Embedded security attacks are emergencies, and we need to treat them that way.

The embedded security problem is an ongoing and escalating emergency in progress. The internet of things is so extensive and so interconnected that simply writing good code is not good enough. Conventional boundary thinking is irrelevant. Resetting systems is no guarantee to halt attacks. There’s no time for finger pointing and guesswork.  According to PSA-Certified, the average cost of a successful IoT device attack is more than $330,000 and it’s estimated that by 2025, cybercrime damages will total $10 trillion. It’s time to take crisis control lessons from the emergency management industry and get out of this spiraling failure.

Rapid response criteria are needed for embedded systems emergency management

A rapid response plan requires both technical and workflow commitments to process attack intelligence.
The basic steps include:

• Obtain time, date, geolocation alerts to pinpoint when and where the problem began
• Monitor for propagation patterns as the attack spreads.
• Upload code module samples to provide evidence of the alteration of system code.
• Share combined intelligence with all stakeholders according to assigned roles, who will coordinate together to implement remediations.

The magic words are: stakeholders coordinate together. Who are the stakeholders? What are their roles? In any system life cycle there are at least five: Developer, OEM, Product Vendor, Dealer, and Owner. The technologies chosen to build and implement embedded systems must provide the information necessary for them to rapidly resolve problems.

Steps to building the next-generation embedded system emergency response

Solving attacks quickly happens when actions can and will be taken quickly. A fundamental change in embedded software development, information sharing, monitoring and updating is required.

• Software development must include code signing, behavioral deviation detection and trusted update mechanisms. Developers must learn to see security as integral to their reputations.
• Stakeholders must agree to opt into event monitoring. Rapid updating, including options for real-time over-the air must be available.
• Emergency management workflow agreements and action plans must exist for all stakeholders. The  technical design must enable stakeholders to take actions and receive positive recognition for fast responses.

Bottom Line

When embedded systems are compromised, services are affected, money is lost and lives are at risk. Emergency-ready software supply chains are needed now, not years in the future. Players at any point in the supply chain should ask tough questions about security treatments, and skip vendors who are not ready to address the life cycle commitments set forth in this opinion.

- John Girard  |  Advisor at Lionfish Tech Advisors and Managing Director of Cyber Imbiber Tech Advisor LLC.
 

Recommended Reading

Why Certify IoT Security?, PSA Certified

Top 25 Auto Cybersecurity Hacks: Too Many Glass Houses To Be Throwing Stones, Forbes

From Stuxnet to Industroyer: The biggest hacks in the history of Industrial IoT, Turn-key Technologies

 

© 2022 Cyber Imbiber Tech Advisor LLC