“The dangerous world we live in is one where the embedded systems that we build are increasingly a battlefield, a place where anonymous hackers are able to remotely injure and potentially kill people on the other side of the world because dangerous devices are connected to the Internet.” Barr Group CTO Michael Barr delivered this warning in his keynote address at ESC Boston in May. For developers of devices that could cause serious injury or even death if attacked, he sent this message: security is not an option, and in case you thought encryption was enough — it’s not.
“Encryption is amazing stuff. The problem is that it is always part of a protocol,” he said. “There can be bugs and weaknesses in the protocol that can be exploited. While it’s great that you’re encrypting, the weakest link is where hackers are going to find their way in. Security by encryption is never enough.”
In January 2017, the Barr Group conducted a survey of 1,726 embedded engineers across multiple industries. Not surprisingly, the top four industries that these potentially dangerous devices target are medical (21 percent), industrial automation (20 percent), automotive systems (17 percent), and defense/aerospace (13 percent). Of these respondents, 28 percent were “actively involved in designing an embedded system that could be dangerous.” Another 25 percent were developing potentially dangerous devices. Of these dangerous systems, 60 percent were going on the Internet.
“More than one in five designers of a current embedded system that will be on the Internet and that could kill or injure a person are doing nothing” in terms of securing their devices from attack, he said. The survey included some grim statistics about how poorly the medical device industry is doing when it comes to ensuring the security of medical devices that are part of the IoT landscape. Here are some specifics the survey found for embedded systems in medical devices:
- No coding standard: 18 percent
- No static analysis: 27 percent
- Irregular/no code reviews: 35 percent
- No security requirements: 30 percent
So, what should industry be doing? Barr called on embedded systems developers to think like hackers. “You have to think who could attack, why would they attack, and what skills, tools, and motivations would they have. Then you can practice what’s called defense in depth,” he said, emphasizing that developers need to design in that extra layer of security so that there is no weak link. He presented a five-point action plan that he said, “we must follow to ensure that we are effectively and responsibly creating a safer, more secure connected world.”
- Don’t ignore security: We have an ethical duty!
- Do adopt (bug-reducing) software best practices.
- Do use cryptography where appropriate.
- Do practice defense in depth.
- Do get and stay educated about security.
A video of his presentation is available here .
