Bench Talk

Decentralized Security for Embedded Systems

(Source: ArtemisDiana / stock.adobe.com)

It’s evident that networked embedded systems need robust security measures, but most embedded engineers are not security experts. To protect against a wide range of threats, they need guidance on the nature of these threats and a multi-layer defense strategy that stretches from securing hardware design to implementing encryption protocols.

This need has led to a decentralized security framework based on zero-trust principles and emphasizing the CIA triad—confidentiality, integrity, and availability.

Vulnerabilities in Edge Devices

In most cases, organizations lack a comprehensive understanding of the full scope of edge device deployments. The Internet of Things (IoT) places many devices beyond traditional security perimeters, where they are inherently vulnerable. Devices are often situated in remote locations, making effective management and security difficult, and IT departments typically have limited oversight of edge devices, so monitoring becomes a challenge.

Furthermore, embedded device design teams often have limited testing resources, so vulnerabilities may go unnoticed. This risk is particularly high for the many designs that rely on third-party libraries and frameworks. Flaws in these components tend to be well-known and frequently exploited, especially for open-source solutions.

Similarly, failure to keep firmware up to date can leave devices vulnerable to exploitation. There is a dilemma here as firmware often receives less attention than software—but at the same time, holes in firmware can become entry points for unauthorized access and malicious code execution.

Unfortunately, even the most updated systems can be easily compromised if authentication and authorization mechanisms are weak. Flaws like poor credential and session management can leave devices vulnerable to brute-force password guessing and session hijacking attacks. Similarly, poorly designed APIs can be easy entry points for denial-of-service (DoS) and other attacks.

Finally, limited computational resources on edge devices restrict the scope of potential defenses and make them vulnerable to overload attacks. This risk highlights the importance of ensuring that edge devices have adequate resources to handle spikes in demand and are resilient against resource exhaustion attacks.

To combat these threats, the CIA triad outlines three principles:

• Confidentiality of code and data. Encryption is fundamental to achieving this goal, but not all encryption techniques are suitable for embedded systems due to the resource constraints of edge devices. Hardware accelerators can alleviate this burden by supporting common cryptographic workloads such as the Advanced Encryption Standard (AES), a widely popular symmetric encryption algorithm, and RSA, an asymmetric encryption algorithm used in SSL/TLS certification.
  
  Trusted Platform Modules (TPMs) are invaluable to keep encryption keys secure. Among other functions, TPMs can securely store sensitive data like keys, passwords, and digital signatures within a hardware enclave that is extremely difficult to access or manipulate.

• Integrity data and operations. TPMs, for example, play a key role in ensuring data and operations remain unchanged and trustworthy by verifying the authenticity of firmware and software using digital signatures. This enables secure boot and guards against malware injections. Additionally, TPMs can be used to detect tampering by monitoring changes in hardware components, contributing to a more robust security posture.
  
  Additionally, an intrusion detection system (IDS) can help guard against the manipulation of data or functionality, but the demands of an IDS exceed the capabilities of a typical edge device. As a result, IDS is usually implemented at the network level.

• Availability for system uptime and functionality preservation. This encompasses measures like error correcting code (ECC) memory and watchdog timers that can help avoid catastrophic failures. Similarly, software mechanisms like exception handling and self-tests can also be used to detect and recover from errors.
  
  In some cases, it is necessary to employ redundant hardware so that any failures can be handled without interruption of operations. Software redundancy can provide similar capabilities, for instance, by duplicating software keys in multiple virtualized environments.

Of course, not all threats occur in the digital domain. The physical design of edge devices must also keep security in mind. In addition, backup systems and recovery plans should be in place for rapid restoration in case a system is compromised.

Comprehensive Strategies to Secure Edge Devices

Implementing measures that meet these goals requires carefully balancing security, resource limitations, and operational needs. Engineers can adopt proven security methodologies tailored for embedded systems to meet this challenge. These include:

1. Security by design: Security should be included in all stages of development, from system architecture to design details. Aspects to consider include regulatory and standards compliance, a secure product development lifecycle, and a defense-in-depth strategy.
    
2. Zero-trust architecture: At its core, this model assumes that the infrastructure is under constant threats, including within enterprise-owned systems. A robust solution includes three primary strategies—enhanced identity governance, logical micro-segmentation, and network-based segmentation.
    
3. Segmentation and isolation: The goal is to separate critical systems, making it difficult for attacks to move laterally within the network. Micro-segmentation restricts all network packets except those that are permitted. Containerization isolates applications and their dependencies, contributing to confidentiality and integrity by limiting access to sensitive information.

These approaches align well with the CIA triad design principles, providing engineers with effective tools to enhance the security of their edge devices. By adopting this framework, designers can minimize the risk to their systems and protect entire infrastructures from attack.