Security is a major subject in modern computing which has developed as the Internet has become more widespread.
We will see, however, that in the case that interests us (embedded / IoT) the security problems may not be linked to connectivity but to the simple fact of using embedded software integrated into hardware. The spectrum of IT security is very broad, from business strategy to network security not to mention stack overflow attacks and other “exploits”. The reader interested in a general approach to computer security can refer to the numerous sources available including the excellent work by Laurent Bloch and Christophe Wolfhugel published by Eyrolles.
IT and OT
The subject that interests us, however, does not only concern the IT (Information Technology) part for which the security risks are mainly linked to the hosted data. Industrial systems integrate hardware equipment (OT for Operational Technology) which can also be attacked. OT systems have evolved towards firmware – most often standard operating systems – whose complexity increases the risk of failures and attacks. However, updating OT systems – in order to maintain them at a good level of protection – is much more complex than that of IT systems for which the procedures have been approved and automated for a long time. As a result, the number of attacks and incidents involving OT equipment has increased significantly in recent years.
Safety vs Security
The security of embedded systems (well before the marketing term “IoT”) is of course predominant in the historical fields of industrial computing (military, space, transport, energy) where the term operational safety is also mentioned. The concepts of security and safety have some points in common but also some differences that we will quickly explain. Security involves all the protections put in place against possible threats. In so-called “critical” embedded systems, this concerns failures that can lead to serious problems or even loss of life. As a result, the design of these products (and the associated software) follows very strict standards such as DO-178 in the case of aeronautics. The environments used (tools, programming languages, operating systems) are therefore very specific. 6 As an example we can cite the SCADE development environment or the Polarsys working group linked to the Eclipse foundation, without forgetting the Ada language and its derivative Spark. In the case of security, the goal is to limit threats rather than protect against them. To take the concrete example of consumer equipment (telephone, TV decoder, IVI system), the latter use more general operating systems (such as QNX, GNU/Linux or Android) and are not subject to certification. These systems are, however, modified (or “hardened”) in order to improve their resistance to attacks by using security layers that we will discuss later in the document (cite SELinux and Smack on Linux kernel-based systems). However, the difference between the two concepts is not necessarily so obvious since in the English language, we will sometimes speak of secure software for secure software in the sense of critical embedded software.
The IoT market is evolving
The IoT market has evolved greatly in recent years. Ten years ago, this market was confidential and the solutions for developing such systems were artisanal. Since then, technology has evolved a lot, we have seen the birth of several hundred IoT platform solutions (more than 600 according to IoT Analytics). These IoT platforms (generally vertical) face competition from large cloud service providers such as AWS , Azure , GCP (it should be noted that GCP abandoned the IoT field in August 2023). These suppliers offer a plethora of services to assemble, an essential qualitative industrial offer.
Want to go further ? Download our free white paper to find out how to protect yourself from potential attacks.