Designing Security into Embedded IoT Systems

By Dominik Merli | July 30, 2024

Internet connectivity, digital business models, data-driven services, remote access, and data analytics create new needs and challenges across nearly every industry. Dominik Merli, author of the new book Engineering Secure Devices: A Practical Guide for Embedded System Architects and Developers, explores ways to design security measures into embedded systems.

Most modern products need some kind of computer integrated into them—more specifically, they usually require an embedded system, an electronic system including a processing unit, memory, and input/output interfaces that are embedded within a larger mechanical or electronic system. The application domains of embedded systems are extremely wide. They’re used in controllers, sensors, and actuators in industrial automation, transportation, and critical infrastructure systems. Communication and network hardware like routers, switches, and base stations are based on them too. In the consumer market, products with embedded systems include smart washing machines, intelligent heating systems, and gaming consoles.

Compared to personal computers (PCs) and server systems, these devices often face constraints, like the need to keep down manufacturing costs or run on hardware with low to moderate computational power, in addition to the rather limited options for input and output capabilities. Embedded systems are used in very specific, sometimes critical areas, and they usually operate with few user interactions, if any. Further, these devices are built from a wide range of hardware, firmware, and operating systems in use across different products, manufacturers, and industries.

On top of those limitations, adding security requirements to the equation doesn’t make the life of an embedded systems engineer easier. Developing security measures for these devices, given their specific application environments and constrained resources, is a challenging task for architects and developers. In many cases, embedded systems also face physical attackers, a more powerful attacker model than the remote attacker assumed for cloud or web services, for example.

The state of embedded system security

If we look at different application domains and industries, the state of security measures in embedded systems varies greatly. For example, smart card solutions for pay-TV were confronted with fraud cases as early as the 1990s. If people could circumvent the scrambling and shuffling algorithms, they were able to watch pay-TV for free. In addition, if attackers succeeded in cloning those smart cards, they could sell them at a lower price, leading to a loss in revenue for the original provider. Since the business model was under pressure, the security awareness of these companies was relatively high, and corresponding investments and developments in smart card security were prioritized.

Another field of embedded systems in entertainment exhibits a similar pattern: gaming consoles. The natural interest of console manufacturers is that only original game media can be played on their devices. If attackers succeed in running cloned discs, the business model suffers. After the reverse engineering community gained interest in analyzing game consoles, the industry responded with increased security mechanisms. As a result, they reached a solid state of embedded system security that requires attackers to invest a lot of resources, expertise, and sophisticated tools to successfully bypass protection measures.

However, in other application areas of embedded systems, the components don’t have such mature security features. In 2016, this became quite obvious with the discovery of the Mirai malware, which compromised hundreds of thousands of Internet of Things (IoT) devices, mainly IP cameras and home routers, and turned them into a botnet that performed enormous distributed denial-of-service (DDoS) attacks against websites. Further, the collections of vulnerabilities dubbed Ripple20 and Amnesia:33 showed various weaknesses in TCP/IP stacks for embedded systems in 2020. According to estimates, more than 15 million devices were affected, from medical to building automation to industrial control systems (ICS).

Devices used in industrial automation and critical infrastructures, where robustness and reliability are crucial, also have long security to-do lists. Although the Stuxnet incident reports in 2010 were a wake-up call for industrial automation manufacturers, the market still has a significant lack of well-protected devices. In 2022, a collection of vulnerabilities in operational technology (OT) components was published under the name of OT:ICEFALL. The authors characterized the security engineering failings as “insecurity by design” because the analyzed products missed even the most basic security controls.

Emerging requirements, laws, and standards

As strange as it sounds, without these incidents, vulnerabilities, and attacks, only marginal security awareness would probably exist. However, since we’ve seen many of these issues during the last 20 years while at the same time online connectivity, digital services, and data analytics grew increasingly relevant to companies, cybersecurity “suddenly” has become a requirement—for example, in the procurement process.

This doesn’t mean customers immediately show deep and comprehensive security knowledge, but they increasingly demand risk analyses, protection measures, or a (random) collection of standards to be fulfilled by product manufacturers. From my experiences in the industrial context, this sometimes initiates communication between customers and manufacturers to find a compromise between the practical need for security and the associated costs, which can be a reasonable and fruitful discussion for both parties.

Governments, on the other hand, are increasingly concerned with developing national laws and signing international agreements pushing for basic security requirements that every product on the market should fulfill. In Europe, the Cybersecurity Act (CSA) of 2019 establishes a European cybersecurity certification framework for ICT products, services, and processes, and the Cyber Resilience Act (CRA) of 2024 regulates cybersecurity requirements for products with digital elements. The European Standard ETSI EN 303 645 already defines baseline security requirements, especially for consumer IoT products. In the U.S., President Biden’s Executive Order 14028 from May 2021 takes a similar line and aims to improve cybersecurity in IoT devices and software solutions. The National Institute of Standards and Technology (NIST) already provides recommended criteria for cybersecurity labeling of these products.

In parallel, consortia in various industries try to agree on common security standards in their fields. A prominent example is the International Electrotechnical Commission (IEC) 62443 series of standards, targeting ICS security and the Industrial IoT (IIoT). It combines security requirements for operators (asset owners), system integrators, and component manufacturers, which allows for a unified and interrelated security view of industrial systems.

This article is the introduction to Dominik Merli’s new book, Engineering Secure Devices: A Practical Guide for Embedded System Architects and Developers (No Starch Press), which explores the strategies that embedded systems architects and engineers, IoT developers, students, and others need to implement security features, test embedded systems, and understand the value of security features for IoT products. Through a series of case studies and design strategies, Merli’s book covers the foundations of a secure development life cycle and the use of cryptography, and details the basic physical and logical building blocks of embedded system security. Dr. Dominik Merli is a professor for IT security at the Augsburg Technical University of Applied Sciences and head of its Institute for Innovative Safety and Security.
