Security is the Missing Factor in Embedded Devices

The emergence of the internet of things and “smart” embedded devices has prompted the need for a completely new approach to security to keep our core services running and protected from cyberattacks.

According to Pedro Abreu, ForeScout chief strategy officer, there are many economic advantages to connecting embedded devices and IoT products to federal equipment, power grids, vehicles and buildings.

However, the use of these devices has created a grey area in security where networks are now becoming connected to antiquated security systems — or devices with no security to speak of.

Once you add an internet-connected component to a critical network, attackers are granted an avenue in which to strike. Unless security is built into the design process of devices embedded in these networks, critical infrastructure may be put at risk.

“Critical infrastructure systems need the same type of real-time monitoring for cyber issues that we have for physical issues,” Abreu told IoT World News. “For example, we have computers constantly monitoring for physical changes to the Hoover Dam, but nothing monitoring its digital network in real-time.”

IoT has grown to include everything from “smart” home lighting to doorbells. Embedded devices, mini computers found in industrial equipment, ATMs, routers, traffic lights and point-of-sale (PoS) systems, to name but a few, are also now part of this shift.

An embedded device is a small system component designed for specific purposes. Traditionally, embedded devices were “dumb” and unable to connect to the internet — but all that has begun to change.

With the development of new internet-based features, they can act as wireless sensors and networking elements for physical security; for example, as sensors which alert operators to motion at night in a corporate building.

Vendors can use these sensors to collect data for use in analytics and monitoring, such as through traffic lights to monitor congestion, or to keep track of changes in an aircraft control panel. However, embedded devices can also be used for automatic functions, such as dispensing medication through smart medical devices.

There are millions of IoT devices currently in use, with 20.8 billion projected by 2020, according to Gartner. The research agency also claims that by the same year, over half of new businesses will incorporate IoT, and protecting these devices will use up to 20% of annual security budgets.

As embedded devices and systems are highly specialized and often require tailored programming skills and specific hardware, protecting these devices is a challenging task — but if left vulnerable, the smallest components can become the avenue for attackers to take down the most critical systems.

We’ve already seen examples of infrastructure and core services being targeted. Any disruption or failures caused by such attacks can send a country into disarray.

Stuxnet, considered the world’s first “digital weapon”, is a Trojan levied against Iran’s nuclear facilities in 2009, causing centrifuges to spin out of control and break down.

In 2015, malware infected Ukraine’s power grid, bringing down the power supply of hundreds of thousands of residents. Korea Hydro and Nuclear Power in South Korea have become recent targets of state-sponsored attackers, and a German steel mill suffered “massive damage” following a cyberattack against critical components in 2014.

In order to break into these systems, attackers will use any leverage you give them — including small, embedded, low-powered sensors connected to industrial networks.

While traditional computer systems and networks have a range of security solutions to choose from, this is not the case with IoT as a whole.

Attempting to run traditional antivirus programs on devices with limited power simply won’t work, or will at least slow the device down and prevent it from performing its desired function. In many cases, embedded devices are optimized to reduce processing cycles and memory usage, and without any additional processing resources, scanning for threats is out of the question.

To make matters worse, embedded devices often run on specialized operating systems such as VxWorks, MQX, INTEGRITY, or stripped down versions of Linux. According to Gunter Ollmann, chief security officer of Vectra Networks, unless there is money to be made, security for these systems — including patch and firmware updates — simply won’t be supported.

“Until there is a profitable market for servicing these architectures, standard desktop security vendors will be absent,” Ollmann said.

However, some vendors believe that traditional security solutions are enough, and won’t go the extra mile. Ollmann says that just installing a host-based Intrusion Detection System (IDS), firewall and antivirus package is “ludicrous”, and not only is this situation “unlikely to improve” in the next decade — vendors are focusing on design elements which place security on the back burner.

“Since most want to use mobile and use wireless communication protocols, they either need to be self-powering or battery powered,” Ollmann noted. “The more sophisticated a computer system is, the more encryption required. Likewise, the longer the WiFi range, the more traffic to send/receive, means the more power is consumed. So in order to maximize power consumption, IoT designers are compromising on security.”

Dan Lyon, senior consultant at Cigital, also raised the problem of economics. Financing the investment into securing embedded devices is what he considered a “primary challenge” vendors face in their quest to “get the device to market at a reasonable price point and in a reasonable timeframe, but still provide reasonable security”.

If an industrial embedded device is compromised, the network the device is hosted by may be exposed to spoofing, manipulation or compromise. Reiner Kappenberger, global product manager at HPE Security, says there is an inherent risk when these devices “need to communicate back to public infrastructure as many do”, which in turn could lead to a jump to other core city systems.

In other words, one small sensor could pave the pathway to take down a full industrial service if strict security controls are not established.

Attempting to cross this security minefield is no easy task for developers. There have been recent attempts to establish IoT and embedded device security standards with ARM and Symantec joining forces last year to develop the Open Trust Protocol (OTrP), an architecture designed to improve the security of connected devices.

However, with so many IoT and smart embedded devices already in use, it may be a case of too little, too late.

If traditional security solutions won't work, industrial device vendors must find alternative approaches to secure their products.

Broader security approaches are required to protect the network as a whole if small components, such as embedded devices, cannot protect themselves. Data-centric methods, such as machine learning (ML), can provide the bridge between traditional security solutions, IoT, cloud and network technology.

Simon Crosby, chief technology officer at Bromium said:

“[Embedded devices] will typically not be able to store large amounts of data or do much processing, and in general, the problem isn’t really about a single device learning about its environment. Instead, the opportunity is to use ML algorithms to quickly process the input from millions of relatively dumb devices, to identify interesting patterns across them.”

As an example, the Georgia Institute of Technology was last year awarded a $9.4 million grant from DARPA to develop ways to protect low-power, embedded IoT devices, such as comparing the 'noise' issued by embedded devices in real-time to those in a database of normal operation signals. If patterns are disrupted, malware may be at play.

This could help protect embedded devices that are already in use, but vendors need to do more to play their part in protecting the core infrastructure we all rely upon.

According to Vectra Networks' Ollmann, the “vast majority”” of IoT devices the executive has studied and reverse engineered have not been secured, and “vendors had not considered how they would add or increase the units' security in the future”.

For consumers, this will not necessarily be an issue if devices will be replaced every few years, but on the industrial scale, such lackluster attention to security can be disastrous. Ollmann noted:

“For example, monitors embedded within the roads and highways for monitoring traffic, whose data is used by traffic control systems, cannot be patched or updated, and would need to be physically replaced which something that wouldn’t occur until 15-25 years of operational use has passed.”

The solution is to increase the importance of security in the product lifecycle. Analytical approaches to network security are important, but if security professionals are brought in to handle security concerns at the early stages, there will be fewer holes for attackers to exploit once products are connected to core networks.

Embedded device security will never be easy. However, increasing the importance of security in the developmental stages and using analytics to both monitor the device and protect the network it is hosted on are required to keep attackers from exploiting the low power and capabilities of embedded devices to compromise far larger — and more critical — targets.

“There is no 'one-size-fits-all' approach to protecting embedded devices,” HPE Security's Kappenberger noted. “Several elements have to work closely together to create a more trusted IoT environment. In traditional IT systems, the old style thinking has been 'If you get breached'. However, this has shifted towards 'you will be breached'. IoT devices have thought about neither of them and they need to move to the thinking that is now part of any IT organization.

“No matter how you protect there will be a breach. Protect the pieces that are most sensitive and relevant throughout the lifecycle of those elements.”