The security of connected objects

In the field of embedded systems and the IoT (Internet of Things), security issues go well beyond connectivity concerns. In fact, they are often linked to the very use of embedded software integrated into hardware. The spectrum of IT security is vast, covering everything from corporate strategy and network security to stack overflow attacks and other 'exploits'. For those looking for a general approach to IT security, there are many sources available, including the excellent book by Laurent Bloch and Christophe Wolfhugel published by Eyrolles.

IT and OT security

Our subject does not only concern IT (Information Technology), where security risks are mainly linked to hosted data. Industrial systems also incorporate hardware (OT for Operational Technology) that is vulnerable to attack. OT systems have evolved towards firmware, often standard operating systems, which increases the risk of failure and attacks. However, updating IoT systems to maintain a good level of protection is much more complex than updating IT systems, where procedures have long been established and automated. As a result, the number of attacks and incidents involving IoT equipment has risen sharply in recent years.

Safety vs. security

The security of embedded systems (well before the marketing term "IoT" appeared) is of course predominant in the historical fields of industrial IT (military, space, transport, energy), where the term operating safety is also used. The concepts of security and safety have a number of points in common, but also a number of differences, which we will quickly explain. Safety involves all the protections put in place against possible threats. In so-called "critical" embedded systems, this concerns failures that could lead to serious problems or even loss of life. As a result, the design of these products (and the associated software) follows very strict standards such as DO-178 in the case of aeronautics. The environments used (tools, programming languages, operating systems) are therefore highly specific. Examples include the SCADE development environment, the Polarsys working group linked to the Eclipse foundation, not forgetting the Ada language and its Spark derivative.

When it comes to security, the aim is to limit threats rather than to protect against them completely. To take the specific example of consumer equipment (telephones, TV set-top boxes, IVI systems), these use more general operating systems (such as QNX, GNU/Linux or Android) and are not subject to certification. However, these systems are modified (or 'hardened') to improve their resistance to attacks by using security layers that we will discuss later in the document (such as SELinux and Smack on Linux kernel-based systems). However, the difference between the two concepts is not necessarily so obvious, since in English we sometimes use the term 'secure software' for software that is secure in the sense of critical embedded software.

The evolution of the IoT market

The IoT market has evolved considerably in recent years. Ten years ago, this market was confidential and the solutions for developing such systems were homemade. Since then, the technology has evolved considerably, with the emergence of several hundred IoT platform solutions (more than 600 according to IoT Analytics). These IoT platforms, which are generally vertical, are competing with major cloud service providers such as AWS, Azure and GCP (it should be noted that GCP abandoned the IoT field in August 2023). These providers offer a plethora of high-quality services that are essential for the industrial market.

Security of embedded systems: a customer-centric perspective

For companies involved in the development or use of embedded systems and IoT devices, understanding and addressing security challenges is crucial. Not only do these systems form the backbone of many modern infrastructures, but they are also increasingly targeted by cyber-attacks due to their critical role. Here, we take a closer look at customers' specific security concerns and strategies for mitigating the risks.

Customer concerns about the safety of on-board systems

1. Data integrity and confidentiality: Customers are very concerned about the integrity and confidentiality of the data processed and transmitted by their IoT devices. Ensuring that data remains intact and confidential is paramount, especially in sectors such as healthcare, finance and critical infrastructure.
2. Reliability and availability of systems: For customers, the reliability and availability of their systems are non-negotiable. Any interruption can lead to significant financial losses, damage to reputation and, in critical sectors, threats to human life.
3. Compliance and regulatory requirements: Many industries have strict regulatory requirements for data security and confidentiality. Customers need to ensure that their systems comply with these regulations to avoid legal penalties and maintain consumer confidence.

Responding to safety concerns: best practices

1. Regular updates and patches: Keeping embedded systems and IoT devices up to date with the latest security patches is crucial. However, as mentioned earlier, this is more complex for IoT systems. It is essential to establish a robust update mechanism that minimises downtime and ensures security.
2. Implementing robust authentication and authorisation mechanisms: Using robust authentication and authorisation mechanisms can prevent unauthorised access. Multi-factor authentication (MFA) and role-based access control (RBAC) are effective strategies for strengthening security.
3. Data encryption: Encrypting data, both at rest and in transit, ensures that even if data is intercepted or accessed without authorisation, it remains unreadable and secure.
4. Intrusion Detection and Prevention Systems (IDPS): Implementing intrusion detection and prevention systems can help detect and prevent unauthorised access or anomalies in the system, providing an additional layer of security.
5. Security audits and penetration tests: Regular security audits and penetration tests can identify vulnerabilities and areas for improvement, helping customers to proactively address potential security issues.

Conclusion: the way forward

As the IoT market continues to grow and evolve, the importance of security in embedded systems cannot be overstated. For customers, meeting these security challenges is not just about protecting data and systems; it's about ensuring the trust and security of their operations and customers. By implementing robust security measures and keeping abreast of the latest threats and solutions, businesses can effectively navigate the complex embedded systems security landscape.

For those wishing to explore further how to protect themselves against potential attacks, we invite you to download our free white paper, which offers comprehensive information and strategies for securing your systems.