Designing with Embedded Security in Mind: Starting Early and at the Edge
Proactive steps before devices are deployed create a long-term security advantage.
As edge node devices collect and share data vital to connected embedded applications, it’s essential to proactively incorporate security features—hardening the design and enabling secure ongoing monitoring and management even before device deployment. Planning and partner insight support this early advantage, establishing long-term security benefits. By focusing on security at the edge, OEMs protect application data at the device level, reduce total cost of ownership and reduce risk as threats continue to evolve in connected, data-critical applications.
Cyber-attacks can target any component within a system; devices don’t necessarily need to be connected to the Internet or part of a Cloud solution to be vulnerable to security issues or threats. For OEMs, this demands greater awareness of how to protect devices and application data at the device level, as well as a readiness to evolve and think creatively about security design. Being protected at the edge node not only enables secure ongoing management, but also ensures effective integration with other components, network infrastructure and secure Cloud solutions.
Medical devices illustrate the challenge. Data gathered and used by edge node devices is improving patient care and streamlining healthcare organizations, but also creating new security risks. Increased connectivity between hospitals, clinics, physicians’ offices, contractors, suppliers, university networks and other external parties—coupled with an increasing number of connected devices—expands the potential size and scope of a data breach. This pushes the security perimeter beyond internal networks to an array of vulnerable external endpoints. Avoiding cyber-attacks in this type of extended network of connected devices requires a more robust, holistic security strategy, with system developers and OEMs minimizing vulnerabilities through proactive steps that focus on the edge node. Specific market requirements will vary and add complexity; for example, medical OEMs must adhere to FDA and HIPAA requirements that call for solutions beyond traditional security measures such as firewalls, antivirus tools and intrusion detection systems.
Security Enhancements to Hardware
Adoption of commercial operating systems (OS) in embedded devices has necessitated hardware and software innovations to counter the added risk. From a hardware perspective, today’s processors introduce more cores than were available in the past and integrate advanced security features that add tangible value for connected embedded devices. Key features include hardware-accelerated encryption that is faster than traditional cryptographic processing and reduces the attack surface. By blending hardware- and software-based security hardening, OEMs can ensure a secure design without compromising performance. For example, in the 6th Generation Intel® Core™ processor family, the firmware’s trusted platform module has been enhanced to safeguard credential storage and key management, and to help defend the platform against low-level denial of service attacks. Integrated features keep memory protected from buffer-overflow attacks and enable machines to be securely booted or restored to a previously known good state. Close integration between the processor and McAfee® Embedded Controls further builds in lightweight embedded antivirus technology, adding resilience against malware and other attacks.
The advantages of integration are numerous. OEMs often miss the opportunity to fully capitalize on the value of processor advancements due to the complexity introduced into the design, requiring additional expertise, resources and development time. Security expertise is essential to guide development at this stage and can be handled with partnerships, adding as much or as little insight as the OEM wants. Trusted design consulting can steer the process to any degree, ranging from minimizing the attack surface to optimizing performance, validating devices, handling setup of embedded controls and establishing secure connectivity. This critical consideration ensures the best use of resources, building in threat mitigation, stronger control of applications, and secure access early in the design phase.
Tailor a Lean Software Stack
OEMs may choose to leave unnecessary standard components in the OS, thinking that an application might eventually need them. Because every additional component increases the attack surface, however, software that is not essential to the embedded application should be removed. For example, if the OS image contains a version of Microsoft Windows, there are likely applications that could and should be stripped out as a matter of policy. These include relatively benign components such as games, and more exposed applications such as Outlook and Internet Explorer.
This policy becomes important not just in terms of security, but also from a performance perspective. Removing traditional or commercial computing applications ensures the device is used within its intended scope of performance and restricts users accordingly. In evaluating this design approach, OEMs should acknowledge that exposure to vulnerabilities is not solely limited to Internet-based applications. In real-world applications, anything that connects to the device (such as a USB storage stick) or wirelessly connects to the device (e.g., a Bluetooth-enabled keyboard) can affect security and performance.
Stay Prepared with a Current, Ready-to-Validate Software Stack
Software defects and vulnerabilities will arise over time. The risk is greatest with off-the-shelf software, as its widespread use increases the likelihood that knowledge of its vulnerabilities is shared among cyber-criminals. To protect systems from new or evolving threats, manufacturers must maintain the most current patches for the OS and other components in the master stack. A current, ready-to-validate version of a device’s software stack should be available for testing at all times, ensuring patches can be quickly developed, tested and issued, especially in the event of a recall. When patches are validated and ready to deploy, they must be issued promptly—a departure from historical practices, which may have relied on annual updates. Security problems due to software vulnerabilities can then be prevented before they are exploited, protecting data as the priority and minimizing costly system downtime.
Periodic patching combats the risk; however, the process demands well-planned, effective software stack management practices. Ideally, the OS image is created as a baseline—with specific features and security patches identified as the initial standard of deployment. When applied to supporting devices, all applicable devices effectively have the same secure, up-to-date components. Effective image management also assures that the image and its associated controls help the manufacturer comply with industry standards and regulations, including patching. When a new application, system or feature rolls out, it builds upon the baseline as a means of assuring consistency, security and compliance in edge devices. This approach creates a high level of efficiency with smaller files that can be distributed remotely, and minimizes vulnerabilities because an entirely new image is not released.
When software stack maintenance is not designed for efficiency and consistency, devices are exposed to increased risk. There is potential for one device to have different features and security patches than another device in another location. Remote management may not be feasible, causing manufacturers to devote resources to a sort of field triage to determine which OS image was deployed where and how it can be effectively patched. Systems remain at risk longer, and costs can increase, as building a new image requires more time and development resources than updating an existing, well-managed image.
Remote monitoring and management not only makes software stack maintenance easier, but also can collect valuable security-related data. This could include events indicating unauthorized configuration changes or other abnormal behavior on the device itself, pointing to possible tampering or vulnerability. Beyond individual events and triggers, analytics run on the collected data can establish normal usage patterns, so that anomalies against those patterns reveal security issues.
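The policy check described above, as an added example that is not part of the original article or any Dedicated Computing product: it reviews constructed device telemetry and flags configuration changes made by an unauthorized principal or outside an assumed maintenance window (the event format, the `svc_update` principal and the 02:00-04:00 UTC window are assumptions).

```python
"""Flag unauthorized configuration changes in device telemetry.

Added illustration, not Dedicated Computing code. Assumptions: each device
reports one event per line as 'timestamp device event key=value ...';
authorized changes come only from the 'svc_update' principal inside the
02:00-04:00 UTC maintenance window. The log lines below are constructed.
"""
from datetime import datetime

AUTHORIZED_PRINCIPALS = {"svc_update"}
WINDOW_START, WINDOW_END = 2, 4            # maintenance window, UTC hours
CHANGE_EVENTS = {"config.change", "pkg.install", "service.enable"}

SAMPLE_LOG = """\
2024-03-02T02:14:07Z dev-017 config.change user=svc_update key=agent.server_url
2024-03-02T02:15:31Z dev-017 pkg.install user=svc_update pkg=agent-2.4.1
2024-03-02T11:02:45Z dev-017 config.change user=local_tech key=firewall.enabled value=false
2024-03-02T11:03:10Z dev-021 service.enable user=svc_update svc=telnet
2024-03-02T11:05:00Z dev-021 heartbeat uptime=86400
"""

def parse_event(line):
    """Split one telemetry line into a dict of its fixed and key=value fields."""
    ts, device, event, *rest = line.split()
    fields = dict(kv.split("=", 1) for kv in rest)
    fields.update(ts=datetime.fromisoformat(ts.replace("Z", "+00:00")),
                  device=device, event=event)
    return fields

def in_maintenance_window(ts):
    return WINDOW_START <= ts.hour < WINDOW_END

def review(log_text):
    """Return (device, event, reason) for each change event that breaks policy."""
    findings = []
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev["event"] not in CHANGE_EVENTS:
            continue                        # heartbeats and similar are not changes
        reasons = []
        if ev.get("user") not in AUTHORIZED_PRINCIPALS:
            reasons.append("unauthorized principal " + str(ev.get("user")))
        if not in_maintenance_window(ev["ts"]):
            reasons.append("outside maintenance window")
        if reasons:
            findings.append((ev["device"], ev["event"], "; ".join(reasons)))
    return findings
```

Running `review(SAMPLE_LOG)` reports the firewall change by `local_tech` and the out-of-window telnet enablement; the two in-window changes by the update service pass.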
Whitelist Instead of Blacklist
While blacklisting prevents certain applications from running (comparing them to a known vulnerability database), whitelisting identifies what can run on a device or system. It creates an inclusive list of permissions that define executable applications and their associated network traffic patterns. This proactive approach is the more strategic choice today, given how quickly the risks to shared data evolve. Because attacks and viruses evolve so quickly, blacklisting remains a reactive solution that can never be fully up-to-date. A recent McAfee® Threat Report indicated a 58 percent increase in samples of ransomware in Q2-2015 alone and an overall increase of 127 percent over the previous year. Malware grew by 12 percent to more than 433 million samples during the same period, along with 17 percent growth in mobile-specific malware, now tracked at more than 8 million samples.
Whitelisting can be implemented using integrated security tools such as McAfee® Embedded Controls, which block unauthorized applications by validating them against the whitelist before any operating system service or application is allowed to execute. Importantly for maintaining device performance, whitelisting also prevents malware from entering the system without wasting CPU and other system resources to evaluate the risk in real-time.
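The difference between the two approaches, as an added example that is not code from McAfee Embedded Control or the original article: an allowlist keyed by the SHA-256 digest of each approved binary gates execution and binds network destinations to the approved application, while a reactive blacklist misses a tampered variant it has not yet seen (all binaries, hashes and hostnames are constructed).

```python
"""Application allowlisting by content hash, with per-app network policy.

Added illustration; not McAfee Embedded Control or Dedicated Computing code.
Assumptions: the allowlist maps the SHA-256 digest of each approved binary
to the destinations it may contact; anything absent is denied outright, so
no per-execution risk evaluation is spent on it. Binaries are constructed.
"""
import hashlib

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Constructed stand-ins for the executables shipped in the validated image.
APPROVED_IMAGING = b"imaging-app v3.1 (constructed binary)"
APPROVED_AGENT = b"mgmt-agent v2.4.1 (constructed binary)"

ALLOWLIST = {
    sha256(APPROVED_IMAGING): {"name": "imaging-app",
                               "net": {("pacs.hospital.example", 443)}},
    sha256(APPROVED_AGENT): {"name": "mgmt-agent",
                             "net": {("mgmt.vendor.example", 8443)}},
}

# A reactive blacklist only knows samples already analysed (constructed hash).
BLACKLIST = {sha256(b"known-ransomware-sample-2015 (constructed)")}

# A tampered copy of the imaging app: one byte differs, so its hash differs.
TAMPERED_IMAGING = APPROVED_IMAGING.replace(b"3.1", b"3.2")

def blacklist_allows(image: bytes) -> bool:
    """Blacklist logic: run anything not yet known to be bad."""
    return sha256(image) not in BLACKLIST

def authorize_exec(image: bytes):
    """Allowlist gate run before any OS service or application starts."""
    entry = ALLOWLIST.get(sha256(image))
    if entry is None:
        return False, "denied: hash not on allowlist"
    return True, "allowed: " + entry["name"]

def authorize_connect(image: bytes, host: str, port: int) -> bool:
    """Network policy is bound to the allowlisted binary, not to the host alone."""
    entry = ALLOWLIST.get(sha256(image))
    return entry is not None and (host, port) in entry["net"]
```

The tampered binary passes `blacklist_allows` because no signature for it exists yet, but `authorize_exec` denies it because its hash is simply not on the list.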
Freeze the Configuration to Block Unauthorized Changes
This is not necessarily a new security strategy, depending on the embedded market. Essentially, the OS image that is used as the baseline described above is a set of configurations including files, data, settings and applications. By freezing the OS, OEMs enable the system to return to this known state when it is reloaded after a change or vulnerability has had some impact. All changes are discarded on reboot, so their impact does not persist once the original configuration is re-established. At the same time, user and application data can be written safely to non-system drives or network spaces. Freezing is an intelligent part of the security hardening process, preventing system damage while still allowing authorized users to schedule automated software updates to the operating system.
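The freeze behavior described above, as an added example that is not a vendor product's code: a device object holds a baseline manifest of the system volume, reports drift from it, reverts the system volume on reboot while the data volume persists, and accepts a validated update as the only way to a new baseline (paths, file contents and the tampering scenario are constructed).

```python
"""Frozen OS image: unauthorized changes vanish at reboot, data volumes stay.

Added illustration, not a vendor product's code. Assumptions: the system
volume is described by a SHA-256 manifest of the validated baseline image,
the data volume is outside the frozen set, and a validated update is the
only path to a new baseline. Paths and file contents are constructed.
"""
import hashlib

GOLDEN_IMAGE = {                           # constructed baseline system volume
    "C:/Program Files/Vendor/agent.exe": b"agent 2.4.1",
    "C:/ProgramData/Vendor/agent.cfg": b"server=mgmt.vendor.example",
}

class FrozenDevice:
    def __init__(self, golden_image):
        self.golden = dict(golden_image)
        self.manifest = {p: hashlib.sha256(b).hexdigest() for p, b in self.golden.items()}
        self.system = dict(golden_image)   # live system volume
        self.data = {}                     # non-system volume, never reverted

    def drift(self):
        """List system-volume files that differ from, or are absent in, the baseline."""
        report = {"modified": [], "added": []}
        for path, data in self.system.items():
            if path not in self.manifest:
                report["added"].append(path)
            elif hashlib.sha256(data).hexdigest() != self.manifest[path]:
                report["modified"].append(path)
        return report

    def reboot(self):
        """Freeze semantics: the system volume returns to the golden image."""
        self.system = dict(self.golden)

    def apply_validated_update(self, new_image):
        """Authorized path to a new state: re-baseline from a tested image."""
        self.golden = dict(new_image)
        self.manifest = {p: hashlib.sha256(b).hexdigest() for p, b in new_image.items()}
        self.system = dict(new_image)

def tamper_then_reboot():
    dev = FrozenDevice(GOLDEN_IMAGE)
    dev.system["C:/ProgramData/Vendor/agent.cfg"] = b"server=rogue.example"
    dev.system["C:/Windows/Temp/dropper.exe"] = b"unexpected binary"
    dev.data["D:/patients/scan-0412.dcm"] = b"constructed image data"
    before = dev.drift()
    dev.reboot()
    return before, dev.drift(), dev.data
```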
Whether or not the system configuration is frozen, the device, its OS image and its components should be tested and validated before the system is deployed to the field, ensuring the number of attack vectors is kept to a minimum. Detailed processes, testing checklists and experienced engineering are essential to hardening techniques, as are advanced vulnerability scanning engines that constantly update their vulnerability information.
Minimizing the Cyber-Attack Surface of Devices
As connected devices become more integrated and capable of sharing information in real-time, a wide range of data must be protected from server to edge. Yet many OEMs consider security part of deployment rather than development, missing the opportunity to create a powerful advantage by integrating a security strategy early in the design phase. Edge node devices out on the front lines—such as portable diagnostic devices that bring high-resolution imaging to emergency settings or access electronic health records in real-time—require a proactive design approach that helps optimize long-term security performance, reduces total cost of ownership and meets market-specific federal requirements for privacy and protection of data.
Security at the device level is critical to attaining safe, protected performance in long-life embedded products—particularly those with complex security hardening requirements due to off-the-shelf hardware, software and applications. By exploring new ways to further security performance, whether it’s through additional encryption, hardening, whitelisting or secure OS images, optimized security requires a holistic, cost-effective approach that goes beyond addressing threats from Internet connectivity. As devices become more scalable, with more performance options and features, security design will continue to grow as an essential consideration, fully integrated into the product environment and lifecycle.
Andrew Herger is Dedicated Computing’s Director of Engineering – Internet of Things (IoT).