An Eye-Opening Look at Embedded Security (or not)
2017-04-07 Terry Gaul
“In an eye-opening embedded systems safety and security survey conducted by the Barr Group, 28 percent of respondents said the systems they work on could cause injury or fatalities and 60 percent of the respondents said their systems were connected to the Internet. Disturbingly, even when their systems could be dangerous and were on the Internet, 22 percent of engineers said security was not a design requirement on their project.”
The statement above was made by Curt Schwaderer, Editorial Director, of Embedded Computing Design, in his article commenting on the results of the Barr Group’s third annual global survey of 1,700 professional embedded systems designers.
Eye-opening indeed.
The Barr Group concluded that “there are potentially deadly embedded systems that are not designed with appropriate levels of care as well as systems that could be more secure. There is, thus, much work to be done in the embedded systems design community to achieve a safer and more secure world. Fortunately, a lot of what needs to be done is well understood and easy to implement; what appears to be lacking is motivation.”
I couldn’t agree more. Embedded system designers are under extreme pressure to commercialize connected IoT devices rapidly to keep pace with the tremendous growth of the market. However, we know firsthand from speaking with our customers that security is not always a priority in the development phase. In fact, not many embedded designers are experienced in the nuances of code encryption, integrity protection, and other critical software security mechanisms required to protect Internet-connected devices. It is not reasonable to expect that a very good embedded system developer is also a very good software security expert. The two disciplines don’t necessarily go hand in hand.
The recent cyberattacks on IoT devices, such as CCTV video cameras and digital video recorders, have served to heighten awareness of the vulnerabilities and public safety issues that can be caused by insecure IoT devices. The security threats are just as great in the IIoT, where critical infrastructure can be compromised. But, as the Barr Group’s survey suggests, increased awareness has not necessarily motivated the embedded developer community to consider the available state-of-the-art security mechanisms that currently exist and collaborate with security experts who know how to implement them.
Under the cloud of increasing cybersecurity threats, it is clear that a security by design approach is a necessity for any embedded system development project, whether it be for an IoT device or an Industrial IoT controller or system. The bottom line is that consumer safety is paramount.
There are several great motivational resources available for download today that will help put IoT and IIoT security into perspective: Trusted Computing Group’s Architect’s Guide: IoT Security white paper, Wibu-Systems’ Licensing and Security for the IoT white paper, and the Industrial Internet Consortium’s Industrial Internet Security Framework Technical Report. All are free to download.
Contributor
Terry Gaul
Vice President Sales USA
Terry Gaul is a sales and business development professional with extensive experience in the software and technology sectors. He has been involved with software protection and licensing technologies for more than 20 years and currently serves as Vice President of Sales at Wibu-Systems USA. When he is not helping customers with software licensing, Terry typically can be found coaching his daughters' soccer teams or camping with his family on the Maine coast.