Embedded systems experts at the Barr Group have uncovered alarming information about the state of embedded systems design. The group’s recent study, 2017 Embedded Systems Safety & Security Survey, reveals that a significant percentage of embedded systems designers are failing to place emphasis on the security and safety of their designs.
A sizeable 28 percent of the 1,700+ qualified respondents indicated that the products they are designing are capable of causing injury or death in the event of a malfunction. Of these products, nearly half will always or sometimes be connected to the Internet. “What’s really disturbing is that there are now so many potentially dangerous products connected to the Internet,” Michael Barr, CTO of the Barr Group told Design News. “We also found that not enough of the designers of these Internet of Dangerous Things devices are paying proper attention to security.”
The Barr Group has conducted this study in previous years. Over time, the results have shown no improvement. Barr said he was surprised that the results haven’t changed. “This is our third year of doing the survey. The disturbing part is that the surprisingly bad news from the prior two years is getting repeated in this year’s results,” said Barr. “We asked identical questions. We didn’t find any trend that was significant. Unfortunately, the trend of malpractice among these respondents is potentially dangerous.”
The Path Toward Safer Systems
Barr, who will present a keynote talk on the topic of embedded safety and security at next month's Embedded Systems Conference in Boston, explained that the ability to improve safety and security is not a mystery to embedded systems engineers. In the Executive Survey that opened the printed results of the study, the Barr Group noted there is a large opportunity to easily improve the safety of embedded systems by more broadly using well-known software development best practices.
The study also pointed out that safety and security are not elevated in industries where poorly designed systems could potentially affect a high number of consumers. The results found that safety practices are not clearly better in the automotive industry than in the medical device industry, even though many more lives are at risk with automotive failures.
Barr, himself, is a recognized expert in embedded design for automotive. His testimony regarding software formed the backbone of a headline-grabbing Toyota unintended acceleration trial of 2013. Barr has also cautioned that when it comes to safety and autonomous vehicles, we need more informed oversight.
Best Practices Need to Be Heeded
One of the recommendation to come from the study is that broader use of software development best practices can provide an opportunity to better secure the vast numbers of internet-connected devices that are getting developed. Yet best practices don’t help if safety and security are not on the priority list of the designers. The study revealed that designers of a remarkably large number of potentially dangerous, connected embedded systems are ignoring security altogether.
Though it is widely known that connected products can be hacked, 22% of embedded systems engineers who work on connected safety-critical products said security was not even on their requirements list. “This is dangerously inadequate planning that puts all of us at greater risk,” said Barr.
The study conceded that the challenge of securing embedded systems and making sure they’re safe is not simple. The range of architectures and applications is large, so there will never be a one-size-fits-all solution to the problem of securing embedded systems.
As to why the results show such a wide security gap in embedded system, Barr noted several reasons. “It is certainly time, cost, and expertise,” said Barr. “Also related is that a person buying a pacemaker isn’t necessarily thinking about the wireless security in the communication between the device and the doctor. The consumers of the product don’t know how to evaluate the level of security.”
Michael Barr will deliver a keynote address at the Embedded Systems Conference in Boston May 3. The session, Embedded Systems Safety & Security: Dangerous Flaws in Safety-Critical Device Design, will expand on many of the issues described in this article. Register here for ESC Boston.
Rob Spiegel has covered automation and control for 17 years, 15 of them for Design News. Other topics he has covered include supply chain technology, alternative energy, and cyber security. For 10 years, he was owner and publisher of the food magazine Chile Pepper.
Images courtesy of the Barr Group