Security in Edge Embedded devices

Security in Edge embedded devices

All devices are today connected and the days with devices with no connection to outside world are gone. Devices are having IP -address and whenever they have connection to any network they will be connected. This is true for small devices equipped with MCU (Micro Controller Unit) and CPU (Central Processing Unit). Also, you can connect the devices locally with example via ports like USB. Companies who are doing simple devices like intelligent lamps, switches, basic security cameras etc. need to take security seriously and have devices protected. Same goes for all possible embedded devices in automation, medical, prosumer and wide range of professional devices. The most common breaches for devices are still the standard passwords left in the place like user “admin” and password “1234”. The other common way is happening via open ports in devices like physical interfaces or virtual ports or backdoors. So, end of the day it is usually the human neglecting to change the password or in other ways revealing the information to non-authorized parties.

Why the security is important?

It is expensive to have the breach in your systems. Patching devices later is costly and having major impact in the business. Devices can be located all around in the world and the OTA (Over the Air) updates may not have been implemented. Example hijacked security cameras have been used for DoS (Denial of Service) attacks where millions of cameras have been used to prevent a service. In worst case some devices are starting to malfunction and will cause physical harm to people. This can lead to extensive costs in compensation of damage and permanent damage to the company’s reputation. We have already seen companies to go bankrupt due to the security breach. Therefore, companies need to take security very seriously and need to plan that already early in design phase.

How to build device secure?

One good way is to follow security standards like IEC 62443 which is for industrial IoT devices.

Quote from NXP:

“Cybersecurity for industrial IoT systems based on best practices for the technology, processes, and users of these systems. Implementing these standards can prevent attacks or mitigate their effects. IEC 62443 defines requirements and processes for implementing and maintaining electronically secure industrial automation and control systems

Each step up in security level is needed to protect against more sophisticated threats with greater resources and greater motivation to compromise the system. In this context, developers evaluate what they are protecting, and who they are protecting it from to determine the appropriate security level.”

What you can do?

Good way to start is to use so called fuses which will be burned in the device and allowing it only to run the authorized software. The other important thing are cryptographic keys created with algorithm. It is like a lock, so you need to have matching key to open the device for doing some changes. You can also have TPM (Trusted Platform Module) chip on your system which is securing your system. TPM is today example necessary if you want to run latest windows 11 operating system. Other important point is having the communication between embedded device and external world to be only by authorization and secure.

Operating system is playing big part

As there is software running on the device the software also should have as little attack surface as possible. So, build no unnecessary communication channels or services which can make the device more vulnerable. For this reason, is not good idea to run full Linux distribution or Windows image in the embedded system. Also, the internal communication and memory of the device must be protected with encryption. Making sure that you can make secure OTA updates is also highly recommend so that you are able to patch devices when needed.

Where to start with

1. Select the trusted vendors who can offer the secure solutions from hardware level
2. Discuss with people who knows how in practice knows how to build secure devices
3. Define your strategy for cyber security during the whole life cycle of the product
4. Follow the industry security standards
5. Audit yours and your supplier’s security
6. Continuously monitor the security situation and update your standards and systems
7. Keep learning about the latest threats and follow key players in the market

You do not want to be in the situation like very many people and companies have been. Extorted by cyber criminals, reputation loss due to the damage of the company and its services, huge compensation payments to victims of your products etc.

As the final quote I would emphasize that security starts from design. It is vitally important to start thing the security from beginning. Better to be safe than sorry.