Product Security Glossary

Embedded System Security

What is Embedded System Security?

Embedded systems security is a set of practices and procedures that help guard embedded devices against intrusions by cybercriminals.

What is an embedded system?

Embedded devices, including Internet of Things (IoT) devices, are computing devices that are not in the form of a traditional computer, and that can be connected to the Internet or other networks.  Automobiles, medical devices, industrial controllers, printers, smartphones, and many consumer goods now contain embedded devices that are connected to the IoT.  For reasons of privacy, theft prevention, and safety, effective embedded systems security must be implemented.

Why do we need embedded systems security?

Embedded systems present a whole range of security problems.  A compromised system could leak sensitive data, or it could present a safety problem.  Clever intruders can sometimes penetrate an entire corporate network by first compromising and embedded device, such as a network printer.  We need embedded systems security to safeguard against these types of attacks.

What do we need for embedded systems security?

Quite a few things go into implementing proper embedded systems security.  It all must begin in the device design process.  Device manufacturers need to ensure that devices are designed with security in mind, and to not just consider security as an afterthought.   

The first requirement you might think of is to have a secure, encrypted method of communicating with devices.  While implementing proper cryptographic communications protocols is important, embedded systems security entails much more than just that.  Proper authentication is needed to ensure that only authorized personnel can log in.  Security vulnerabilities will pop-up in the software from time-to-time, and we will need to ensure that software patches can get pushed out in a timely manner.  All software updates need to be cryptographically signed to prevent attackers from installing malicious software.  The boot process for each device must be safeguarded, to prevent attackers from replacing the legitimate operating system with something malicious.  Before deploying an embedded device, its firmware should be scanned for vulnerabilities by a reputable firmware scanning service. 

Physical security is also important. Embedded devices should have security measures to protect the device for locale threats. For example, a USB device should not be allowed to be mounted automatically without user interaction. 

Embedded systems security involves more than just the devices themselves.  Security of the network and of the servers with which devices communicate must also be considered.  Whenever possible servers, apps, network elements and anything part of the network should be scanned for vulnerabilities and hardened. Additionally, networks should be set up with basic security features such as firewalls and Intrusion Detection Systems (IDS) that can prevent attackers from gaining access, and that can notify security personnel whenever someone tries to gain access.  The networks security policies should be frequently reviewed and updated to keep up with the constantly evolving threat landscape. 

As you can see, embedded systems security is important.  Everyone who deals with embedded devices should be aware of at least the basic precepts.