Cybersecurity Executive Brief


Sponsored by

CYBERSECURITY, IOT, AND EMBEDDED SYSTEMS: REDUCING RISK WITH PEN TESTING

ASK THE EXPERT
SEAN EVOY
Product Line Manager, Wind River Tools

Cybersecurity burst upon the embedded systems landscape in 2016 when the infamous Mirai Internet-of-Things botnet took down major websites using hundreds of thousands of compromised IoT devices. [1] Mirai was possible because IoT developers didn't include security high on the list of design requirements for their low-cost, widely deployed products. This was a wake-up call for embedded developers, whose systems were among the first to have to coexist with Industrial IoT (IIoT) devices.

Worse, critical embedded systems proved vulnerable to cybersecurity attack sooner than anyone had expected. Shortly after Mirai, a U.S. Department of Homeland Security (DHS) Cyber Security Division team demonstrated a remote hostile penetration of a Boeing 757, using off-the-shelf hardware and software that readily passed through airport security. [2] And as recently as August of this year, DHS issued an alert warning of hacking vulnerabilities in Controller Area Network (CAN) data busses used on some large aircraft. [3]

Cybersecurity threats reach beyond aviation: automobile automation of emergency braking, collision warning, and other driver assistance technologies are already widely deployed. Building automation systems have already been subject to "cyber-ransom" attacks that cost tenants millions of lost operating hours.

To complicate things, embedded systems specifications such as DO-178C/278A, dating from 2012, barely touch on today's cybersecurity vulnerabilities, and automotive systems have no governance at all [4], giving developers little guidance for coexisting in a mixed-criticality environment where malice may be afoot. As system complexity grows, attack surfaces between interoperating systems increase exponentially, across new bus architectures, HMI, IP networks, and data protection, both at rest and in transit.

Foiling Cybersecurity Risks at the Source

As an embedded systems developer, you can get ahead of cybersecurity problems through vulnerability testing, called penetration testing ("pen testing") in the IT world, and fault injection in the embedded engineering community.

A pen test is a simulated attack on a system to detect known vulnerabilities. A library of known attacks, or faults, drives an automated tool that injects each fault and analyzes the Device-Under-Test (DUT) response. This testing uses unmodified binaries, so there is no risk of unintentional interference by test rigging. As new vulnerabilities accumulate in the fault library, you re-run the penetration exercise as part of your standard regression testing process.

Pen testing is one of the best ways to mitigate cybersecurity risk, because you use it throughout a system's lifecycle: during development, deployment, and after each modification.

One of the most effective ways to deploy pen testing is via simulation engines, such as Wind River Simics. Simics lets you decouple your work from physical hardware, while still retaining the ability to connect physical hardware when required. Simics virtual hardware gives you on-demand access to any target system, supporting continuous integration and automated testing with
