Embedded systems and IoT security technical article

I wrote a technical article on embedded systems and IoT security to Uusiteknologia.fi magazine:

Designing modern electronics+ information security

With the latest smart electronics and embedded microprocessors, devices connected to the network can be implemented even better, but even better care must be taken of their data security and protections.

This Designing modern electronics article gives information for the information security protection of modern electronics. Embedded systems are prone to various information security risks, which in the worst case can cause serious consequences for both users and the environment.

That is why information security should be taken into account from the outset, from the design phase of the device or system to the maintenance phase and decommissioning at the end of the solution’s life cycle.

An insecure Internet of Things can pose a significant risk to the entire digital operating environment. And since the Internet is already ubiquitous, every IoT device is vulnerable to attack.

Although the goal should always be to achieve sustainable security, information security operations must be functional already when the product leaves the factory and must be maintained with software updates.

Designers of embedded systems must adopt a security-first approach to ensure that the systems they design are protected from security risks. Therefore, network security, software security and physical security are important in IoT devices.

This article has provided a basic understanding of information security in embedded systems and provides a guide for designers to create reliable and secure systems that are safe for both users and the environment.

Here you can my article in Finnish:

Nykyelektroniikan suunnittelukoulu Plus, osa 5: Sulautettujen ja IoT-ratkaisujen tietoturva
https://www.uusiteknologia.fi/2023/11/08/nykyelektroniikan-suunnittelukoulu-plus-osa-5-sulautettujen-ja-iotn-tietoturva/

If you want to get idea of the article content in English, try Google translation of the article.

32 Comments

  1. Tomi Engdahl says:

    Onko älylaitteiden tietoturva kunnossa? “Sähkökatkokin voi olla kyberturvauhka”
    https://www.kotitalolehti.fi/alylaitteiden-tietoturva/

    Reply
  2. Tomi Engdahl says:

    The next step is to secure your edge devices, which are often the most vulnerable and exposed to cyber attacks. You need to apply the principle of least privilege, which means granting only the minimum access and permissions necessary for each device to perform its function. You also need to encrypt your data at rest and in transit, using strong and updated algorithms and protocols. Additionally, you need to implement authentication and authorization mechanisms, such as passwords, certificates, or tokens, to verify the identity and legitimacy of your devices.

    Reply
  3. Tomi Engdahl says:

    You need to align your policies with your business objectives, regulatory requirements, and industry standards, such as the NIST Cybersecurity Framework, the ISO/IEC 27000 series, or the Cloud Security Alliance Edge Computing Security Framework. You also need to communicate and enforce your policies across your organization, and review and revise them regularly to reflect any changes or improvements.

    Reply
  4. Tomi Engdahl says:

    Mikä radiolaitedirektiivi? Täältä näet päivitetyt tiedot
    https://etn.fi/index.php/13-news/15511-mikae-radiolaitedirektiivi-taeaeltae-naeet-paeivitetyt-tiedot

    Elokuussa 2025 tulee EU:n alueella voimaan uusi radiolaitteita koskeva kyberturvadirektiivi.

    Tuleva radiolaitedirektiivi tarkoittaa käytännössä, että kaikki EU:n alueella myyntiin elokuun 1 päivän jälkeen vuonna 2025 tulevat langattomat IoT-laitteet täytyy suunnitella ja hyväksyttää uudelleen.

    Nykytilanne muuttuu siis 1.8.2025. Sen jälkeen vanhaa, markkinoille aiemmin tuotua laitetta ei voi enää myydä. Kun laite tuodaan saataville EU:n markkinoilla, sen pitää vastata nyt draftivaiheessa olevan RED-direktiivin vaatimuksiin.

    Vaatimukset määräävät, että radiolaite ei saa vahingoittaa verkkoa väärinkäyttämällä veron resursseja, mikä johtaisi verkon palvelutason alenemiseen. Radiolaitteessa pitää toteuttaa turvamekanismit, jotta laitteen käyttäjän henkilökohtainen data ja käyttäjän yksityisyys eivät vaarannu. Lisäksi laitteen pitää tukea ominaisuuksia, jotka estävät sen käytön petoksissa.

    Etteplanin kyberturva-asiantuntija Antti Tolvanen kertoo seikkaperäisesti esityksessään sekä RED-direktiivistä, että muista EU:n kyberturvahankkeista. Esitys löytyy täältä.

    EU ei luonnollisesti ole hakemassa vanhoja langattomia IoT-laitteita kenenkään kotoa, mutta itse asiassa sekin olisi mahdollista. Direktiivin 7. artikla nimittäin sanoo, että mikäli laite asettaa verkon riskin alaiseksi eikä vastaa direktiivin vaatimuksia, kansallinen viranomainen voisi estää niiden käytön.

    Webinar: Cyber Security Regulations Update 2023
    https://www.youtube.com/watch?v=JgoVLsvDj9E

    Reply
  5. Tomi Engdahl says:

    The Connectivity Standards Alliance has announced the release of the Internet of Things Device Security Specification 1.0 — with a Product Security Verified Mark for IoT devices passing its requirements.

    The CSA’s IoT Device Security Specification Promises Better Security, More Transparency
    New specification and product mark look to restore consumer confidence in the security of IoT products and services worldwide.

    https://www.hackster.io/news/the-csa-s-iot-device-security-specification-promises-better-security-more-transparency-42c5b3a6bfd9?fbclid=IwAR3GkElK8HwDrhOGkSeDCGY-gVXbGqkM1AZ4Sbc_iBmUcQgohFuGmo9gJ8g

    Reply
  6. Tomi Engdahl says:

    SPDL (Secure Product Development Lifecycle) comes into play. SPDL is a comprehensive framework that provides guidance and structure for developing and maintaining secure products. According to the widely adopted IEC 62443-4-1 standard, it consists of eight essential practices that cover every stage of the product lifecycle.
    https://www.etteplan.com/about-us/insights/secure-product-development-lifecycle-essential-tool-for-product-development/

    Reply
  7. Tomi Engdahl says:

    When manufacturing IoT devices with embedded systems, it’s helpful to consider broader IoT security standards, like EN 303 645 and IEC 62443-4-2, as well as the NIST Cybersecurity for IoT Program, NISTIR 8259A: Core Device Cybersecurity Capability Baseline. Additionally, for those products intended for European customers, manufacturers must show proof that their products meet the EU’s regulations, such as the General Data Protection Regulation (GDPR) and the EU Cybersecurity Act, in addition to Radio Equipment Directive (RED), regulations for medical devices (MDR), and in vitro diagnostic medical devices (IVDR) and NIS2 Directive, depending on the use case.

    https://www.thefastmode.com/expert-opinion/33730-vulnerabilities-in-embedded-systems-and-the-evolving-cybersecurity-regulations-landscape

    Reply
  8. Tomi Engdahl says:

    IEC 62443-4-2 standardin hyödyt ja haasteet yritykselle : systemaattinen kirjallisuuskatsaus
    https://jyx.jyu.fi/handle/123456789/92255

    Reply
  9. Tomi Engdahl says:

    Toimialat, joita direktiivi koskee
    Direktiivi koskee automaattisesti kaikkia keskisuuria (50+ henkilöä ja yli 10 milj. liikevaihto) ja suuria yrityksiä, jotka toimivat kriittisillä toimialoilla. Direktiivi koskee myös kaikkia kansallisesti kriittiseksi toimijoiksi määriteltyjä koosta riippumatta

    https://www.loihdetrust.com/nis2-direktiivi/

    Reply
  10. Tomi Engdahl says:

    IoT Security
    MITRE EMB3D Threat Model Officially Released
    https://www.securityweek.com/mitre-emb3d-threat-model-officially-released/

    MITRE announced the public availability of the EMB3D threat model for embedded devices used in critical infrastructure.

    MITRE, the non-profit technology and R&D company, on Monday announced the public availability of its EMB3D threat model for embedded devices used in critical infrastructure and other industries.

    EMB3D was developed by MITRE in collaboration with cybersecurity and industrial sector partners such as Red Balloon Security, Narf Industries, and Niyo ‘Little Thunder’ Pearson of ONE Gas.

    Unveiled in December 2023, the framework provides a knowledge base of cyber threats to embedded devices used in the critical infrastructure, IoT, healthcare, automotive, and manufacturing sectors.

    The resource is recommended for vendors, asset owners and operators, testing organizations and cybersecurity researchers.

    The MITRE EMB3D™ Threat Model
    https://emb3d.mitre.org/

    The EMB3D Threat Model provides a cultivated knowledge base of cyber threats to embedded devices, providing a common understanding of these threats with security mechanisms to mitigate them.

    This initial release of EMB3D includes the Device Properties and Threats enumerations. The full set of Mitigations will be available in the Summer 2024 update.

    What is EMB3D™
    EMB3D is a threat model for embedded devices found in industries such as critical infrastructure, Internet of Things, automotive, healthcare, manufacturing, and many more. The threat model is intended to be a resource to help vendors, asset owners/operators, test organizations, and security researchers to improve the overall security of embedded devices’ hardware and software. This threat model aims to serve as a central repository of information, defining known threats to embedded devices and their unique device features/properties that enable specific threat actions. By mapping the threats to the associated device features/properties, the the user can easily enumerate threat exposure based on the known device features.

    Reply
  11. Tomi Engdahl says:

    ECF24 presentation by Antti Tolvanen, Etteplan – Maria01 – September 26, 2024, Helsinki
    https://www.youtube.com/watch?v=42MhkCv_TUc

    NIS2, RED, CRA, AI Act and Data Act –
    How will EU regulatory changes affect design and maintenance of embedded products

    Reply

Leave a Comment

Your email address will not be published. Required fields are marked *

*

*