Key Strategies for Embedded Systems Security

Miguel Perez Miguel Perez, OEM Product Manager, Digi International
January 20, 2023

Hardware engineers are often experts at designing connected products within electrical and RF constraints to meet the requirements posed by the CE mark, the FCC, and other regional and international certification bodies. Embedded systems security, however, is a separate discipline and closely tied to new device designs, requiring not only advanced knowledge of how to mitigate security vulnerabilities in system design, but the ability to manage new and emerging threats as they occur. 

Today, managing cybersecurity threats is critical in the full lifecycle of connected products — and cyber safety has therefore become as important as electrical or RF safety as a best practice.

In this article, we outline what’s changed around cybersecurity for embedded products, why there is little time left to respond to new regulations, and why engineers should consider a comprehensive solution to manage the challenge. The clock is ticking already!

What Is Embedded Systems Security?

Embedded systems bug concept

Connected devices are equipped with embedded computing systems that allow them to run independently. They are often deployed outside of traditional network infrastructures protected with firewalls and other security tools, which means having integrated security features is critical. Embedded systems security is the holistic result of physical security measures as well as software and programming in a device’s integrated system.

These security measures may include, among others:

  • Physical protection and surveillance to prevent access to connected devices.
  • Encryption on data stores to prevent unauthorized access to protected information.
  • Robust communication security protocols and authentication features that control access and device connections.
  • Proactive and automated firmware and operating system updates to keep devices secure.
  • Relentless monitoring and analysis of endless new vulnerabilities and exposures.

Ultimately, these measures should eliminate and remediate known weaknesses and protect a connected device’s hardware, software, and network links from unauthorized access. Embedded systems are comprised of a combination of compute resources and integrated software designed to carry out a specific function. A key challenge for developers and end users is that there are constraints — including limited memory and storage — that make it difficult to design in embedded security features that will work in the field for the complete lifetime of the product, bearing in mind the overwhelming number of new threats that incessantly emerge nowadays.

Embedded Systems Security: A Fast-moving Target

Hitting the target image

There is arguably a perception in the broader embedded devices market that designing for cybersecurity is good practice — but that cybersecurity is not as critical as electrical safety and electromagnetic compatibility, or that it is a problem left to the end-device customer. There are exceptions, such as medical devices, where cybersecurity has been at the front and center for recent years. Transactional systems such as ATM and lottery machines have also required robust embedded security for some time, though the moving target of evolving threats has made it difficult, in practice, for these systems to maintain resilient security over time.

To meet future requirements and provide more marketable products that are not at risk out of the box, OEMs building wireless products across all vertical industries will need to address cyberthreats with hardened devices, embedded cybersecurity technology, and ongoing monitoring and remediation.

Embedded Systems Security Vulnerabilities

Examining bits and bytes image

Attack strategies that can impact security in embedded devices are broad, unpredictable, and growing. These threats run the gamut from extortion of money and intellectual property through phishing, distribution of malware, tampering with the function of connected systems such as vehicles, and even instigating an infrastructure collapse, for instance, temporarily affecting power or potable water supply.

Successful attacks may rely on just one insecure system crack and that entry point could be the most innocuous embedded component. So, how do hackers exploit operating system vulnerabilities?

There are many forms in which these attacks can be administered: 

  • Denial-of-service (DoS) attacks
  • Denial-of-sleep (DoSL) attacks
  • Application-based intrusions
  • Physical tampering
  • Brute-force attacks
  • Digital eavesdropping
  • Privilege escalation attacks

Let’s talk about strategies for addressing cyberthreats in embedded designs.

Tips to Strengthen Embedded Systems Security

Embedded security concept image

The first key to thwarting tampering in computer security is to identify potential vulnerabilities. For example:

  • Device theft is one way cybercriminals access improperly secured data.
  • Out-of-date operating systems can leave device settings and functions vulnerable to attack or the injection of malicious code.
  •  Outdated hardware components can increase the risk of unauthorized access to protected networks, which not only puts data from local devices at risk but also your entire data and IT infrastructure.
  • Poorly secured applications on embedded devices can allow access to encrypted data that wouldn’t normally be accessible to unauthorized users. Likewise, malware could escalate in privileges, monopolizing computing resources until leaving said devices completely unusable.

The next step is to build in the ability to manage new and emerging threats. Some best practices include:

  • Restrict how devices access critical systems: With a secure embedded system-on-module, you can adopt enterprise-grade encryption to secure all your IoT device connectivity. Using these integrated building blocks also simplifies software development while still supporting custom applications.
  • Follow industry best practices for embedded systems design: To avoid design security issues in hardware and software on IoT devices, organizations should prioritize long-term resilience and simplify device management by following industry best practices for embedded design principles.
  • Implement digitally secure firmware updates: Organizations can implement over-the-air (OTA) firmware updates for remote devices already deployed in the field via secure network connections. Embedded devices must be able to receive, load and authenticate factory-signed update images before replacing the current version.
  • Prevent stack or buffer overflow in embedded software: Cybercriminals can try to take advantage of the limited memory and storage in embedded systems, using stack or buffer overflows to forcibly replace executable code with malicious viruses or files. You can protect embedded systems from these attacks by integrating processors that must authenticate any code interacting with hardware at runtime.

Preparing for New Embedded Systems Security Regulations

Compliance and regulations image

Industry and government are catching up to the aggregate risk picture. That includes supervisory bodies around the world who are steadily introducing cybersecurity regulations to apply to embedded and connected IoT devices.

New regulations from General Data Protection Regulation (GDPR), Radio Equipment Directive (RED) for cybersecurity, National Institute of Standards and Technology (NIST), and others are a step shift away from the typical EMC or safety standards engineers are used to. 

For example, in the EU, Article 3.3 clauses (d), (e), and (f) of the RED contain a range of non-electrical safety measures aimed at embedded hardware and software cybersecurity. All three articles come into force in August 2024 and products released after that date will need to be compliant.

The challenge in complying with the new regulation is two-fold. First, whereas RF and electrical safety regulations typically involve clear specifications that a hardware engineer can test and measure with lab equipment, cybersecurity practices can be much harder to pin down to design specifications. This is in part because the regulations don’t necessarily tell you exactly which steps or security best practices to employ, and in part due to the sheer number of attack strategies — and they will continually emerge.

The second challenge in complying with specific embedded cybersecurity regulation is the accelerated pace of change. Regulation is coming into place so fast and new threats appear so quickly that engineers are struggling to adapt within the confines of set production cycles that can easily be five years, with finished and tested products that can remain in use for decades. 

Managing the Changing Requirements for Embedded Device Security

Embedded developer team image

Engineers that are used to picking components based on a spec list can find cybersecurity a fresh challenge because it can be difficult to determine exactly what’s required from hardware vendors. That said, on-chip hardware and software security features are established as must-haves. Think about secure boot, digital signatures, protected ports, tamper detection, and encryption, for example.

How can embedded designs adapt to a changing cybersecurity landscape? One key is the ability to actively manage devices once they’re deployed, including updating core firmware functionality remotely when needed in a controlled and planned manner.

That means connecting devices to a flexible yet robust cloud platform for monitoring as well as establishing the ability to push device updates over the air to rapidly address novel security threats — as well as any bug fixes, enhancements in functionality or performance. 

Large manufacturers can design online portals to accomplish these goals and can also afford to maintain them — and some have already done so. It is, however, intensive to set up and run and product developers can struggle to make a start.

How the Digi ConnectCore Ecosystem Can Help

Digi ConnectCore Security Services badgeAt Digi we’ve been at the forefront of embedded systems security for many years. And we are continually innovating new methodologies and services to support OEMs in delivering ongoing comprehensive cybersecurity safety for embedded devices.

The Digi ConnectCore ecosystem of wireless and wired embedded system-on-modules offers an integrated solution for embedded device security — enabling developers to not only incorporate best practices in embedded systems security during the design phase, but to monitor device behavior and security threats in deployed devices and roll out firmware updates at any time to respond to fresh cybersecurity challenges.

Digi ConnectCore® Security Services are a collection of services and tools that enable customers to maintain the security of devices during their entire product lifecycle. This ensures customers can solve the ongoing challenge of keeping products secure after their products are released.

These services enable the analysis and monitoring of a custom software bill of material (SBOM) and binary image, running on Digi ConnectCore SOMs, for security risks and vulnerabilities. To help remediate identified issues, the services include a curated vulnerability report highlighting critical issues, a security software layer including patches for common vulnerabilities and consulting services.

Design, Build, Go to Market… and Support a Secure Product Lifecycle

The embedded security lifecycle

New embedded security requirements and emerging cybersecurity risks require a solution-driven approach that augments OEM design skills with a third-party security solution that drives cybersecurity at the product design level, and throughout the lifetime of the product.

Turn to Digi’s robust embedded systems and ongoing security monitoring and management to safeguard your embedded systems now and for the future. 

Next Steps

 

Watch Our Recorded Interview
Learn about rapidly integrating voice control in embedded designs

Related Content

The Latest Developments in IoT Device Security The Latest Developments in IoT Device Security Staying on top of governmental regulations can be a challenging task for any business, particularly for organizations that... RECORDED WEBINAR Embedded Systems Cybersecurity Regulations: How Legislation Is Responding to Security Threats Embedded Systems Cybersecurity Regulations: How Legislation Is Responding to Security Threats Embedded system cybersecurity laws are emerging that require developers of products with connected products to fully integrate... READ BLOG Embedded System Security, Lifecycle Management and Recurring Revenue Embedded System Security, Lifecycle Management and Recurring Revenue Developers of embedded systems are increasingly being expected to provide integrated and ongoing cybersecurity management with... WATCH VIDEO Designing Secure, Compliant Medical Devices with Digi ConnectCore Solutions Designing Secure, Compliant Medical Devices with Digi ConnectCore Solutions Today, medical device manufacturers are facing new regulations that require built-in cybersecurity as well as ongoing security... WATCH VIDEO Digi ConnectCore Cloud Services Digi ConnectCore Cloud Services The world of IoT is changing, and today OEMs building connected products are expected to build in the capability to perform... WATCH VIDEO Digi ConnectCore Security Services Digi ConnectCore Security Services The Digi ConnectCore® ecosystem of system-on-modules, tools, libraries and services enables rapid development of commercial... WATCH VIDEO Unboxing the World’s Smallest System-on-Module: Digi ConnectCore MP157 Dev Kit Unboxing the World’s Smallest System-on-Module: Digi ConnectCore MP157 Dev Kit Getting ready to prototype your next connected product? The Digi ConnectCore® platform of developer building blocks, tools, and... WATCH VIDEO Digi ConnectCore 93: The Next Generation Digi ConnectCore 93: The Next Generation Digi ConnectCore® 93 is the first system-on-module in the next generation of Digi ConnectCore solutions — the Digi ConnectCore... WATCH VIDEO Emerging Medical Device Cybersecurity Legislation Emerging Medical Device Cybersecurity Legislation Today governments are making a more proactive move from best practice guidance to enforcement by turning that guidance into law. VIEW PDF Digi ConnectCore: Complete OEM Platform Digi ConnectCore: Complete OEM Platform The Digi ConnectCore® OEM platform is a complete solution suite of embedded modules, developer tools and services designed to... WATCH VIDEO Embedded Market Opportunities for OEMs in the EV Charging Industry Embedded Market Opportunities for OEMs in the EV Charging Industry The electrical vehicle charging market is exploding today, due to the ongoing development of the infrastructure network to... RECORDED WEBINAR Press Release Digi International Launches Digi ConnectCore® Services, Offering Software Foundation that Enables Manageability and Security of Digi ConnectCore Family of SOMs READ PRESS RELEASE Digi Embedded Yocto 4.0-r1 LTS Announcement Digi Embedded Yocto 4.0-r1 LTS Announcement In this blog post we will highlight the latest updates and improvements in DEY 4.0-r1 LTS. We invite you to discover the most... READ BLOG System-on-Modules System-on-Modules Best-in-class, secure, reliable embedded SOM solution with integrated wireless connectivity VIEW PRODUCTS EV Charging Station Design – OEM Market Opportunity and Solutions EV Charging Station Design – OEM Market Opportunity and Solutions The electric vehicle market is growing rapidly, which means there is a huge need for EV charging stations. OEMs and independent... READ BLOG Digi ConnectCore 8 Family Digi ConnectCore 8 Family Module Choices, Compatibility and Easy Scalability VIEW PDF Digi Wireless Design Services Digi Wireless Design Services Design and Engineering Services for Product Development VIEW PDF Three Ways to Accelerate Wireless Design Certification Three Ways to Accelerate Wireless Design Certification It’s time to build your prototype and get your product into production, right? Yes, but first you want to think about... READ BLOG Build vs Buy: Navigating the Choice Build vs Buy: Navigating the Choice In this white paper, we help you to evaluate the best way to optimize your IP and make the right build-vs.-buy decision to meet your goals. VIEW PDF Digi ConnectCore for Healthcare Applications Digi ConnectCore for Healthcare Applications Making Connected Healthcare a Reality for Clinics, Hospitals and Homes VIEW PDF