Device manufacturers face a landscape pitted with landmines as they develop and maintain products that can stand up to today’s security threats. They have to try to future-proof their products against unexpected attacks if at all possible. Security solutions have to be developed, implemented, and sustained in the production of the device and thereafter. Facing these threats involves implementation techniques, over-the-air updates, secure provisioning, tamper detection, and access control.
Joe Pilozzi, technical marketing manager at STMicroelectronics, will look at the wide range of issues that surround embedded device security at the ESC Conference in San Jose on Wednesday, Dec. 7 in the session, Embedded Security Considerations. Pilozzi will look at the current and emerging threats and explain how companies can meet these threats in both new and existing devices.
In order to meet security threats, it helps to realize what motivates the attackers. Today’s hackers are well-financed because they know their attacks can be very profitable. “We have to understand who might attack and for what reasons. There is a large amount of money to be made from copying a device. That can pay for significant resources to attack it,” Pilozzi told Design News. “An attacker can make money by selling your stock short when you discover and publicize a flaw in your product. If they make it fail, it can potentially lead to your customers getting physically or financially damaged.”
Securing the Internet of Things. Today's IoT devices are under increasing attack. Device manufacturers and embedded software designers must be vigilant if they are to provide a secure system for applications to do their work. Learn more about securing IoT devices and applications in the Connected Devices track at ESC Silicon Valley, Dec. 6-8, 2016 in San Jose, Calif. The event is hosted by Design News’ parent company, UBM.
To some extent, security measures have to be weighed against the potential damage an attack can do to the product manufacturer. “We have to understand the direct and indirect costs of the attacks and then decide which must be blocked, which can be managed, and which can be accepted. The costs to deploy the required countermeasures must be justified in terms of ROI,” said Pilozzi. “Said in an overly dramatized way: how many dollars per unit is it worth to my business to prevent a security compromise from harming or killing a customer?”
Is an Attack Already Underway?
Part of the struggle to avoid threats is the ability to determine if an attack is already occurring. Detecting an existing attack is the new black in cybersecurity. “Tamper detection and prevention can be implemented in a device, a product, or an IC/processor. Many embedded controllers include tamper detection and prevention capabilities that can be used to detect or prevent tampering,” said Pilozzi. “For example, the I/O of products can be configured to trigger interrupts upon detecting changes that can be acted upon to protect or control critical resources and actions.”
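The interrupt-driven tamper response described above can be sketched in portable C. This is an added example, not code from the article or from STMicroelectronics; `tamper_isr`, `use_key`, the key bytes, and the XOR placeholder operation are all hypothetical, and a real product would attach the handler to its own tamper input and protect a real key store.

```c
#include <stddef.h>
#include <stdint.h>

#define KEY_LEN 16

/* Constructed sample key; a real device would hold this in protected memory. */
static uint8_t device_key[KEY_LEN] = {
    0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
    0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f };

/* Latched by the handler; volatile because it is shared with interrupt context. */
static volatile int tamper_latched = 0;

/* Wipe through a volatile pointer so the compiler cannot drop the stores. */
static void secure_zero(void *buf, size_t len)
{
    volatile uint8_t *p = (volatile uint8_t *)buf;
    while (len--)
        *p++ = 0;
}

/* Hypothetical handler the platform would bind to the tamper input's
   edge interrupt. Latch first, then destroy the secret. */
void tamper_isr(void)
{
    tamper_latched = 1;
    secure_zero(device_key, sizeof device_key);
}

/* Gate for any operation that needs the key. Returns 0 on success, or -1
   once a tamper event has been latched (out is then left untouched). */
int use_key(uint8_t out[KEY_LEN], const uint8_t in[KEY_LEN])
{
    if (tamper_latched)
        return -1;
    for (size_t i = 0; i < KEY_LEN; i++)
        out[i] = in[i] ^ device_key[i]; /* placeholder operation, not a cipher */
    return 0;
}

/* Diagnostic helper: returns 1 if every key byte has been cleared. */
int key_is_wiped(void)
{
    uint8_t acc = 0;
    for (size_t i = 0; i < KEY_LEN; i++)
        acc |= device_key[i];
    return acc == 0;
}
```

The latch is never cleared in this sketch, so the device stays locked until it is re-provisioned through a separate, authenticated path.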
To a large extent, cybersecurity comes down to protecting yourself against the latest attack in the news. “The sad consequences suffered by those who are first attacked prepare the rest of us. We can learn and then change our software,” said Pilozzi.
The security fix involved in preventing an attack depends on the nature of the device that’s attacked. Expensive products can be fixed; cheap products can be ditched. “PCs and smartphones can be upgraded or patched depending on their flexibility,” said Pilozzi. “Low-cost devices usually can’t learn or can’t be modified to manage a threat that was previously unknown. The best we can do is make use of that knowledge and address those threats before the next release.”
Rob Spiegel has covered automation and control for 17 years, 15 of them for Design News. Other topics he has covered include supply chain technology, alternative energy, and cyber security. For 10 years he was owner and publisher of the food magazine Chile Pepper.