Iot World Today

Security is the Missing Factor in Embedded Devices

Specialized devices need specialized security -- and traditional solutions simply don’t cut it to keep industrial and critical embedded devices safe from attack.
  • Written by Charlie Osborne
  • 7th June 2017

The emergence of the internet of things and “smart” embedded devices has prompted the need for a completely new approach to security to keep our core services running and protected from cyberattacks.

According to Pedro Abreu, ForeScout chief strategy officer, there are many economic advantages to connecting embedded devices and IoT products to federal equipment, power grids, vehicles and buildings.

However, the use of these devices has created a grey area in security where networks are now becoming connected to antiquated security systems — or devices with no security to speak of.

Once you add an internet-connected component to a critical network, attackers are granted an avenue in which to strike. Unless security is built into the design process of devices embedded in these networks, critical infrastructure may be put at risk.

“Critical infrastructure systems need the same type of real-time monitoring for cyber issues that we have for physical issues,” Abreu told IoT World News. “For example, we have computers constantly monitoring for physical changes to the Hoover Dam, but nothing monitoring its digital network in real-time.”

IoT has grown to include everything from “smart” home lighting to doorbells. Embedded devices, mini computers found in industrial equipment, ATMs, routers, traffic lights and point-of-sale (PoS) systems, to name but a few, are also now part of this shift.

An embedded device is a small system component designed for specific purposes. Traditionally, embedded devices were “dumb” and unable to connect to the internet — but all that has begun to change.

With the development of new internet-based features, they can act as wireless sensors and networking elements for physical security; for example, as sensors which alert operators to motion at night in a corporate building.

Vendors can use these sensors to collect data for use in analytics and monitoring, such as through traffic lights to monitor congestion, or to keep track of changes in an aircraft control panel. However, embedded devices can also be used for automatic functions, such as dispensing medication through smart medical devices.

There are millions of IoT devices currently in use, with 20.8 billion projected by 2020, according to Gartner. The research agency also claims that by the same year, over half of new businesses will incorporate IoT, and protecting these devices will use up to 20% of annual security budgets.

As embedded devices and systems are highly specialized and often require tailored programming skills and specific hardware, protecting these devices is a challenging task — but if left vulnerable, the smallest components can become the avenue for attackers to take down the most critical systems.

We’ve already seen examples of infrastructure and core services being targeted. Any disruption or failures caused by such attacks can send a country into disarray.

Stuxnet, considered the world’s first “digital weapon”, is a Trojan that was leveled against Iran’s nuclear facilities in 2009, causing centrifuges to spin out of control and break down.

In 2015, malware infected Ukraine’s power grid, bringing down the power supply of hundreds of thousands of residents. Korea Hydro and Nuclear Power in South Korea has become a recent target of state-sponsored attackers, and a German steel mill suffered “massive damage” following a cyberattack against critical components in 2014.

In order to break into these systems, attackers will use any leverage you give them — including small, embedded, low-powered sensors connected to industrial networks.

While traditional computer systems and networks have a range of security solutions to choose from, this is not the case with IoT as a whole.

Attempting to run traditional antivirus programs on devices with limited power simply won’t work, or will at least slow the device down and prevent it from performing its desired function. In many cases, embedded devices are optimized to reduce processing cycles and memory usage, and without any additional processing resources, scanning for threats is out of the question.

To make matters worse, embedded devices often run on specialized operating systems such as VxWorks, MQX, INTEGRITY, or stripped down versions of Linux. According to Gunter Ollmann, chief security officer of Vectra Networks, unless there is money to be made, security for these systems — including patch and firmware updates — simply won’t be supported.

“Until there is a profitable market for servicing these architectures, standard desktop security vendors will be absent,” Ollmann said.

However, some vendors believe that traditional security solutions are enough, and won’t go the extra mile. Ollmann says that just installing a host-based Intrusion Detection System (IDS), firewall and antivirus package is “ludicrous”, and not only is this situation “unlikely to improve” in the next decade, but vendors are also focusing on design elements which place security on the back burner.

“Since most want to use mobile and use wireless communication protocols, they either need to be self-powering or battery powered,” Ollmann noted. “The more sophisticated a computer system is, the more encryption required. Likewise, the longer the WiFi range, the more traffic to send/receive, means the more power is consumed. So in order to maximize power consumption, IoT designers are compromising on security.”

Dan Lyon, senior consultant at Cigital, also raised the problem of economics. Financing the investment into securing embedded devices is what he considered a “primary challenge” vendors face in their quest to “get the device to market at a reasonable price point and in a reasonable timeframe, but still provide reasonable security”.

If an industrial embedded device is compromised, the network hosting the device may be exposed to spoofing, manipulation or compromise. Reiner Kappenberger, global product manager at HPE Security, says there is an inherent risk when these devices “need to communicate back to public infrastructure as many do”, which in turn could lead to a jump to other core city systems.

In other words, one small sensor could pave the pathway to take down a full industrial service if strict security controls are not established.

Attempting to cross this security minefield is no easy task for developers. There have been recent attempts to establish IoT and embedded device security standards with ARM and Symantec joining forces last year to develop the Open Trust Protocol (OTrP), an architecture designed to improve the security of connected devices.

However, with so many IoT and smart embedded devices already in use, it may be a case of too little, too late.

If traditional security solutions won't work, industrial device vendors must find alternative approaches to secure their products.

Broader security approaches are required to protect the network as a whole if small components, such as embedded devices, cannot protect themselves. Data-centric methods, such as machine learning (ML), can provide the bridge between traditional security solutions, IoT, cloud and network technology.

Simon Crosby, chief technology officer at Bromium, said:

“[Embedded devices] will typically not be able to store large amounts of data or do much processing, and in general, the problem isn’t really about a single device learning about its environment. Instead, the opportunity is to use ML algorithms to quickly process the input from millions of relatively dumb devices, to identify interesting patterns across them.”

As an example, the Georgia Institute of Technology was last year awarded a $9.4 million grant from DARPA to develop ways to protect low-power, embedded IoT devices, such as comparing the 'noise' issued by embedded devices in real-time to those in a database of normal operation signals. If patterns are disrupted, malware may be at play.

This could help protect embedded devices that are already in use, but vendors need to do more to play their part in protecting the core infrastructure we all rely upon.

According to Vectra Networks' Ollmann, the “vast majority” of IoT devices the executive has studied and reverse engineered have not been secured, and “vendors had not considered how they would add or increase the units' security in the future”.

For consumers, this will not necessarily be an issue if devices will be replaced every few years, but on the industrial scale, such lackluster attention to security can be disastrous. Ollmann noted:

“For example, monitors embedded within the roads and highways for monitoring traffic, whose data is used by traffic control systems, cannot be patched or updated, and would need to be physically replaced, which is something that wouldn’t occur until 15-25 years of operational use has passed.”

The solution is to increase the importance of security in the product lifecycle. Analytical approaches to network security are important, but if security professionals are brought in to handle security concerns at the early stages, there will be fewer holes for attackers to exploit once products are connected to core networks.

Embedded device security will never be easy. However, increasing the importance of security in the developmental stages and using analytics to both monitor the device and protect the network it is hosted on are required to keep attackers from exploiting the low power and capabilities of embedded devices to compromise far larger — and more critical — targets.

“There is no 'one-size-fits-all' approach to protecting embedded devices,” HPE Security's Kappenberger noted. “Several elements have to work closely together to create a more trusted IoT environment. In traditional IT systems, the old style thinking has been 'If you get breached'. However, this has shifted towards 'you will be breached'. IoT devices have thought about neither of them and they need to move to the thinking that is now part of any IT organization.

“No matter how you protect there will be a breach. Protect the pieces that are most sensitive and relevant throughout the lifecycle of those elements.”
