https://www.iotworldtoday.com/wp-content/themes/ioti_child/assets/images/logo/footer-logo.png
  • Home
  • News
    • Back
    • IoT World 2020 News
  • Strategy
  • Special Reports
  • Galleries
  • Business Resources
    • Back
    • Webinars
    • White Papers
    • Industry Perspectives
    • Featured Vendors
  • Other Content
    • Back
    • IoT World 2020 News
    • Q&As
    • Case Studies
    • Features
    • How-to
    • Opinion
    • Video / Podcasts
  • More
    • Back
    • About Us
    • Contact
    • Advertise
    • Strategic Partners
  • IOT World Events
    • Back
    • Internet of Things World: San Jose
    • IoT World 2020 News
Iot World Today
  • NEWSLETTER
  • Home
  • News
    • Back
    • IoT World 2020 News
  • Strategy
  • Special Reports
  • Galleries
  • Business Resources
    • Back
    • Webinars
    • White Papers
    • Industry Perspectives
    • Featured Vendors
  • Other Content
    • Back
    • IoT World 2020 News
    • Q&As
    • Case Studies
    • Features
    • How-to
    • Opinion
    • Video / Podcasts
  • More
    • Back
    • About Us
    • Contact
    • Advertise
    • Strategic Partners
  • IOT World Events
    • Back
    • Internet of Things World: San Jose
    • IoT World 2020 News
  • newsletter
  • IIoT
  • Cities
  • Energy
  • Homes/Buildings
  • Transportation/Logistics
  • Connected Health Care
  • Retail
  • AI
  • Architecture
  • Engineering/Development
  • Security
ioti.com

Security


Image of microprocessor

Security is the Missing Factor in Embedded Devices

Specialized devices need specialized security -- and traditional solutions simply don’t cut it to keep industrial and critical embedded devices safe from attack.
  • Written by Charlie Osborne
  • 7th June 2017

The emergence of the internet of things and “smart” embedded devices has prompted the need for a completely new approach to security to keep our core services running and protected from cyberattacks.

According to Pedro Abreu, ForeScout chief strategy officer, there are many economic advantages to connecting embedded devices and IoT products to federal equipment, power grids, vehicles and buildings.

However, the use of these devices has created a grey area in security where networks are now becoming connected to antiquated security systems — or devices with no security to speak of.

Once you add an internet-connected component to a critical network, attackers are granted an avenue in which to strike. Unless security is built into the design process of devices embedded in these networks, critical infrastructure may be put at risk.

“Critical infrastructure systems need the same type of real-time monitoring for cyber issues that we have for physical issues,” Abreu told IoT World News. “For example, we have computers constantly monitoring for physical changes to the Hoover Dam, but nothing monitoring its digital network in real-time.”

IoT has grown to include everything from “smart” home lighting to doorbells. Embedded devices, mini computers found in industrial equipment, ATMs, routers, traffic lights and point-of-sale (PoS) systems, to name but a few, are also now part of this shift.

An embedded device is a small system component designed for specific purposes. Traditionally, embedded devices were “dumb” and unable to connect to the internet — but all that has begun to change.

With the development of new internet-based features, they can act as wireless sensors and networking elements for physical security; for example, as sensors which alert operators to motion at night in a corporate building.

Vendors can use these sensors to collect data for use in analytics and monitoring, such as through traffic lights to monitor congestion, or to keep track of changes in an aircraft control panel. However, embedded devices can also be used for automatic functions, such as dispensing medication through smart medical devices.

There are millions of IoT devices currently in use, with 20.8 billion projected by 2020, according to Gartner. The research agency also claims that by the same year, over half of new businesses will incorporate IoT, and protecting these devices will use up to 20% of annual security budgets.

As embedded devices and systems are highly specialized and often require tailored programming skills and specific hardware, protecting these devices is a challenging task — but if left vulnerable, the smallest components can become the avenue for attackers to take down the most critical systems.

We’ve already seen examples of infrastructure and core services being targeted. Any disruption or failures caused by such attacks can send a country into disarray.

Stuxnet, considered the world’s first “digital weapon”, is a Trojan levied against Iran’s nuclear facilities in 2009, causing centrifuges to spin out of control and break down.

In 2015, malware infected Ukraine’s power grid, bringing down the power supply of hundreds of thousands of residents. Korea Hydro and Nuclear Power in South Korea have become recent targets of state-sponsored attackers, and a German steel mill suffered “massive damage” following a cyberattack against critical components in 2014.

In order to break into these systems, attackers will use any leverage you give them — including small, embedded, low-powered sensors connected to industrial networks.

While traditional computer systems and networks have a range of security solutions to choose from, this is not the case with IoT as a whole.

Attempting to run traditional antivirus programs on devices with limited power simply won’t work, or will at least slow the device down and prevent it from performing its desired function. In many cases, embedded devices are optimized to reduce processing cycles and memory usage, and without any additional processing resources, scanning for threats is out of the question.

To make matters worse, embedded devices often run on specialized operating systems such as VxWorks, MQX, INTEGRITY, or stripped down versions of Linux. According to Gunter Ollmann, chief security officer of Vectra Networks, unless there is money to be made, security for these systems — including patch and firmware updates — simply won’t be supported.

“Until there is a profitable market for servicing these architectures, standard desktop security vendors will be absent,” Ollmann said.

However, some vendors believe that traditional security solutions are enough, and won’t go the extra mile. Ollmann says that just installing a host-based Intrusion Detection System (IDS), firewall and antivirus package is “ludicrous”, and not only is this situation “unlikely to improve” in the next decade — vendors are focusing on design elements which place security on the back burner.

“Since most want to use mobile and use wireless communication protocols, they either need to be self-powering or battery powered,” Ollmann noted. “The more sophisticated a computer system is, the more encryption required. Likewise, the longer the WiFi range, the more traffic to send/receive, means the more power is consumed. So in order to maximize power consumption, IoT designers are compromising on security.”

Dan Lyon, senior consultant at Cigital, also raised the problem of economics. Financing the investment into securing embedded devices is what he considered a “primary challenge” vendors face in their quest to “get the device to market at a reasonable price point and in a reasonable timeframe, but still provide reasonable security”.

If an industrial embedded device is compromised, the network the device is hosted by may be exposed to spoofing, manipulation or compromise. Reiner Kappenberger, global product manager at HPE Security, says there is an inherent risk when these devices “need to communicate back to public infrastructure as many do”, which in turn could lead to a jump to other core city systems.

In other words, one small sensor could pave the pathway to take down a full industrial service if strict security controls are not established.

Attempting to cross this security minefield is no easy task for developers. There have been recent attempts to establish IoT and embedded device security standards with ARM and Symantec joining forces last year to develop the Open Trust Protocol (OTrP), an architecture designed to improve the security of connected devices.

However, with so many IoT and smart embedded devices already in use, it may be a case of too little, too late.

If traditional security solutions won't work, industrial device vendors must find alternative approaches to secure their products.

Broader security approaches are required to protect the network as a whole if small components, such as embedded devices, cannot protect themselves. Data-centric methods, such as machine learning (ML), can provide the bridge between traditional security solutions, IoT, cloud and network technology.

Simon Crosby, chief technology officer at Bromium said:

“[Embedded devices] will typically not be able to store large amounts of data or do much processing, and in general, the problem isn’t really about a single device learning about its environment. Instead, the opportunity is to use ML algorithms to quickly process the input from millions of relatively dumb devices, to identify interesting patterns across them.”

As an example, the Georgia Institute of Technology was last year awarded a $9.4 million grant from DARPA to develop ways to protect low-power, embedded IoT devices, such as comparing the 'noise' issued by embedded devices in real-time to those in a database of normal operation signals. If patterns are disrupted, malware may be at play.

This could help protect embedded devices that are already in use, but vendors need to do more to play their part in protecting the core infrastructure we all rely upon.

According to Vectra Networks' Ollmann, the “vast majority”” of IoT devices the executive has studied and reverse engineered have not been secured, and “vendors had not considered how they would add or increase the units' security in the future”.

For consumers, this will not necessarily be an issue if devices will be replaced every few years, but on the industrial scale, such lackluster attention to security can be disastrous. Ollmann noted:

“For example, monitors embedded within the roads and highways for monitoring traffic, whose data is used by traffic control systems, cannot be patched or updated, and would need to be physically replaced which something that wouldn’t occur until 15-25 years of operational use has passed.”

The solution is to increase the importance of security in the product lifecycle. Analytical approaches to network security are important, but if security professionals are brought in to handle security concerns at the early stages, there will be fewer holes for attackers to exploit once products are connected to core networks.

Embedded device security will never be easy. However, increasing the importance of security in the developmental stages and using analytics to both monitor the device and protect the network it is hosted on are required to keep attackers from exploiting the low power and capabilities of embedded devices to compromise far larger — and more critical — targets.

“There is no 'one-size-fits-all' approach to protecting embedded devices,” HPE Security's Kappenberger noted. “Several elements have to work closely together to create a more trusted IoT environment. In traditional IT systems, the old style thinking has been 'If you get breached'. However, this has shifted towards 'you will be breached'. IoT devices have thought about neither of them and they need to move to the thinking that is now part of any IT organization.

“No matter how you protect there will be a breach. Protect the pieces that are most sensitive and relevant throughout the lifecycle of those elements.”

Tags: Article Embedded Computing IIoT/Manufacturing Security Strategy Technologies Vertical Industries

Related


  • HPE Edgeline Converged Edge Systems
    Converged OT and enterprise IT in a single rugged system for the edge
  • How Industrial Edge Fuels Real-Time IoT Processes
    IoT processes such as product quality control, have gained new life at the industrial edge for real-time data and response.
  • smart manufacturing
    Smart Factory Technology Upgrades: 5G, Cybersecurity Dominate
    Forrester's An expert says that smart factory technology investments while focusing on solving tangible problems.
  • IoT security
    Zero-Trust Security for IoT: Establishing Rigorous Device Defenses
    IoT security pros can benefit from zero-trust security to authenticate rogue devices that try to connect to a network. Zero trust should be the hallmark of your IoT strategy.

Leave a comment Cancel reply

-or-

Log in with your IoT World Today account

Alternatively, post a comment by completing the form below:

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Related Content

  • Emerging Edge Cloud Architecture Continues to Shake Out
  • Turning to Rust Development For IoT Performance
  • AI Ups the Ante for IoT Cybersecurity
  • How To Become A Software-Driven Car Manufacturer with an Autonomous Digital Platform

News

View all

Webex Collaboration Banks on Hybrid Workplace Model at Cisco Live 2021

2nd April 2021

Cisco Enlists Networking Automation, CX Cloud in COVID-19 Response

31st March 2021

White Papers

View all

Telehealth and COVID Infographic

30th March 2021

Medical Supply Chain Management with Smart Devices and Sensors

30th March 2021

Special Reports

View all

Cybersecurity Protection Increasingly Depends on Machine Learning

28th October 2020

Webinars

View all

Real-Time Analysis of Driver Behavior Using Machine Learning

13th May 2021

Weber’s Journey: How a Top Grill Maker Serves Up Connected Cooking

25th February 2021

Galleries

View all

Top IoT Trends to Watch in 2020

26th January 2020

Five of the Most Promising Digital Health Technologies

14th January 2020

Industry Perspectives

View all

IoT Spending Holds Firm — Tempered by Dose of ‘IoT Pragmatism’

1st December 2020

The Great IoT Connectivity Lockdown

11th May 2020

Events

View all

Embedded IoT World 2021

28th April 2021 - 29th April 2021

The Virtual Industrial AI Summit

29th June 2021 - 30th June 2021

IoT World 2021

2nd November 2021 - 4th November 2021

Twitter

IoTWorldToday, IoTWorldSeries

How Smart Environments Will Take Shape Post-COVID-19 dlvr.it/RxfPG2 https://t.co/Y6DMWxZf9S

14th April 2021
IoTWorldToday, IoTWorldSeries

IoT Enterprise Deployments Continue Apace, Despite COVID-19 dlvr.it/RxWwsS https://t.co/BSkxdf17vs

12th April 2021
IoTWorldToday, IoTWorldSeries

🥳Happy #IoTDay! How are you celebrating? We're giving $50 off All Access Passes to join our upcoming virtual event,… twitter.com/i/web/status/1…

9th April 2021
IoTWorldToday, IoTWorldSeries

🎉 Announcing #EIOTWORLD sponsor, @InnoPhaseinc — a fabless wireless semiconductor platform company specializing in… twitter.com/i/web/status/1…

8th April 2021

Newsletter

Sign up for IoT World Today newsletters: vertical industry coverage on Tuesdays and horizontal tech coverage on Thursdays.

Special Reports

Our Special Reports take an in-depth look at key topics within the IoT space. Download our latest reports.

Business Resources

Find the latest white papers and other resources from selected vendors.

Media Kit and Advertising

Want to reach our audience? Access our media kit.

DISCOVER MORE FROM INFORMA TECH

  • IoT World Series
  • Channel Futures
  • RISC-V
  • Dark Reading
  • ITPro Today
  • Web Hosting Talk

WORKING WITH US

  • Contact
  • About Us
  • Advertise
  • Login/Register

FOLLOW IoT World Today ON SOCIAL

  • Privacy
  • CCPA: “Do Not Sell My Data”
  • Cookies Policy
  • Terms
Copyright © 2021 Informa PLC. Informa PLC is registered in England and Wales with company number 8860726 whose registered and Head office is 5 Howick Place, London, SW1P 1WG.
This website uses cookies, including third party ones, to allow for analysis of how people use our website in order to improve your experience and our services. By continuing to use our website, you agree to the use of such cookies. Click here for more information on our Cookie Policy and Privacy Policy.
X