Embedded security - digital security is in the details

Computer systems installed in IoT devices, vehicles or machines, where they often perform essential tasks in terms of functionality and security, should be particularly secure - but are they? Embedded systems and the associated security challenges are not new. In the wake of new (EU) regulations, however, embedded security is once again moving more into the focus of security experts. Prof. Dr. Dominik Merli from Augsburg University of Applied Sciences spoke to the Cybersecurity Topic Platform about the current challenges in the field of embedded security.

What are embedded systems and why is their protection so important?

Embedded systems are special computer systems. Among other things, they are integrated into machines, vehicles and IT systems and perform specific functions. They are often very specialized and designed for a specific task. These include, for example, control systems in the automotive or manufacturing industries, medical devices or even classic network components.

This also shows why the security of an embedded system is so important. After all, they are often used in critical environments. If an embedded system is faulty or vulnerable, this can have serious consequences. The corresponding product no longer functions correctly and, in the worst case, can endanger human lives.

Embedded security is often discussed in connection with security-by-design. Ideally, then, security requirements are already taken into account during the development of the product. But can security also be "retrofitted"

Yes and no. Manufacturers who distribute security updates retrofit quasi regularly. However, if no provision for secure updates was made during development, retrofitting is also correspondingly difficult. In the case of embedded systems, it also plays a role that these products are usually subject to a certain cost pressure and are designed to fulfill only their specific purpose. If, for example, the possibility of a secure boot process was not taken into account in the original design and a correspondingly cheaper microcontroller was used, this security feature cannot be retrofitted later.

Fundamental points are set for the IT security of a product during development. Therefore, security-by-design is an extremely important principle. However, it must also be clear that a product can be affected by new security vulnerabilities at any time, which must then be promptly patched.

What are currently the biggest challenges in the topic of embedded security?

Many component manufacturers are currently faced with new security standards and regulations, such as IEC 62443 in automation technology, the Cyber Security and Cyber Resilience Acts at the EU level, or UN R155 in the automotive industry. More and more companies understand that this requires great effort and cannot be solved with a short penetration test.

The challenge is twofold. On the one hand, development processes must be designed securely, for example using Part 4-1 of IEC 62443. This ranges from threat and risk analyses to secure development environments and continuous vulnerability management. On the other hand, products must be technically upgraded to a higher level of security, for example with regard to a secure identity, secure communication, and built-in monitoring measures.

Who do you see as responsible for safer systems and ultimately safer products? First and foremost, the manufacturers themselves, or rather legislative bodies that prescribe regulations?

That is a difficult question. I think that legislators prescribe a basic level of security features is absolutely sensible. However, if cyber security is driven by legislation, manufacturers sometimes forget that security is not only necessary to comply with laws, but also to mitigate their own risks and those of their customers. I'm noticing more and more that customers are demanding more compliance, for example with IEC 62443, so they are playing an important role as drivers in terms of security at the moment. However, the coordination between customer and manufacturer in terms of necessary security measures and their price is often lengthy and very individual.

Pro-active investments in a secure development process and strong security features for products are unfortunately still too rare. I often hear that the competition is not yet doing anything in this direction, that customers would not pay anything for secure products or that simply no one in the company has time for these topics. In my opinion, it should be much more about strategic decisions on how the security of components should and must develop. In addition, protective measures can also make a positive contribution to differentiation on the market.

Example automotive: Here, with UNECE R 155, new regulations were recently issued to make vehicles safe over the complete product life cycle. In your view, do OEMs and suppliers still have some catching up to do in the area of embedded security?

By far, R155 is not only aimed at embedded security, i.e. the security of individual components in the vehicle, but also at a secure development process for these components, their secure production and the monitoring of secure operation.

These are very comprehensive requirements. Anyone who claims that they have no need to catch up is probably simply not yet aware of this. Medium-sized companies and suppliers in particular are facing major challenges in this regard. The serious shortage of skilled workers in the field of cyber security further exacerbates the situation.

***

Prof. Dr. Dominik Merli is Professor of IT Security at Augsburg University of Applied Sciences (THA). He also heads the Institute for Innovative Security (HSA_innos) at the THA. The institute helps organizations of all sizes make their systems, products and personnel resilient to digital threats so they can operate securely and sustainably successfully in a networked world.

Further information

• Website of the Institute HSA_innos
• @Dominik Merli on LinkedIn