PORTLAND, Ore.—Embedded system designers today optimize mainly for performance and footprint, but with the rise of Internet-enabled devices, security has become the third leg of the embedded design process. As a result, embedded design organizations are adding security specialists who can both architect and mentor on implementing best practices to meet security requirements. This heightened focus on security in embedded systems design is expected to emerge as one of the main themes at next month's ESC Boston.
Real-time operating system (RTOS) specialist Wind River Systems Inc. (Alameda, Calif.), for instance, is collaborating with cyber-space security expert McAfee Inc. (Santa Clara, Calif.) to redefine design methodologies for embedded systems that are virtually immune to hacking. Wind River and McAfee are both owned by Intel Corp.
"For over three decades, embedded systems designers only thought about performance and footprint," said Marc Brown, vice president of tools and marketing operations at Wind River. "Today, however, security has got to be considered from the very start of any embedded design process, and there are lots of security best-practices already established."
Internet-enabled devices have already let the bad guys in to cause havoc with machine-to-machine interactions among industrial automation controllers, oil and gas process control computers and environmental sensor networks, all of which are accessible today using a range of devices including smartphones, smart meters, connected automobiles and even medical implants.
Wind River recommends four layers of security: application programming interfaces that prevent bypassing security, certified systems that detect corruption, white-listed applications that won't execute malware, and encryption and user authentication to protect data.
Many reported hacks of these devices have already accessed and damaged industrial control systems, including the Stuxnet worm, which was discovered last year at the Natanz nuclear site in Iran, where it caused damage to centrifuges enriching uranium. Stuxnet gained access to the Supervisory Control And Data Acquisition (SCADA) system, which in Iran affected only the centrifuges. But SCADA systems similarly control public utilities worldwide, and a compromise could cause untold destruction to power grids, for instance, if their security is not hardened.
Stuxnet was written by professionals, according to McAfee. But even amateurs are gaining access to embedded systems, according to Wind River, which cited a teenager in Poland who recently modified a television remote to control railway exchanges, causing at least one derailment that injured a dozen people. Likewise, a disgruntled Texas Auto Center employee was reported to have hacked a web-based system to remotely disable the starting mechanisms and sound the horns on 100 connected vehicles. And an infected laptop recently permitted entry into a water treatment plant in Harrisburg, Penn., allowing spyware to bypass security systems there.