Secure Embedded Systems in Industrial Settings
by Embedded Office
Special risks & security needs in small microcontrollers
In this article, we will review the various security challenges and topics faced by embedded systems in industrial settings with a particular focus on small microcontrollers. Due to their relatively limited processing power and very limited resources regarding RAM and flash memory, these tiny chips may be susceptible to additional security risks.
Although small microcontrollers are characteristically limited in specification and features compared with their larger and more powerful counterparts, they nonetheless need to be secure. Some experts would advocate security levels similar to those typically deployed on computer servers, if that were technically achievable and economically feasible. Such robust levels of security require processor overhead and therefore put upward pressure on costs. Manufacturers are likely, therefore, to rely on research and development to achieve a balance and deliver timely, efficient and reliable solutions.
However, other pressures and dynamics have been at work over recent years within the industry. The Internet of Things (IoT or Industrie 4.0 in German) looks set to continue extending its reach to larger residential buildings and households. Already a central part of the public infrastructure, IoT microcontrollers and embedded code form part of essential systems in highly sensitive areas such as hospitals, power stations, water treatment, communication and transport.
Given the opposing requirements of enhanced security specifications versus competitive costs and market price points, is there a satisfactory middle ground? Moreover, if so, which solutions will be sufficiently safe and secure?
Threats and vulnerabilities
Clearly, embedded hardware systems are as susceptible to security threats as larger systems are — whether widely networked, connected locally or simply stand-alone. Cyber attacks and their disruptive consequences have featured in alarming news reports: in Germany, hackers perpetrated a distributed denial of service (DDoS) attack against Telekom in autumn 2016. Although a relatively primitive digital onslaught, its devastating effects compromised around 900,000 routers.
Similarly, in May 2017, an international cyber attack caused a widespread commotion and significant system downtime in some countries. Within the UK, various hospital accident and emergency departments were forced to close. Their laboratory analysis and information systems were crippled, while inundated doctors had little choice other than to resort to full medical examinations and handwritten prescriptions for the most pressing cases.
Of a more advanced calibre, the Stuxnet computer worm managed to manipulate programmable logic controllers (PLCs). First detected in 2010 and spread primarily by USB sticks, this malware even managed to infect stand-alone local networks and control systems not connected to the Internet. Once inside, the virus propagated and targeted small Siemens PLCs in manufacturing automation, chemical plants, oil pipelines and refineries. According to conspiracy theorists and conjecture from relatively credible sources, the malware could have deliberately wreaked destruction in the uranium enrichment nuclear plant at Bushehr in Iran. The worm exploited multiple zero-day vulnerabilities and sabotaged infected hosts.
Long before the advent of the IoT, industrial manufacturers and hardware and software buyers realised the need to guarantee safety and security through standards and certifications. Nowadays, this clearly applies to the world of microcontrollers. Might these attacks attempt to exploit Achilles’ heels in small but critical systems? Unfortunately, it may already be simply a question of when, now that microprocessors have evolved into multiprocessors with databases and application programming interfaces (APIs).
Let us consider an example of electric passenger trains, where motor logic controllers and steppers manage acceleration and regenerative braking. Even if mechanical brakes act as a safeguard against uncontrolled acceleration, these safety back-ups would probably not prevent sudden and disproportionate braking if a motor controller were programmed maliciously.
To prevent injuries to passengers and damage to such trains, software code and embedded systems in switches, motors and interlocks must be properly signed and checked. In addition, the devices must be configured to run signed code only and to reject unsigned instructions. Returning to the train example, a horrifying picture springs to mind if control signals for acceleration and braking were spoofed or, similarly, if a deceitful all-clear signal meant that the train sped ahead into danger.
Similar principles will apply to driverless cars, currently under development.
Stepping towards solutions
Consequently, industry specialists will have to create, develop and implement adequate solutions. However, if a system component has limited memory and processing power, advanced encryption is not usually possible. One solution is to move the cryptographic task to a device designed to perform these tasks well. Small message encryption using SHA (Secure Hash Algorithm) techniques offers the advantages of low power consumption and a reduced memory footprint.
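As an added illustration (not code from the original article), the following Python models the receiver-side check that the train example above calls for, using the low-footprint SHA-based approach mentioned here: each control frame carries an HMAC-SHA256 tag computed with a shared secret plus a monotonic counter, so spoofed, tampered, unsigned or replayed frames are rejected before they reach the motor logic. Note that SHA on its own only hashes; the authentication property comes from keying it as an HMAC. The frame layout, command codes and key are assumptions for this example; a real microcontroller would run the same logic with a C HMAC implementation.

```python
import hashlib
import hmac
import struct

# Assumed frame layout for this example (not from the article):
#   1 byte command | 4 byte big-endian counter | 16 byte truncated HMAC-SHA256
CMD_ACCELERATE, CMD_BRAKE, CMD_ALL_CLEAR = 0x01, 0x02, 0x03
BODY_LEN = 5
TAG_LEN = 16


def build_frame(key: bytes, command: int, counter: int) -> bytes:
    """Sender side: authenticate the command and its counter with the shared key."""
    body = struct.pack(">BI", command, counter)
    tag = hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]
    return body + tag


class MotorController:
    """Receiver side: act only on frames whose tag verifies and whose counter advances."""

    def __init__(self, key: bytes):
        self._key = key
        self._last_counter = -1   # highest counter accepted so far
        self.executed = []        # commands that actually reached the motor logic

    def receive(self, frame: bytes) -> bool:
        if len(frame) != BODY_LEN + TAG_LEN:
            return False                      # malformed, drop it
        body, tag = frame[:BODY_LEN], frame[BODY_LEN:]
        expected = hmac.new(self._key, body, hashlib.sha256).digest()[:TAG_LEN]
        # Constant-time comparison so a forger cannot learn the tag byte by byte.
        if not hmac.compare_digest(tag, expected):
            return False                      # unsigned, spoofed or tampered
        command, counter = struct.unpack(">BI", body)
        if counter <= self._last_counter:
            return False                      # replay of an old, genuine frame
        self._last_counter = counter
        self.executed.append(command)
        return True


if __name__ == "__main__":
    key = b"constructed-demo-key-not-a-real-secret"
    ctrl = MotorController(key)
    print(ctrl.receive(build_frame(key, CMD_BRAKE, 1)))      # True
    print(ctrl.receive(build_frame(key, CMD_BRAKE, 1)))      # False (replay)
    print(ctrl.receive(build_frame(b"wrong", CMD_ALL_CLEAR, 2)))  # False (bad key)
```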
Alternatively, an architectural approach known as TrustZone provides a security framework to counter threats. TrustZone security technology enables system on a chip (SoC) designers to customise the hardware and software resources. With the chip divided into two worlds, there is a secure world for the security subsystem and a non-secure world for everything else. A digital security perimeter exists between the two.
Additionally, the use of backend security analytics would help to mitigate risks in microcontrollers and subsystems. Data collected could be analysed to form performance baselines for the transport examples previously mentioned, as well as in fly-by-wire avionics, medical equipment, manufacturing plants and point of sale systems — the list is extensive. With such baselines, security analytics would be able to detect anomalies quickly and help to counter insidious, stealthy threats.
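As an added example (not from the original article), the following Python shows the baseline-then-detect approach described above on constructed telemetry: per-minute brake-command counts reported by one motor controller. A known-good commissioning window gives a robust baseline (median and median absolute deviation, so a stray outlier does not skew it), and live samples that fall far outside it, including a sudden burst and a silent drop to zero, are flagged for the analytics backend. The metric, the numbers and the threshold are assumptions for this example.

```python
import statistics

# Constructed telemetry (not real data): brake commands per minute from one
# controller. The first list is a known-good commissioning run used as the
# baseline; the second is live data to evaluate against it.
BASELINE_RUN = [12, 11, 13, 12, 14, 12, 11, 13, 12, 12,
                13, 11, 12, 14, 13, 12, 11, 12, 13, 12]
LIVE_RUN = [12, 13, 11, 40, 12, 0, 13]


def build_baseline(samples):
    """Return (median, MAD). Both are robust to a few bad samples in the window."""
    med = statistics.median(samples)
    mad = statistics.median(abs(x - med) for x in samples)
    return med, mad or 1.0   # avoid division by zero on a perfectly flat baseline


def detect_anomalies(samples, baseline, threshold=3.5):
    """Flag samples whose modified z-score exceeds the threshold.

    0.6745 scales the MAD so the score is comparable to a standard z-score
    under normal data; 3.5 is the commonly used cut-off for this statistic.
    Returns a list of (index, value, score) for flagged samples.
    """
    med, mad = baseline
    flagged = []
    for i, x in enumerate(samples):
        score = 0.6745 * (x - med) / mad
        if abs(score) > threshold:
            flagged.append((i, x, round(score, 2)))
    return flagged


if __name__ == "__main__":
    base = build_baseline(BASELINE_RUN)
    for idx, value, score in detect_anomalies(LIVE_RUN, base):
        print(f"minute {idx}: {value} brake commands (score {score}) outside baseline")
```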
Finally, in addition to all the previous measures, any overall approach must be comprehensive for it to be successful. Physical security has a part to play in wider solutions, with access restriction, security monitoring and lockable system or equipment cabinets. The cornerstones of security must not be neglected.
Here, we have looked at some of the key security considerations for embedded systems and small microcontrollers, specifically why protection is necessary and how security methodologies and analytics can contribute to achieving it. These issues take on particular importance in mission-critical applications and core business systems. To protect embedded software against today's and tomorrow's security threats, organisations need to agree on and follow a comprehensive strategy in code development and microprocessor engineering.