How Manufacturers, End-Users, and Regulators Can Close the Embedded Device Security Gap
April 28, 2022
Each of these stakeholders has a role in building out a critical layer of cybersecurity defense. Here are recommendations for overcoming the insecure status quo.
The safe and continuous operation of communication satellites, building management systems, energy production, delivery systems, and other essential infrastructure depends on embedded devices that often have highly specific, limited use cases, storage and memory limitations, and limited exposure to the internet.
So, it’s not surprising that security controls on these devices are often lacking, especially compared to higher levels of infrastructure that have undergone extensive cyber defense upgrades over the past decade.
To be sure, some end users are pushing for more security controls on embedded devices. And some manufacturers have engineered them, although not at a rate that is commensurate with the increasing cyber risk. By now, it is clear that industrial control systems (ICS) and their essential devices make attractive targets for bad actors. With international tensions elevated and two new, dangerous, and ICS-capable malware strains identified in early 2022, it is more important than ever that this layer of security be hardened to a very high standard.
But despite increasing recognition that on-device security is essential, there is no clear path to its rapid and extensive adoption in most ICS deployments.
This current impasse has several causes. Embedded devices are often mission-critical and difficult to take offline and upgrade; they have limited storage and memory, which makes security engineering difficult and dependent on firmware expertise that is in limited supply; and security upgrades are often expensive, requiring extensive R&D resources for manufacturers and increases in end users’ procurement costs.
We can achieve robust embedded security despite these challenges before attackers exploit current weaknesses. But manufacturers, end-users, regulators, and security providers must acknowledge their independent and shared responsibility for protecting our critical industries and infrastructure, make strategic changes based on mutual self-interest, and recognize the importance of investment and collaboration. Here are considerations for each group that may help accelerate the process.
One of the best ways to recognize the value of security investment is to acknowledge the potential losses associated with inaction. Concerns about supply chain integrity and increasingly sophisticated attackers have put many device users on notice. An October 2021 Ponemon report found that 59% of respondents (mostly connected device manufacturers) reported they had lost sales due to product security concerns.
OEMs can defend their market advantage and reputation simultaneously by not cutting corners, particularly with the security of new devices. There are two salient reasons for this:
- On-device security is now essential. As more devices are connected and targeted by attackers, concepts such as “security by obscurity” are becoming obsolete. Increasingly, devices can be accessed through attacks that exploit permissions and legitimate protocols and against which external security controls are ineffective. The devices themselves will need security controls to achieve a truly robust level of protection.
- Partnerships can help fill the expertise gap. The problem created by a lack of resources can be mitigated by working with security vendors. OEMs can help set a high standard by engaging with leaders in the security field and working to ensure the controls do not compromise device performance. Building effective security features can be an iterative and collaborative process; it will be beneficial to set a high-quality standard for partnerships and security itself.
OEMs will not be incentivized to build out device security if their customers don’t demand it. While the Ponemon report suggests end-users are expecting more, they can create even more demand by accepting these conditions:
- No matter where responsibility for a cyberattack may lie, the buck typically stops with the service provider. They will bear the reputational damage of a breach. This should provide an incentive for them to demand device features such as secure boot, secure code updates, on-device firewalls, intrusion detection, and authentication capabilities in all mission-critical devices.
- They must bear some of the security costs. For the time being, increased embedded device security will mean higher costs for everyone. End-users must accept that the prices of these devices will rise in the short term. However, we can expect costs to decrease as on-device security features become standardized.
Regulators, Standards Bodies, and Government Agencies
Regulations such as IEC 62443 and California’s SB327 supply helpful guidance around cybersecurity standards. However, in most cases, guidance specific to embedded systems is still insufficient. The same is true for Executive Orders and directives such as CISA’s Shields Up. Addressing these oversights would be an excellent first step.
- USG can use the power of the purse. As some of the most deep-pocketed customers, government agencies can influence OEMs’ decision-making by raising their own security standards. Executive Order 14028 (Section 4) includes directives for improving the security of supply chains and laying the groundwork for a “labeling” program that can help identify strong cybersecurity standards in consumer devices. As the Order suggests, USG agencies can influence the public sector if they lead by example.
- Regulations can interlink safety and security concerns. IEC 62443 and other regulations are beginning to reflect the overlap between safety and security engineering. But we need more; experts from both disciplines are necessary to bring regulations into alignment with the current security threats to embedded systems.
Security Professionals and Vendors
Security professionals need to recognize the challenges OEMs are confronting and maintain a focus on mutually beneficial solutions by acknowledging other areas of expertise. As threats to ICS safety systems intensify, collaboration will be more critical than ever. Security experts need to listen to product safety engineers and operators and be ready to collaborate on solutions.
Vendors can accelerate the adoption of security features by offering solutions that support devices’ core functionality. When problems arise, they must be ready to work with OEM engineering teams to resolve them.