Cybersecurity is rising in complexity, with more moving parts to consider. As embedded IoT devices become commonplace in all spheres, staying a step ahead of cyberattackers will require secure-by-design hardware- and software-development practices that consider cybersecurity from all stakeholder perspectives and integrate the inputs into the solution.
Cyberattacks against IoT devices can have massive and life-threatening consequences, and the proliferation of larger IoT devices and embedded cyber-physical systems greatly increases the opportunities for incursions. The Mirai botnet, for example, appeared in late 2016 and continues to commandeer unsecured smart devices to create a network of bots capable of launching devastating cyberattacks. And with the unstable global geopolitical situation involving countries known to launch cyberattacks, there is concern that the next massive IoT attack is just around the corner.
The growing awareness of IoT device vulnerabilities has made cybersecurity a growth industry. The global cybersecurity market was estimated at €188 billion in 2022 and is projected to reach €466 billion in 2030, according to a recent study by Grand View Research. Past efforts have focused on software updates and rapid patch development, but there’s a dawning realization that effective cyber defenses must be built into hardware.
Cyberattacks can be addressed at the macro and micro levels. At the macro level, government regulations, industry guidelines, and security standards are the main tools to ensure secure IoT devices are produced, used, and maintained across all aspects of society. Cybersecurity standards will be critical in preventing cyberattacks and minimizing the damage when they do occur.
At the micro level, an IoT device can be secured by protecting its software applications, stored data, networks, and end users from threats; reporting and addressing its vulnerabilities; and planning for post-attack recovery.
Implementing security controls in software alone is insufficient to address the increasingly frequent and severe threats facing digital systems. It will be difficult to rely solely on software updates to maintain the security of IoT devices because of their long lifespan and their expected autonomous use. Security needs to be considered at the hardware level, as secure hardware can provide encryption, authentication, or secure boot at the chip level to protect against physical attacks as well as support secure software.1
Risks can also be reduced by shrinking the attack surface of an IoT device, which includes the USB, Ethernet, and Wi-Fi ports and any device attached to it, such as a switch, mouse, or keyboard.
Some industries have already adopted the ethos of hardware security. A case in point is the internet of military things (IoMT), comprising IoT devices for combat operations and warfare.
As the Russia-Ukraine conflict has made clear, the battlespace has become multidomain and significantly more digitized: Everything from drones, armored vehicles, and even an infantry soldier’s personal equipment is connected. The IoMT’s embedded computing systems generally share the same generic architecture as a personal computer; therefore, they can be exploited using methods that work on civilian computing systems. Jamming devices, electronic eavesdropping, and cyber malware are routinely used by adversaries to compromise the confidentiality, integrity, and availability of the information within a network.
The consequences of cyberattacks on military embedded computing systems can be especially dire. To expose the dangers of cyber vulnerabilities, “ethical hackers” shut down2 the embedded device that collected navigation data from video cameras and sensors on an F-15 fighter jet. Malware that targets military microprocessors and can bypass all anti-malware defense mechanisms has also surfaced. Hardware security will therefore be crucial for IoMT systems to foresee, avoid, and recover from attacks from adversary forces and ensure a successful mission.
Secure hardware is just as critical in civilian aircraft, airlines, and airport systems. Airlines such as Delta3 and aircraft manufacturers such as Airbus4have already come under cyberattack. According to Red Alert Labs, some 59% of airports are implementing cybersecurity measures to defend against common cyber threats, and 43% of airports are specifically implementing IoT initiatives to monitor airport locations. Moreover, the European Union Agency for Cybersecurity (ENISA) has established security practices for software and hardware updates5 to safeguard smart airports.
While it is easier to make a case for hardware security in mission-critical industries, the barriers to hardware security adoption for the non-government-regulated consumer IoT may be much higher.
Pivoting to hardware security is not without its challenges.
From a technical standpoint, hardware is generally less flexible and scalable and more difficult to deploy than software. In addition, debugging hardware is more labor-intensive and time-consuming.
There are also market barriers. For example, according to a survey conducted by the U.K. government’s Economic and Social Research Council (ESRC)-funded Discribe (Digital Security by Design Social Science) Hub, customers may be less willing to pay a premium for a feature or quality — in this case, hardware security embedded in a product — that they cannot identify. In addition, software has a shorter time to market and a lower upfront cost than hardware.
Very often, the lack of awareness and general knowledge about physical security creates uncertainty in the minds of decision-makers. In the same study by Discribe Hub, participants often cited cost, longer and more complex product development, and potential problems in integrating secure hardware modules as barriers to adopting hardware security.
Therefore, Discribe proposed several solutions for overcoming the barriers to adoption. First, the needs of decision-makers must be acknowledged, and the value of hardware security adoption needs to be communicated to them on a case-by-case basis. Second, the gap in the knowledge of various stakeholders in hardware security needs to be bridged to enable the most informed decision. Finally, the stakeholders’ existing skills should be leveraged during the development of the hardware solution.
Developing and deploying improved hardware security will be crucial. But how can the industry make sure innovative solutions continue to propagate?
Alex Leadbeater, who chairs multiple ETSI committees, offered some suggestions in an interview with EE Times Europe. ETSI, the recognized nonprofit organization developing globally applicable standards for ICT systems, advocates for building cybersecurity awareness into a product from the beginning to ensure security by design. Toward that end, it advocates for teaching all stakeholders — coders, engineers, and product developers — about cybersecurity.
“What we’re seeing is that people are making the same mistakes people made 30 years ago in mainstream operating systems,” said Leadbeater. Large OS vendors like Microsoft “fixed these security weaknesses quickly and have not made the same errors again. However, this hasn’t propagated, for example, into the IoT industry from the more established IT industry.”
That’s happening, he said, because secure-by-design practices are not taught in universities as a part of the design ethos, except to those explicitly studying software engineering. The number of university programs in software and product development is on the rise, but while students learn to code, they are not always taught security by design or defensive coding. Students do not learn how devices are attacked; as a result, they do not get to think about security deeply.
“Take something simple like reading an input from a keyboard or sensor,” said Leadbeater. “You can do it in two lines of code. But to do it securely, it takes about 20 lines because you have to fully validate the input from initial reading through to processing and storage.”
Leadbeater supports teaching a lighter version of the cybersecurity skillset in, for example, software development or product management so that all students learn about secure-by-default methodologies. Students do not all need to learn to be cybersecurity professionals, he said, but teaching secure coding and security standards to all involved in the product development process will get people to think about doing things in a standardized way.
Teaching cybersecurity to people already working as hardware or software developers will also be beneficial, posits Leadbeater. Many coders come from diverse backgrounds, with many starting out in non-science or engineering-based fields. Such diversity helps make better products, but it also means that many developers lack cybersecurity experience. All the members of these diverse teams should have some understanding of cybersecurity; some exposure to cybersecurity will establish a baseline for them.
Finally, Leadbeater hopes there will be more intergenerational collaboration among the stakeholders.
Decision-makers are typically from an older generation and have battle-hardened security experience because they have experienced their servers being hacked, seen the red light come on in the data center, and fought off the incoming distributed-denial-of-service attack. For their part, younger team members typically have coding native experience and involvement with open source; as a result, they practice “code first but may worry about security quality later,” Leadbeater said. Security needs to be designed into version 1, not version 50.
Younger generations often are not well represented in standards development groups, including those focusing on cybersecurity. Therefore, the question is how to achieve maximum inclusivity to harness both the experience of older experts and the innovative ideas of younger graduates when developing and implementing security standards.
More widespread teaching of cybersecurity principles is one element in achieving that goal, Leadbeater believes.
1 National Cyber Security Centre. “The Cyber Security Body of Knowledge,” Version 1.0. Oct. 31, 2019.
2 Murdock, J. “Ethical Hackers Sabotage F-15 Fighter Jet, Expose Serious Vulnerabilities.” Newsweek. Aug. 15, 2019.
3 BBC News. “Delta: https://www.eetimes.euPower cut strands thousands of passengers.” Aug. 9, 2016.
4 Coyne, A. “How Airbus defends against 12 big cyber attacks each year.” IT News. April 14, 2016.
5 European Union Agency for Cybersecurity (ENISA). “Securing Smart Airports.” Dec. 16, 2016.
—Sylvia He is a contributing writer to EE Times Europe.
>> This article was originally published on our sister site, EE Times Europe.
- 10 fatal mistakes in embedded systems security
- Redefining firmware security
- Changing industry mindset to tackle fundamental flaws in cybersecurity
- CEO interview: implementing embedded security has to be simple
For more Embedded, subscribe to Embedded’s weekly email newsletter.