Cybersecurity Executive Brief


Cybersecurity, IoT, and Embedded Systems: Reducing Risk with Pen Testing

Ask the Expert

Cybersecurity burst upon the embedded systems landscape in 2016, when the infamous Mirai Internet of Things botnet took down major websites using hundreds of thousands of compromised IoT devices. [1] Mirai was possible because IoT developers didn't include security high on the list of design requirements for their low-cost, widely deployed products. This was a wake-up call for embedded developers, whose systems were among the first to have to coexist with Industrial IoT (IIoT) devices.

Worse, critical embedded systems proved vulnerable to cybersecurity attack sooner than anyone had expected. Shortly after Mirai, a U.S. Department of Homeland Security (DHS) Cybersecurity Division team demonstrated a remote hostile penetration of a Boeing 757, using off-the-shelf hardware and software that readily passed through airport security. [2] And in 2019, DHS issued an alert warning of hacking vulnerabilities in Controller Area Network (CAN) data buses used on some large aircraft. [3]

Cybersecurity threats reach beyond aviation: Automobile automation of emergency braking, collision warning, and other driver assistance technologies is already widely deployed. Building automation systems have been subject to "cyber ransom" attacks that cost tenants millions of lost operating hours.

To complicate things, embedded systems specifications such as DO-178C/278A, dating from 2012, are challenged to adapt to today's fast-moving cybersecurity vulnerabilities. As system complexity grows, attack surfaces between interoperating systems increase exponentially, across new bus architectures, HMI, IP networks, and data protection, both at rest and in transit.
Foiling Cybersecurity Risks at the Source

As an embedded systems developer, you can get ahead of cybersecurity problems through vulnerability testing, called penetration testing ("pen testing") in the IT world, and fault injection in the embedded engineering community.

A pen test is a simulated attack on a system to detect known vulnerabilities. A library of known attacks, or faults, drives an automated tool that injects each fault and analyzes the device-under-test response. This testing uses unmodified binaries, so there is no risk of unintentional interference by test rigging. As new vulnerabilities accumulate in the fault library, you rerun the penetration exercise as part of your standard regression testing process.

Pen testing is one of the best ways to mitigate cybersecurity risk, because you use it throughout a system's lifecycle: during development, deployment, and after each modification. One of the most effective ways to deploy pen testing is via simulation

SEAN EVOY, Product Line Manager, Wind River
