Two New Points in Automation: Changes Brought by IoT (Part One: Embedded Device Security, Old Soldiers with New Stories, Relating to IIoT Security)


Introduction


Industrial automation consists of two parts: networking and interconnection of devices, and the design and manufacturing of embedded devices. The development of the Internet of Things (IoT) poses challenges to the interconnectivity and information security of factories, industrial facilities, and service equipment. Previously, when devices were not connected to the internet, everything was safe; now, with connectivity, either the device connectors are mismatched, or hackers are coming in. This article is the first part of “Two New Points in Automation: Changes Brought by IoT,” focusing on embedded device security, while the interconnectivity of devices will be discussed in the second part.


01

Embedded Devices and Security Awareness

An embedded system is a device that includes hardware and built-in software, capable of independently completing a function or a set of tasks, many of which store important information. Currently, embedded devices have become primary targets for hackers, as many components and machines driven by embedded devices must connect to the internet during operation, providing opportunities for network hackers to intrude. For example, if an attacker hacks into a self-driving car, it is equivalent to hijacking the vehicle, allowing the hacker to control the car and steer it off the normal driving path, with potentially disastrous consequences. Therefore, embedded system security is not just a matter of financial loss; it can also be a matter of life and death.

The traditional concept of embedded device security focuses on system reliability, stability, and usability. The new concept, however, covers the risk of devices being hacked, of data being stolen during transmission, and of data security and system stability being compromised during remote upgrades and maintenance. Although embedded engineers are aware of national encryption standards and use encryption ICs, they often lack the overall design capability for embedded device security.


In the IoT environment, there are four misconceptions about embedded device security: first, that having a corporate firewall is sufficient; second, that remote updates of embedded software can prevent attacks; third, that embedded devices are not targets for hackers; and fourth, that PC antivirus software is adequate. In reality, corporate firewalls and PC antivirus software cannot fully protect factory or retail devices because these devices use industry communication protocols (such as CAN bus, 485 lighting communication protocols, etc.) that are not covered by firewalls. Once connected to public WiFi, they can be vulnerable to attacks. Although remote software may prompt for updates, operators may not execute the updates, making embedded devices susceptible to hacking, which has become a significant topic in IoT security.

Many embedded products use industry communication protocols and specialized operating systems, such as Android or a lightweight version of Linux. In most cases, these devices are optimized to minimize processing cycles and memory usage, leaving little additional processing resources available. Given the uniqueness of embedded systems, PC security solutions rarely run on most embedded devices. With almost no firewalls in embedded systems, most embedded devices can only rely on simple password authentication and security protocols to ensure system security, so more effective security measures are needed to keep embedded systems safe.


According to Data Bridge Market Research, the market size of embedded systems is expected to reach $127.5 billion by 2027, with a compound annual growth rate of 5.70%. Embedded systems are driving innovation across a wide range of applications, including IoT applications, autonomous driving, visual technology, mobile payments, and artificial intelligence. As technology advances, the associated threats are also increasing. Attacks on embedded devices are becoming more frequent, affecting everything from vehicle anti-theft and control systems to secure payments, secure authentication, and content and data protection.

02

Technical Reasons for Embedded Security Risks

Embedded devices require third-party hardware and software components to function properly, especially open-source software, and these components often lack rigorous security testing. In fact, these components may contain malware or be vulnerable to malware attacks, posing potential threats to the entire system. Furthermore, the standardization level protecting the IoT industry is relatively low, with no established security standards, making it difficult for manufacturers to assess the security of the components they use. Therefore, developing secure devices is one of the main challenges in embedded system security.

The lifecycle of embedded devices is typically much longer than that of personal computers or consumer electronics, often requiring continuous use for many years, making it challenging for engineers to defend against potential security threats that may arise over the next decade with existing technological means.


Market feedback indicates that even when prompted by devices, only about 38% of users regularly update their security software. Therefore, corresponding security strategies need to be fully considered from the design stage and integrated into the system, such as providing customizable and secure code updates to manage patches or correct software defects regularly.

Embedded hacking is easily replicable. Embedded system devices often use the same processor or the same mainboard scheme, allowing for mass production, with potentially thousands of identical devices on the market. If a hacker successfully attacks one device, that attack can be replicated across all devices. Therefore, a trustworthy embedded security strategy is best combined with layered security features to create a stronger defense mechanism.
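The two points above (secure code updates, and one compromise replicating across identical devices) can be made concrete with the following added example, which is not from the original article. The function names, serial numbers and fleet secret are hypothetical, and HMAC-SHA256 stands in for the asymmetric signature a production device would typically verify, so that the example runs with the Python standard library only.

```python
import hashlib
import hmac


def derive_device_key(fleet_secret: bytes, device_id: str) -> bytes:
    """Diversify one vendor-held secret into a unique key per device.
    A key extracted from one unit is then useless against its siblings."""
    label = b"fw-update-v1|" + device_id.encode()
    return hmac.new(fleet_secret, label, hashlib.sha256).digest()


def sign_update(device_key: bytes, version: int, image: bytes) -> bytes:
    """Vendor side: bind the version number and the image digest in one tag."""
    msg = version.to_bytes(4, "big") + hashlib.sha256(image).digest()
    return hmac.new(device_key, msg, hashlib.sha256).digest()


def accept_update(device_key: bytes, installed_version: int,
                  version: int, image: bytes, tag: bytes) -> str:
    """Device side: authenticate first, then refuse downgrades."""
    expected = sign_update(device_key, version, image)
    if not hmac.compare_digest(expected, tag):  # constant-time comparison
        return "bad-tag"
    if version <= installed_version:            # anti-rollback check
        return "rollback"
    return "ok"


def demo() -> dict:
    # Constructed sample values; a real fleet secret never leaves the vendor.
    fleet_secret = bytes(range(32))
    image = b"constructed firmware image, version 7"
    key_a = derive_device_key(fleet_secret, "SN-0001")
    key_b = derive_device_key(fleet_secret, "SN-0002")
    tag_a = sign_update(key_a, 7, image)
    return {
        "genuine": accept_update(key_a, 6, 7, image, tag_a),
        "tampered": accept_update(key_a, 6, 7, image + b"!", tag_a),
        "rollback": accept_update(key_a, 8, 7, image, tag_a),
        # Update authenticated for SN-0001 replayed on the identical SN-0002.
        "other_device": accept_update(key_b, 6, 7, image, tag_a),
    }


if __name__ == "__main__":
    print(demo())
```

Because the tag is bound to a per-device key, a package prepared with material recovered from one unit fails authentication on every other unit of the same model.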

03

Evaluating from Four Perspectives

· First, assess potential threats and vulnerabilities

Analyze the product lifecycle, evaluate the impact of developers, hardware manufacturers, software suppliers, telecom operators, users, and any stakeholders on the final product’s security, identify all possible software and physical attack points and their likelihood, and develop technical specifications with security requirements.

· Second, design a reliable software architecture based on requirements

Make full use of middleware and virtualization technology for component partitioning, and allow multiple operating systems to run on a shared platform.

· Third, select tools and components

The security of the software development platform chosen for embedded systems is crucial; it must comply with international or regional security standards. The selection of system hardware is equally important; all circuit boards, sensors, and peripherals purchased from manufacturers and distributors should meet the security standards required by the solution.

· Fourth, conduct security testing

The security testing of hardware and software components in embedded systems should not be overlooked; it should be a mandatory step, independent of other system testing functions.

04

Planning from Three Protection Targets

Software protection, data protection, and device protection are the targets of embedded security, but they must be planned synchronously from both the physical and digital layers.

Compared to ordinary digital solutions, providing appropriate security levels for embedded systems requires protection at both the physical and digital layers: on one hand, devices should resist illegal external intrusions and physical damage, such as using shockproof casings and installing surveillance cameras; on the other hand, software must withstand hacker attacks and data leaks.


Therefore, embedded software companies need to use a combination of digital security mechanisms to protect system security at all stages, including initialization, operation, and updates. The following points should be emphasized in the design:

Software Protection: Ensure that the entire software architecture is protected against unauthorized changes.

Data Protection: Ensure that unauthorized users cannot access information stored on the device, such as implementing authentication, strong passwords, and encrypted connections with the device.

Device Protection: Ensure that the device itself is not subject to external physical damage. This can be achieved using robust materials, electronic locks, surveillance cameras, and other peripherals. Some processors or mainboards now have the capability to detect physical intrusions in the device casing.

When discussing embedded system security, the security of many embedded devices is often focused on software. In reality, no matter how strong your software security is, if the hardware is not “hard,” the device is still vulnerable to attacks. Hardware security in embedded systems can be achieved through measures such as key management, encryption, and hardware function isolation.

There are numerous solutions in the security field available on the I Love Solutions website:

· Solution One: Low-Power Battery IPC Camera

· Solution Two: 2 Million Video Conference USB Camera Module

· Solution Three: 2 Million Pixel Starlight Night Vision USB Camera Module

· Solution Four: Timely Monitoring Global Positioning Smart Security Logistics Lock Electronic Solution

· Solution Five: Fingerprint Lock Solution

Conclusion

Typical companies providing comprehensive embedded security solutions include Infineon, NXP, TI, STMicroelectronics, Maxim, Renesas, McAfee LLC, Broadcom, and Advantech, as well as domestic companies like Suzhou Guoxin and Guomin Technology. They employ various technologies in the IoT market, some of which are adaptations of existing security solutions, such as Trusted Platform Modules (TPM) and Trusted Execution Environments (TEE), NFC embedded security elements, and authentication ICs. Others are adaptations based on the demands of the IoT market, such as embedded SIMs and secure microcontrollers.

Moreover, crucial components of embedded system security are cryptographic algorithms and hardware architectures that can work within extremely low memory and processing budgets, together with Trusted Platform Modules and standardized security protocols. Since most embedded devices are outside corporate IT systems, security functions must be integrated into these devices to enable them to defend themselves independently. Therefore, we should consider security requirements from the earliest design stages of embedded systems and select software tools and hardware components based on these requirements, as these hardware and software characteristics will largely determine the future security capabilities of embedded systems.
