Security Risks on Embedded Systems?

In regards to security infrastructure; Information Security, CyberSecurity, and Network Security come to mind. “Cyber security is much more concerned with threats from outside the castle. Where network security is worried about what is going on within the castle walls, cyber security is watching who is trying to pass through the gate or breach the parapets.” states the article ‘What’s the Difference Between Network Security & Cyber Security?’  from https://www.ecpi.edu/blog/whats-difference-between-network-security-cyber-security. Digging deeper in specifying attacks we have Alternative Environments; one alternative environment in which this paper will discuss further is ‘Embedded Systems’.

What is embedded systems? From a high level, this expansive summary seems to work “Abstract—Embedded systems are the driving force for technological development in many domains such as automotive, healthcare, and industrial control in the emerging post-PC era. As more and more computational and networked devices are integrated into all aspects of our lives in a pervasive and “invisible” way, security becomes critical for the dependability of all smart or intelligent systems built upon these embedded systems.” as written in the article ‘2015 Thirteenth Annual Conference on Privacy, Security and Trust (PST)’ published at Budapest University of Technology and Economics, Hungary by Dorottya Papp; retrieved at http://www.cse.psu.edu/.

One particular embedded system threat example to discuss is, within the Air Force, embedded systems face significant cyber risks. “The Air Force relies heavily on embedded systems for tasks such as aircraft flight control, control surface actuation, radar or electronic warfare system operation, munitions interfaces and spacecraft system control, to name a few. The board noted that vulnerabilities to such systems can be introduced anywhere from the start of the supply chain through maintenance, as well as by direct attacks or through radio frequency signals, noting that these vulnerabilities exist despite the fact that embedded systems lack Internet connections.” exclaims Mark Pomerleau in the article titled ‘Study: Air Force embedded systems face significant cyber risks.’, from https://defensesystems.com/articles/2015/08/27/air-force-embedded-systems-cyber-threat.aspx

The Science Advisory Board offered 10 remedies for the Air Forces inherent risks in regards to their embedded systems; here are 6 of them  “1. Ensure software integrity by employing digital signatures/code signing, and require future systems to cryptographically verify all software/firmware as it is loaded onto embedded devices. 2. Mandate the inclusion of software assurance tools/processes and independent verification and validation using appropriate standards as part of future contracts for all USAF systems. Use best commercial code tools and languages. 2. Employ hardware/software isolation and randomization to reduce embedded cyber risk and improve software agility even for highly-integrated systems. 3. Improve and build USAF cyber skills and capabilities for embedded systems. 4. Adapt Air Force Life Cycle Management Center cyber-resiliency requirements process to embedded systems. 5. Protect design/development information. Implement security procedures sufficiently early that protection against exfiltration and exploitation is consistent with the eventual criticality of the fielded system. “ prescribed Mark Pomerleau in his same article regarding. Other methods to protect embedded systems include; Tamper protection, Creating a TPM, add extra signals from one MCU output port to an input port; as described in the article ‘How Hackers Will Attack Your Embedded System and What You Can Do About It’ by Warren Miller at http://electronics360.globalspec.com/.