
Securing embedded edge devices

by Jack Lloyd
May 28, 2025
in Electrical, Features, Industry 4.0, Internet of Things (IoT)

Implementing embedded edge security through confidentiality, integrity, and availability.

The rapid expansion of the Internet of Things (IoT) has dramatically increased the attack surface of many sectors, including manufacturing, transportation, healthcare, and energy. Compared to the recent past, there are far more systems at the network edge, and these systems are often positioned outside conventional security perimeters. All this makes such devices inherently vulnerable to cyber threats.

This new threat landscape has given increasing importance to the confidentiality, integrity, and availability (CIA) triad—a security framework grounded in zero-trust principles, security by design, and threat intelligence and monitoring. This article discusses a decentralized security framework based on these principles. But first, it is worth surveying the threats facing embedded and IoT edge devices.

Types of threats for IoT and embedded edge devices

Embedded edge devices often operate at the boundary between the local network and the wider internet and play a critical role in initial data processing and last-mile connectivity. Due to their operational interfaces and the workloads they execute, these devices face unique security challenges, such as the following:

  • Limited integration: The variety and scale of embedded edge devices can make it challenging to incorporate them into existing security systems, leading to gaps in protection.
  • Firmware vulnerabilities: Despite being a vital part of any computing system, the security of firmware is often overlooked. Unpatched security flaws and insecure update mechanisms can be exploited to gain unauthorized access, escalate privileges, and execute malicious code.
  • Third-party component vulnerabilities: IoT infrastructure often relies on libraries and frameworks, and attackers can exploit vulnerabilities in these components if they are not kept up to date. This can be particularly problematic for open-source solutions because vulnerabilities in these solutions tend to be well-known and frequently exploited.
  • Vulnerable APIs: These can be entry points for SQL injection and distributed denial-of-service (DDoS) attacks, which is particularly challenging for devices that connect to cloud services.
  • Poor testing: In low-volume markets, allocating testing resources can be challenging, leading to unidentified weaknesses.

Three objectives: Confidentiality, integrity, and availability

Designing security for embedded systems presents a complex challenge, which is compounded by the inherent constraints of these types of devices, such as limitations on size, weight, and power (SWaP). To address these challenges effectively, the industry has adopted a secure development methodology for embedded systems: the CIA triad.

Confidentiality, integrity, and availability are essential policy guidelines for safeguarding embedded systems and their information assets from unauthorized access, modification, and disruption. Let’s consider the implications of each element of the CIA triad.

Confidentiality

Sensitive information within embedded systems, such as proprietary application code and critical surveillance data, must be safeguarded from unauthorized disclosure. Encryption is fundamental to achieving this goal, but not all encryption techniques suit embedded systems.

Embedded edge devices are typically resource-constrained, so encryption should not overly burden the system. Often, this means relying on hardware accelerators that offload cryptographic workloads from a host processor, which makes it paramount to understand the cryptographic algorithms that a given accelerator supports. Commonly supported cryptographic engines on integrated or discrete hardware accelerators include the Advanced Encryption Standard (AES) symmetric encryption algorithm and the Rivest-Shamir-Adleman (RSA) asymmetric encryption algorithm used in SSL/TLS certificates.

Of course, encryption is only useful as long as cryptographic keys remain secret. One way to protect cryptographic keys and overall system integrity is through Trusted Platform Modules (TPMs), which provide hardware-based security functions. TPMs securely store sensitive data like keys, passwords, and digital signatures. They play a crucial role in secure boot by verifying the authenticity of code using digital signatures during boot-up, preventing unauthorized modifications, and blocking malware injections. Additionally, some TPMs can detect hardware tampering by monitoring changes in various hardware components, contributing to a more robust security posture.

Integrity

To be secure, a system’s operation must remain unaltered by malicious actors. TPMs again play a significant role by protecting devices from being commandeered by bad actors.

However, intrusion detection systems (IDSs) can also help verify that data remains unchanged and trustworthy. The challenge is to build IDSs that fit within the memory capacity of embedded devices. To get around this limitation, administrators often prefer to implement a network-based solution that monitors traffic for suspicious activity across many devices.

Remember that edge systems are often deployed in locations with limited physical security. For such systems, the mechanical design of the device must be sufficiently robust to preclude easy access to internal components, which means performing tasks such as disabling or destroying debug ports and pins during the manufacturing process.

Availability

An edge system’s mission-critical objectives must not be compromised. This involves guaranteeing that authorized individuals can access the system and its resources as needed. For embedded systems, much of this comes down to fault tolerance and redundancy.

The main goal of fault tolerance is to ensure the continued operation of a system, even if some components fail. This can be done through hardware such as error-correcting code (ECC) memory, which automatically compensates for single-bit errors. Another option is watchdog timers that reset the system if it becomes unresponsive. Software mechanisms like exception handling and self-tests can also be used to detect and recover from errors.
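The watchdog behaviour described above can be shown in a small simulation. This is an added example, not code from the original article: the task count, timeout and function names are hypothetical, and the hardware down-counter is modelled in software. The point it makes is that the timer should be reloaded only after every supervised task has reported in, so that one hung task still leads to a reset.

```c
/* Added example: simulated task-supervising watchdog (all names hypothetical). */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define NUM_TASKS      3u
#define WDT_TIMEOUT    4u   /* ticks without a kick before the device resets */
#define ALL_CHECKED_IN ((1u << NUM_TASKS) - 1u)

typedef struct {
    uint32_t countdown;   /* stands in for the hardware down-counter */
    uint32_t checkins;    /* bit i is set once task i has reported healthy */
} wdt_t;

/* Called by a task only after it has completed a full work cycle. */
static void wdt_checkin(wdt_t *w, unsigned task_id) {
    if (task_id < NUM_TASKS)
        w->checkins |= 1u << task_id;
}

/* Supervisor: reload the timer only when every task has checked in.
 * Reloading unconditionally (for example from a timer interrupt) would
 * keep a device with one hung task alive indefinitely. */
static bool wdt_service(wdt_t *w) {
    if (w->checkins != ALL_CHECKED_IN)
        return false;
    w->countdown = WDT_TIMEOUT;
    w->checkins = 0;
    return true;
}

/* One timer tick; returns true when the counter expired (device resets). */
static bool wdt_tick(wdt_t *w) {
    if (--w->countdown > 0)
        return false;
    w->countdown = WDT_TIMEOUT;   /* firmware restarts from a clean state */
    w->checkins = 0;
    return true;
}

/* Run `ticks` ticks; task `hung_task` stops checking in from tick `hang_at`.
 * Returns the tick of the first watchdog reset, or -1 if none occurred. */
static int simulate(unsigned ticks, unsigned hung_task, unsigned hang_at) {
    wdt_t w = { WDT_TIMEOUT, 0 };
    for (unsigned t = 0; t < ticks; t++) {
        for (unsigned id = 0; id < NUM_TASKS; id++)
            if (!(id == hung_task && t >= hang_at))
                wdt_checkin(&w, id);
        wdt_service(&w);
        if (wdt_tick(&w))
            return (int)t;
    }
    return -1;
}

int main(void) {
    printf("healthy: %d\n", simulate(20, NUM_TASKS, 0));     /* no reset */
    printf("task 1 hangs at tick 5: %d\n", simulate(20, 1, 5));
    return 0;
}
```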

In many cases, fault tolerance is best accomplished through redundancy. Critical systems often incorporate duplicates of core components like processors, memory, and power supplies. Redundancy can also be achieved in software, for example, by running multiple instances of the same operating system or software stack in separate virtualized environments.

Regardless of the techniques applied, no system is truly invulnerable. Thus, it is wise to implement backup systems and recovery plans to quickly restore functionality in the event of a compromise.

Challenges of Implementing CIA Principles

Several challenges need to be addressed while implementing the CIA principles. A comprehensive approach is required, one that considers the following factors:

  • Limited connectivity: Identifying and responding to security incidents is difficult when connections are slow or unreliable. Furthermore, latency and bandwidth limitations can slow software and firmware updates.
  • Large horizontal landscape: Traditional perimeter-based security (like firewalls) doesn’t translate well to the edge. Devices may operate in remote locations with limited connectivity, hindering centralized management, monitoring, and incident response. Instead, edge devices often rely heavily on local security measures, which may not be as robust and up-to-date as those managed centrally. Plus, the number of devices and networks involved makes it difficult to ensure that every potential entry point is secure.
  • IT/OT convergence: Operational technology (OT) systems, traditionally isolated for safety, are merging with IT networks. This introduces new vulnerabilities at the intersection, and the issues go beyond technical matters:
    • OT and IT often have different security priorities and practices, necessitating collaboration and harmonization of the two approaches.
    • OT and IT organizations often have different cultures, and it should not be assumed that the groups will understand each other.
    • Successful collaboration may require cross-disciplinary training and the formation of teams that understand both perspectives.

Addressing these challenges with specific, targeted strategies is crucial for improving the security of embedded systems and edge devices. By doing so, organizations can ensure the confidentiality, integrity, and availability of their data and services against the backdrop of an evolving cybersecurity landscape.

Tips for securing embedded systems

Despite the challenges associated with implementing CIA strategies, specific design methodologies, such as the following, can enhance the triad by ensuring that security is integrated directly into the system architecture.

  • Security by design: This proactive and comprehensive strategy prioritizes device and information security throughout all stages of development, from system architecture to detailed design. Aspects include regulatory and standards compliance, a secure product development lifecycle, and a defense-in-depth strategy.
  • Zero-trust architecture: At its core, this model assumes constant threats within the environment, including within enterprise-owned systems. A robust solution typically includes three primary strategies: enhanced identity governance, logical micro-segmentation, and network-based segmentation.
  • Robust encryption and data privacy: These measures involve encryption of communication channels, implementing secure storage solutions, and utilizing safe data transfer protocols. Additionally, firmware over-the-air (FOTA) upgrades enable remote updating to address security weaknesses.
  • Segmentation and isolation: Separating critical systems makes it difficult for attacks to move laterally within a network of connected edge devices. Micro-segmentation can be used to separate workloads, enabling the development of more granular and flexible policies tailored to meet specific security needs. This approach restricts all network packets except those that are permitted. Furthermore, containerization is crucial in isolating applications and their dependencies, contributing to confidentiality and integrity by limiting access to sensitive information.
  • Threat intelligence: After deployment, continuous monitoring and orchestration of the entire edge infrastructure is key for security. System activity should be monitored for unusual activity, and responses should be prepared for an ever-evolving vulnerability landscape.
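For the segmentation and isolation item above, a default-deny policy can be audited for how far a compromised segment could spread by chaining permitted flows. The following is an added example, not code from the original article: the segment names and both rule sets are constructed, and a rule is assumed to mean that the source segment may open connections to the destination.

```c
/* Added example: auditing lateral reach under default-deny segmentation.
 * Segment names and both rule sets are constructed for illustration. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum { SENSOR, CAMERA, GATEWAY, CONTROLLER, HISTORIAN, NUM_SEG };
#define BIT(s) (1u << (s))

typedef struct { uint8_t src, dst; } rule_t;   /* src may open flows to dst */

/* Allow-lists: any segment pair not listed is dropped (default deny). */
static const rule_t TIGHT[] = {
    { SENSOR,     GATEWAY   },   /* telemetry upload */
    { CAMERA,     GATEWAY   },   /* video metadata upload */
    { GATEWAY,    HISTORIAN },   /* aggregated data to storage */
    { CONTROLLER, HISTORIAN },   /* process values to storage */
};
static const rule_t LOOSE[] = {  /* same, plus one convenience rule */
    { SENSOR,     GATEWAY    },
    { CAMERA,     GATEWAY    },
    { GATEWAY,    HISTORIAN  },
    { CONTROLLER, HISTORIAN  },
    { HISTORIAN,  CONTROLLER },  /* "temporary" set-point push */
};
#define LEN(a) (sizeof (a) / sizeof (a)[0])

static int permitted(const rule_t *r, size_t n, unsigned src, unsigned dst) {
    for (size_t i = 0; i < n; i++)
        if (r[i].src == src && r[i].dst == dst)
            return 1;
    return 0;
}

/* Bitmask of segments reachable from `start` by chaining permitted flows:
 * how far a compromise of `start` could spread hop by hop. */
static uint32_t lateral_reach(const rule_t *r, size_t n, unsigned start) {
    uint32_t seen = BIT(start);
    for (int grew = 1; grew; ) {
        grew = 0;
        for (unsigned s = 0; s < NUM_SEG; s++) {
            if (!(seen & BIT(s)))
                continue;
            for (unsigned d = 0; d < NUM_SEG; d++)
                if (!(seen & BIT(d)) && permitted(r, n, s, d)) {
                    seen |= BIT(d);
                    grew = 1;
                }
        }
    }
    return seen & ~BIT(start);
}

int main(void) {
    printf("tight: 0x%02x\n", (unsigned)lateral_reach(TIGHT, LEN(TIGHT), SENSOR));
    printf("loose: 0x%02x\n", (unsigned)lateral_reach(LOOSE, LEN(LOOSE), SENSOR));
    return 0;
}
```

Under the tight policy a compromised sensor reaches only the gateway and the historian; the single extra rule in the loose policy puts the controller within reach through the historian, even though no rule connects sensors to controllers directly.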

All these security approaches are related to the CIA triad, each contributing to the principles of confidentiality, integrity, and availability in different ways.

Beyond the CIA triad

Integrating these features from the design stage and building on top of that CIA foundation make it possible to securely manage thousands of deployed devices through cloud-based and edge-native software solutions.

Depending on the target industry, overcoming the challenges associated with CIA strategies requires adherence to industry standards, compliance requirements, legislation, and regulation. Investigating these at the beginning of your system design is critical to ensuring streamlined development and certification, not to mention maintaining a robust device security posture once units are deployed in the field.

Of course, cybersecurity is not a static field. Adopting various security approaches throughout the development lifecycle of embedded hardware and post-deployment orchestration facilitates the protection of the entire infrastructure. Ultimately, this security hygiene can ensure the seamless operation of far-edge applications for years or decades.

By Brandon Lewis for Mouser Electronics.

Manufacturers’ Monthly is a business-to-business magazine and a valuable reference tool for all members of the manufacturing industry. The magazine is highly targeted and is read by key decision-makers who purchase and specify manufacturing equipment and services. It is also widely read by suppliers to the manufacturing industry.

© 2026 All Rights Reserved. All content published on this site is the property of Prime Creative Media. Unauthorised reproduction is prohibited
