What is Embedded System Security?
Embedded systems are those in which a physical device is controlled by computer located inside it. As for any computing device, security for such devices means the ability to ensure their functionality remains as expected even in the presence of a determined attacker. However, for embedded devices, security often has impact beyond the digital world, because these devices can affect the real world if they control moving vehicles, industrial equipment, medical treatment dosages, and more.
Embedded systems security is best achieved by including protective measures into the device’s design. Technical measures should be put in on many levels in a device’s design and implementation, to ensure defense in depth against possible attacks. In addition to preventive measures, multiple other steps such as secure procurement, ongoing vulnerability tracking, disclosure and stakeholder notification policies, and remediation (including possible updates in the field) are required to ensure comprehensive security. Security considerations have to be included in all the other stages of a device’s lifecycle, covering deployment, maintenance, and decommissioning or ownership change.
Other names and definitions for embedded systems include the Internet of Things, Cyber-Physical Systems, and more. However, all definitions agree that connected systems that have sensors, processors and actuators in the physical world need different treatment from general computing systems, such as servers, personal computers, and mobile phones. Increased risk of harm to the real world means that all stages of security analysis and implementation must take into account the physical properties of the devices and applications involved. In addition, the different industries using embedded devices may have their own compliance and standardization needs.