate safeguards requires putting yourself in the position of a hacker and considering what they’ll target, then creating preventive measures. Eliminating all threats is impossible, but you can certainly minimize them.

Embedded Systems Security Starts With You

Many of these tips are for people directly involved in building embedded systems. However, even if you only use them, you can do so more securely, maximizing the usage applications for your embedded systems so they support your business.

Voice your opinion!

To join the conversation, and become an exclusive member of Machine Design, create an account today!