Embedded systems gaining secure footing
R Colin Johnson
8/24/2011 1:43 PM EDT
Hardening every element of a platform
To guard against these and other new intrusions into embedded systems, every element of a platform needs to be assessed and hardened, according to Wind River—from the underlying hardware to the operating system, middleware and the applications running on top.
"The embedded devices controlling critical infrastructure are becoming increasingly intelligent—evolving from simple standalone devices to complex applications providing autonomous connected control and monitoring," said Brown. "As a result, the best approach is holistic—considering security at every layer—from the silicon and virtualization used, to the operating system, network and communication stacks, to the application layer."
Security threats introduced by faux system updates or by end-user actions—like viruses, worms, trojans and other malware—can be controlled with compartmentalization techniques that separate input-output tasks into an isolated self-testing module that can be reset and cleansed when it becomes infected, thus keeping intruders from accessing underlying control systems.
Chip firmware can support certified operating systems by using a trusted boot procedure. Virtualization can implement compartmentalization, allowing the man-machine interface to run separately from the underlying control systems, creating an impenetrable barrier to intruders. And at the application level, the expertise of cyber-experts like McAfee has moved beyond traditional black-listing of known malware, to pro-active practices like white-listing certified code and gray-listing code from trusted sources.
"In order to deliver stronger security for embedded devices, we are working with McAfee to include both white-listing of certified code and gray-listing that bases threat assessment on reputation," said Brown.
Certified run-time components like certified Linux kernels, certified hypervisors and certified RTOS like Wind River's own VxWorks, along with white- and gray-listed middleware and apps, can help ensure that running code has not been corrupted with malware. Depending on budget considerations, additional protection can also be deployed in embedded systems, such as IPsec for encrypting and authenticating IP packets, and Internet Key Exchange (IKE) for setting up security associations. Network stacks can also gain assurance from validation against the Federal Information Processing Standard (FIPS 140-2), as well as from security validation suites from Common Criteria for Information Technology Security Evaluation (ISO/IEC 15408) or Wurldtech's "Achilles" Cyber Security and Robustness Certification.
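The difference between the listing models described above, as an added sketch that is not code from the article, Wind River or McAfee: a default-allow black list is compared with a default-deny white list that falls back to a reputation-based gray list. The reputation scores, the threshold, the source names and the choice to run gray-listed code only in an isolated compartment are assumptions made for illustration.

```python
import hashlib
from typing import Dict, Optional, Set

RUN, RUN_ISOLATED, BLOCK = "run", "run_isolated", "block"

def sha256_hex(image: bytes) -> str:
    return hashlib.sha256(image).hexdigest()

def blacklist_only(image: bytes, known_bad: Set[str]) -> str:
    """Default-allow model: anything not already known bad is run."""
    return BLOCK if sha256_hex(image) in known_bad else RUN

def listed_verdict(image: bytes, source: Optional[str], certified: Set[str],
                   known_bad: Set[str], reputation: Dict[str, int],
                   threshold: int = 70) -> str:
    """Default-deny model: white list first, gray list by reputation second."""
    digest = sha256_hex(image)
    if digest in known_bad:
        return BLOCK                      # black list always wins
    if digest in certified:
        return RUN                        # exact match with a certified image
    # Gray list (assumed policy): uncertified code from a well-reputed source
    # may run, but only inside an isolated, resettable compartment.
    if source is not None and reputation.get(source, 0) >= threshold:
        return RUN_ISOLATED
    return BLOCK                          # unknown code never reaches control logic

# Constructed sample data, not real firmware or indicators.
CERTIFIED_IMAGE = b"control-loop firmware v1 (constructed sample)"
TAMPERED_IMAGE = CERTIFIED_IMAGE + b"\x90"   # one appended byte changes the digest
KNOWN_MALWARE = b"known worm (constructed sample)"
CERTIFIED = {sha256_hex(CERTIFIED_IMAGE)}
KNOWN_BAD = {sha256_hex(KNOWN_MALWARE)}
REPUTATION = {"vendor-a.example": 90, "mirror-b.example": 20}

def demo() -> Dict[str, str]:
    def check(image: bytes, source: Optional[str]) -> str:
        return listed_verdict(image, source, CERTIFIED, KNOWN_BAD, REPUTATION)
    return {
        "blacklist_only/tampered": blacklist_only(TAMPERED_IMAGE, KNOWN_BAD),
        "listed/certified": check(CERTIFIED_IMAGE, None),
        "listed/tampered_unknown_source": check(TAMPERED_IMAGE, None),
        "listed/tampered_reputable_source": check(TAMPERED_IMAGE, "vendor-a.example"),
        "listed/tampered_low_reputation": check(TAMPERED_IMAGE, "mirror-b.example"),
        "listed/malware_reputable_source": check(KNOWN_MALWARE, "vendor-a.example"),
    }

if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case}: {verdict}")
```

The tampered image passes the black list because its digest has never been seen before, while the white list rejects it for the same reason.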
Security will be among the featured themes of ESC Boston, the East Coast edition of the embedded systems arena's big twice-yearly event, set to take place Sept. 26 through 29 at the Hynes Convention Center. The event will feature a technical track on safety and security as well as a keynote address on embedded security by Joerg Borchert, vice president of chip card and security ICs at Infineon Technologies North America.

LarryM99
8/24/2011 10:13 PM EDT
Years ago we worked with a vendor of credit card authorization boxes, the kind used by retail outlets. They not only hardened against the kind of weaknesses described here, but also guarded against cracking open the case and externally sensing credit card numbers or PINs. Embedded systems may also require physical security guards.
Larry M.
Dave.Dykstra
8/27/2011 5:32 PM EDT
Larry is absolutely right. But at least recognizing that there is a security issue and taking action to do something about it is a step in the right direction. Hopefully we'll see more rigorous steps soon.
Sanjib.Acharya
8/29/2011 1:15 PM EDT
The recent incident of security breach into the control and SCADA system was an eye opener for the PLC/DCS and SCADA system companies. I think nobody imagined that their control system could be hacked and the PLCs will be commanded by the hacker's logic configuration. Definitely, security will be the hot topic for the embedded system engineers going forward.
intel_chris
8/31/2011 1:07 AM EDT
As the article shows, securing embedded designs is an important activity. Hacking of these systems which were traditionally insecure is becoming more pervasive. There are resources available for developers and designers at the Intel Embedded Community: http://bit.ly/o0EJnb (Disclaimer, I work for Intel in the Embedded Communications Group.)