Cybersecurity for Embedded Systems | SPONSORED
All critical infrastructure is under cyber attack, all the time. The attack on the Oldsmar, FL water supply is a good example. And it’s getting worse; vulnerability to cyber attack is increasing as the embedded devices controlling these critical infrastructures become more connected. The DevOps approach to software development offers an antidote—an opportunity to embed run-time security into the software for embedded systems.
Automated run-time protections are crucial for cyber defense that scales. Protecting critical infrastructure is too vast an undertaking for human-based monitoring and response alone. As an example, there are approximately 54,000 drinking water systems in the United States, and many do not have someone watching IT operations 24/7, as KrebsOnSecurity reports. This makes them ripe for cyber attacks, which could prove deadly.
Cybersecurity Considerations for Embedded Systems
Many have expanded DevOps to DevSecOps, indicating cybersecurity is part of a holistic, iterative, automated approach. That’s a great goal. Unfortunately, traditional cybersecurity practices are not a good fit. Static scanning is a standard tool for cybersecurity, although it is known to be woefully incomplete in its ability to identify errors. More damaging in the DevOps context, the practice undermines the team culture by pointing a finger at the developers, while cybersecurity is still on the outside.
Equally important, scanning undermines key automation and speed objectives. Scanning generates alerts that software developers must either address or ignore. This find-and-fix approach takes valuable time for an incomplete solution. Scanning is not like a handy document spell check feature.
Embedded systems need to be protected against both known and unknown (yet-to-be-exploited) vulnerabilities. The benefit of such protection is mitigation of memory corruption vulnerabilities, a ubiquitous class comprising 40-70% of identified vulnerabilities, depending on the code stack. Mitigation should happen automatically at run-time, when embedded devices are ensuring the smooth operation of critical infrastructure and are also under constant attack.