The importance of security considerations in cyber-physical systems is growing due to the increasing connectivity of smart edge devices that communicate via the Internet (e.g. remotely operated systems, autonomous vehicles and machines, or medical testing devices). More and more often, such systems become the target of cyber-criminal activities. When a system gets breached, the consequences can be severe, ranging from sensitive data being leaked to human lives being endangered when safety-critical systems malfunction. In the following article, we guide you through the design process for a secure embedded system in 7 steps, based on our practical experience.
System security is more than just a technical necessity. Done correctly, it is a complex task that needs to be tackled with great care and a comprehensive approach by experts. Challenging questions that need to be answered include:
For a system to be reasonably secure, several attributes have to be considered and ensured in accordance with the acceptable risk level (i.e. the combination of probability and impact of a risk scenario). A commonly used model is the CIA triad, which names the three most crucial attributes of security: confidentiality, integrity and availability.
The ideal approach is to include security considerations from the beginning and integrate suitable measures in the system design to safeguard data and functionality. However, the following process can also be applied to legacy systems.
The first step is to define the scope and boundaries of the system. This includes a detailed description of the system, its interfaces, use cases, interacting personnel and the environment the system is embedded into.
The next challenging task is defining and selecting appropriate norm(s) for security risk assessment and security implementation in the ever-evolving landscape of security-related standards in the field of embedded systems. The most recent and most applicable up-to-date standard series is IEC-62443, which covers security for industrial communication networks and for industrial automation and control systems. However, other industry-specific norms and regulations might also be applicable. Hence, the task is to select the appropriate set of standards for the respective product and the assessment at hand.
In the course of the design process, we offer our customers a detailed Security Risk Assessment according to the applicable norms, e.g. NIST SP-800-30, IEC-62443-4-1, ISO IEC 27005 or AAMI TIR 57. The purpose of the risk assessment is to identify risks to determine what events could happen that have a harmful impact on the system. Important questions that must be answered are the following:
Based on these results, as well as the previously determined system scope and description, our security experts determine risks and evaluate them together with the customer’s product team in our structured Security Workshop. Each risk is assigned a probability and an impact to determine its risk level. Based on this prioritization, the objectives, strategies and measures are then defined in order to mitigate each risk to an acceptable level in accordance with the given norms and standards.
Mission Embedded provides guidance and accompanies you during this process. As a result, we provide you with the conceptual foundation to establish a secure environment and to reasonably secure your product.
In a Security Profile tailored to your application, the implementation of the objectives and strategies defined in the Risk Assessment is detailed and technical requirements are specified, i.e. what will be implemented and how it fits together. In this detailed concept specification, we ensure that all previously specified targets and objectives are met.
An exhaustive overall analysis of the security objectives would go beyond the scope of this article. The image below aims to demonstrate the complexity of security considerations and processes. The Mission Embedded experts are happy to help you with any questions you may have.
Based on the Security Profile, Mission Embedded establishes a chain of trust for the complete system or application (i.e. a linked path of validation and verification from a trust anchor down to an end-entity certificate). Depending on the system security scope, the implementation activities might address several phases of the product lifecycle, from supply chain and production to maintenance processes.
For the devices themselves, secure hardware (processor, trusted platform module) is the foundation for safeguarding a system and ensuring the integrity and authenticity of the bootloader as well as the dedicated application. Building on the chain of trust, Mission Embedded secures the system and its interfaces by verifying and safeguarding the file system, encrypting communication channels, or protecting sensitive information. This hardened system efficiently protects data, functionality, and services from unauthorized third parties.
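To make the chain of trust concrete, here is an added example (not Mission Embedded's code) of how a boot chain can be verified link by link: a root public key acts as the trust anchor, the bootloader image is signed with the root key, and the bootloader in turn vouches for the application's key. It assumes Ed25519 signatures, a two-stage chain and constructed stand-in images; a real device would hold the anchor in ROM or OTP and verify actual firmware.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Stage is one link of the boot chain: an image, the key the NEXT stage is verified with, and a signature over both.
type Stage struct {
	Image   []byte
	NextPub ed25519.PublicKey
	Sig     []byte
}

// digest binds image and next-stage key together, so neither can be swapped unnoticed.
func digest(image []byte, nextPub ed25519.PublicKey) []byte {
	sum := sha256.Sum256(append(append([]byte{}, image...), nextPub...))
	return sum[:]
}

// VerifyChain walks from the trust anchor (root public key held in ROM/OTP) down the stages.
// It returns the index of the first failing stage, or (len(stages), true) when every link verified.
func VerifyChain(anchor ed25519.PublicKey, stages []Stage) (int, bool) {
	pub := anchor
	for i, s := range stages {
		if !ed25519.Verify(pub, digest(s.Image, s.NextPub), s.Sig) {
			return i, false // halt boot here: this stage is not authentic
		}
		pub = s.NextPub // hand trust down to the key the verified stage vouches for
	}
	return len(stages), true
}

// DemoChain builds a constructed two-stage chain (bootloader, application):
// the root key signs the bootloader, the bootloader's key signs the application.
func DemoChain() (ed25519.PublicKey, []Stage) {
	rootPub, priv, _ := ed25519.GenerateKey(rand.Reader)
	var stages []Stage
	for _, img := range [][]byte{[]byte("bootloader-image"), []byte("application-image")} {
		nextPub, nextPriv, _ := ed25519.GenerateKey(rand.Reader) // key pair for the next stage
		stages = append(stages, Stage{img, nextPub, ed25519.Sign(priv, digest(img, nextPub))})
		priv = nextPriv
	}
	return rootPub, stages
}

func main() {
	fmt.Println(VerifyChain(DemoChain()))
}
```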
Examples of the implementation of other Security Profile objectives include unique device identification, credential management, key management and PKI (public key infrastructure), device authentication, remote device update, over-the-air updates and secure data exchange.
Penetration tests (strategic hacking attempts) are then carried out either by Mission Embedded or, if requested, by an independent third party in order to verify all implemented measures and to ensure that system security complies with the latest state of the art.
The results and artefacts of all previous steps are finally compiled into a Security Trust Case documenting
This is the basis for the final security approval. Our expert team is also happy to support you during the approval of your product, or we can even take care of the whole certification process for you. Mission Embedded’s well-proven and tested security process provides a roadmap to approval and a secure system.
Security is not a one-time job during system development or certification, but rather a continuous process throughout the entire lifecycle of a system. The Mission Embedded lifecycle team can monitor the system for emerging vulnerabilities, ensuring a rapid incident response to security gaps, e.g. through a timely rollout of updates.