Getting serious about security
Most embedded systems designs are no longer islands unto themselves. They're now connected to a network and are thus open to access of all sorts. More than ever before, the prudent developer must pay attention to protecting his or her designs from a growing variety of security attacks, from algorithmic, protocol, microprobe, environmental, timing, to just plain, old buggy-code exploitation.
A good place to immerse yourself in the latest security techniques is the Embedded Systems Conference at the 2013 DESIGN West April 22-25 in San Jose, Calif. The conference includes two tracks on security: the Safety, security and hacking embedded systems track and the Black Hat Summit. Of the many classes available, these look especially intriguing to me:
- Retrofitting security into existing embedded devices (ESC-338);
- Hack or be hacked! (ESC-413);
- Power analysis attacks for cheapskates (BH-202); and
- The M2M risk assessment guide (BH-301).
[Click here to register for DESIGN West 2013, April 22-25 at the San Jose McEnery Convention Center. Options range from an All-Access Pass -- which includes Black Hat (security) Conference Session to Free Expo Admission].
A second source of information and help is Embedded.com, where over the past ten years we have built up a knowledge base of design and development articles, blogs, and resources on the topic of security. The most recent of these are included in this week's Tech Focus Newsletter on "Dealing with embedded security threats."
For many years, the issue of securing embedded devices in the many industrial and gas, water, and electric power utility plant environments has been an ongoing concern of Embedded.com columnist Jack Ganssle in such articles as: "Is the SCADA infrastructure secure?" and "Embedded SCADA security follow-up," as well as "Embedded cyber-risks."
Recent events have reinforced his concern. No longer are such hacks and intrusions done by teenagers or maladjusted adults who do it for the fun or challenge of it. Such activities are now sponsored by corporations seeking information about their competition, countries subverting their adversaries, individuals and organizations intent on stealing IP and other data, and diverse political and religious groups with radical agendas.
While a growing number of embedded developers are now convinced that the security threat is real and of more serious concern than in the past, the companies they work for and the customers who buy their designs are less so.
Let's be honest. While expressing concern for security, many high tech companies who should know better let other things intrude, especially when it impacts design complexity, cost, and performance. To corporate accountants, avoiding complexity, reducing cost, and improving performance directly impact the bottom line. But security only provides indirect benefits which are sometimes hard to quantify – except when it is too late, after a hack.
But as the contributions to this week's Tech Focus newsletter illustrate, implementing the appropriate security measures does not have to be expensive or complicated. However, what it does require is a better understanding of the issues and tradeoffs involved and the alternatives available.
In addition to the newsletter contributions, here are my Editor's Top Picks from Embedded.com's archive of security related articles that I think will help:
Q &A: Protecting against side-channel attacks
An introduction to elliptic curve cryptography
Enhance system security with better data-at-rest encryption
Boost MCU security and performance with hardware accelerated crypto
Physically securing critical data with non-imprinting memory and AES
Best practices: improving embedded operating system security
A framework for considering security in embedded systems
And again, for the most up-to-date hands-on information about embedding security into your embedded systems, DESIGN West in April is the place to go. Click here to register for DESIGN West 2013.
Embedded.com Site Editor Bernard Cole is also editor of the twice-a-week Embedded.com newsletters as well as a partner in the TechRite Associates editorial services consultancy. He welcomes your feedback. Send an email to firstname.lastname@example.org, or call 928-525-9087.
See more articles and column like this one on Embedded.com. Sign up for the Embedded.com newsletters. Copyright © 2013 UBM--All rights reserved.