Do embedded systems need special prioritisation when it comes to safeguarding IT systems?
The embedded systems industry under cyberattack
Why is embedded security such an important topic?
Prof. Dr.-Ing. Axel Sikora: The security of IT systems is already extremely important in order to achieve classic data protection goals including confidentiality, identity, authentication and authorisation and thus the protection of data and information. Embedded systems are also often required to take on control tasks. If data security is compromised, functional safety can sometimes be impaired. As a result, control of machines and systems could be taken over, cars remotely controlled or power plants shut down.
Numerous recent examples from the embedded community demonstrate that such attacks are not only theoretically possible. Especially in these times of increased political tension and armed conflicts, such risks cannot be overestimated. This applies not only to the protection of so-called critical infrastructure (see the German critical-infrastructure protection programme KRITIS), but also to many downstream applications in industry, transport technology, environmental technology, smart cities, smart homes/buildings and many other examples.
IT security for embedded systems
How can embedded systems be successfully protected against cyberattacks?
Prof. Sikora: In order to ensure the security of embedded systems, a wide range of requirements must be met that go beyond conventional IT security measures:
- Despite significant increases in system performance, many embedded security systems persist in operating on significantly limited resources. On the one hand, this brings with it technically very demanding and, for me, extremely fascinating challenges in order to implement the necessary measures despite the limited resources. On the other hand, it must be said that the performance of attacking systems is constantly increasing, potentially to the point of utilising quantum computers. David will have to defend himself very valiantly against Goliath! Networking on the internet creates an additional potential target to attack because powerful computing power can be utilised remotely.
- Many embedded systems are located "in the field". This means that they cannot be protected by conventional physical security measures, such as access protection to a data centre. In addition to remote attacks, this introduces a new class of physical attack.
- Both aspects are reinforced by the fact that many applications that deploy embedded systems have very long life cycles. In industrial automation or transport technology, several decades are not uncommon. That's why we need to anticipate possible cyberattacks in the year 2050 or 2060 when designing today. To stay with the image; Goliath continues to grow over time, while David remains small. He must therefore strive to become all the more intelligent!
There are a few more aspects, but to explain them all in detail I would need at least a full lecture hour.