Embedded Systems Conference Addresses IIoT Security

By Rick Rys

ARC senior analyst Dick Slansky and I attended the ESC (Embedded Systems Conference) in Boston this week and would like to share our observations on this complex and dynamic market. The market for embedded systems continues to grow, driven by cheaper processors and the trend to improve device intelligence and interconnections. But many problems, changes, and opportunities for players to win or lose remain.

The well-attended conference had four main tracks:

  1. Embedded Hardware Design & Verification

  2. Embedded Software Design & Verification

  3. Connected Devices & IIoT

  4. Advanced Technologies

There were about 46 exhibitors on the floor for the ESC.

Our basic takeaway (and not really a surprising one) was the constant march toward faster and more capable processors, as shown by the evolution of the ARM families of processors. A significant advantage of staying in the family is that much of the previous software code can be reused for evolving embedded products. This helps to keep costs down and improve schedules.

Colin Walls from Mentor explained the importance of power management and the critical role that software plays in it. In addition to DVFS (Dynamic Voltage and Frequency Scaling), which can adjust the CPU speed to the task, many embedded systems (like cell phones) now have both “big” and “little” processors, with the big processor turned off when not needed.

While not always apparent to users of embedded systems, the developer community is aware of the continuing security vulnerabilities that can leave IIoT devices open to attack.

Keynote speaker Michael Barr of the Barr Group pointed to a survey in which he asked 1,700 embedded system engineers what the worst thing was that could happen if the system they were working on got hacked. The responses revealed a huge number of potentially dangerous outcomes, and showed that developers often consciously ignored security to avoid delaying the project schedule. Michael suggested that this is akin to an “IoDT,” or “Internet of Dangerous Things.”

 

Figure: Embedded System Software Standards

 

Some 19% of developers mentioned they did not develop to software standards, and nearly as many said that standards were not enforced.

While many security vulnerabilities are never exploited, they can certainly backfire when they are. Michael mentioned the case of the Jeep/Chrysler hack in 2015, which required Chrysler to recall 1.4 million cars to install new firmware and wireless carrier Sprint to add new wireless communications security features to prevent hackers from remotely operating cars. Security researchers Charlie Miller and Chris Valasek originally demonstrated this vulnerability by having a test driver go for a ride. They told him they had hacked his car, but not to panic. At first, they remotely turned the car’s air conditioner to its coldest setting, then ran the washers and wipers, then turned the radio to high volume. The test driver was powerless to stop any of this. When they cut out his transmission, he coasted to a stop in busy highway traffic. Clearly, this shows the risk to humans and property posed by shortcuts in the underlying embedded system security.

Michael gave the example of the TPS (tire pressure sensor) in a car and explained how a hack could potentially set off the flat tire alarm, which could enable someone to rob the driver and/or steal the car when the driver pulled over to inspect the tires. The point here is that security must be applied at the sensor level, but this can add considerable cost and complexity in a market that demands low cost. The conclusion is that many IIoT sensing devices represent a convenient access point for hackers.

It should not be surprising to learn that engineers often skimp on security to meet the demand for increasingly lower cost IIoT devices (sensors, edge devices, communications, HMIs, etc.) and applications.
