"Embedded security is destined to become a defining product feature"
Embedded systems are vulnerable to attack from two different sides: the masked perpetrator infiltrates sensitive systems on site, whereas the hacker chooses cyberspace for his attack. Developers in the embedded systems industry are faced with the task of ensuring data security and functional safety for their systems.
In this interview, Prof Dr Axel Sikora, Chairman of the embedded world Conference, discusses the importance of embedded security and analyses new legal regulations that are of significance to the embedded systems industry.
Do embedded systems need special prioritisation when it comes to safeguarding IT systems?
The embedded systems industry under cyberattack
Why is embedded security such an important topic?
Prof. Dr.-Ing. Axel Sikora: The security of IT systems is already extremely important in order to achieve classic data protection goals including confidentiality, identity, authentication and authorisation and thus the protection of data and information. Embedded systems are also often required to take on control tasks. If data security is compromised, functional safety can sometimes be impaired. As a result, control of machines and systems could be taken over, cars remotely controlled or power plants shut down.
Numerous recent examples from the embedded community demonstrate that such attacks are not only theoretically possible. Especially in these times of increased political tension and armed conflicts, such risks cannot be overestimated. This applies not only to the protection of so-called critical infrastructure (see the German critical-infrastructure protection programme KRITIS), but also to many downstream applications in industry, transport technology, environmental technology, smart cities, smart homes/buildings and many other examples.
IT security for embedded systems
How can embedded systems be successfully protected against cyberattacks?
Prof. Sikora: In order to ensure the security of embedded systems, a wide range of requirements must be met that go beyond conventional IT security measures:
- Despite significant increases in system performance, many embedded security systems persist in operating on significantly limited resources. On the one hand, this brings with it technically very demanding and, for me, extremely fascinating challenges in order to implement the necessary measures despite the limited resources. On the other hand, it must be said that the performance of attacking systems is constantly increasing, potentially to the point of utilising quantum computers. David will have to defend himself very valiantly against Goliath! Networking on the internet creates an additional potential target to attack because powerful computing power can be utilised remotely.
- Many embedded systems are located "in the field". This means that they cannot be protected by conventional physical security measures, such as access protection to a data centre. In addition to remote attacks, this introduces a new class of physical attack.
- Both aspects are reinforced by the fact that many applications that deploy embedded systems have very long life cycles. In industrial automation or transport technology, several decades are not uncommon. That's why we need to anticipate possible cyberattacks in the year 2050 or 2060 when designing today. To stay with the image: Goliath continues to grow over time, while David remains small. He must therefore strive to become all the more intelligent!
There are a few more aspects, but to explain them all in detail I would need at least a full lecture hour.
Embedded security measures
What security solutions are already available?
Prof. Sikora: The basic concepts of embedded security are initially identical to the principles of traditional IT security. These include fundamental principles such as security by design, security by default, defence in depth and the use of open principles, algorithms and implementation. In addition, it also involves the use of special hardware solutions that attempt to achieve the aforementioned physical security of a data centre but at the microelectronic level. And finally, security by architecture, in other words true physical separation and non-interaction between the various system components. This is becoming increasingly common – as is the role played by awareness that absolute security cannot be guaranteed.
In general, it must be said that attacks and their corresponding defence measures are becoming increasingly complex. In our projects, we increasingly realise that there are only a few experts who fully understand the challenges and solutions.
This makes the use of standardised architectures and protocols all the more important in order to allow pre-development of hardened modules and their more cost-effective implementation in systems. These modules must then be tested, secured and, if necessary, certified accordingly so that they really do not offer soft targets for attacks when they are applied on a larger scale.
The future of embedded security
Can you make a prediction about the importance of embedded security in the future?
Prof. Sikora: I believe it is now clear that embedded security will become increasingly important over time. The old saying "security follows functionality" will apply less and less. And this is true in two respects: firstly, embedded security measures must not be designed and implemented retrospectively after function development, but must instead be considered integrally from the outset. On the other hand, security will become an increasingly important functional feature, which will play a key role in determining, for example, potential applications, ease of integration or comprehensible operability.
Cyber security: New statutory regulations
What significance do the new laws and regulations have for the embedded systems industry?
Prof. Sikora: EU and therefore also national legislators have introduced a large number of new laws and regulations which will fundamentally change the requirements for developers and operators of IT and embedded systems.
Three main lines of activity should be mentioned here:
- The EU Cyber Security Act (CSA) came into force in 2019 and must now be fully implemented by all member states. A framework creates a standardised system within the European Union to certify the security of information and communication technology (ICT) products, services and processes. These certificates provide information about the safety requirements met by the products and services and provide for three safety tiers in the form of "low", "medium" and "high" levels, which include risk assessment with regard to the probability of a safety-related incident. At the lowest level, manufacturers can assess the conformity of their products and services themselves. The highest level confirms extensive capabilities to avert state-of-the-art cyberattacks.
- However, the new initiative for network and information security (NIS2.0) must also be taken into account. This was adopted at the European level in November 2022 after lengthy negotiations and defines the minimum standards for the regulation of critical infrastructures (CIIP - Critical Information Infrastructure Protection) in the EU, with the new regulation significantly expanding the scope of those affected and their obligations. The EU member states must incorporate NIS2.0 into national law within the next few months. In Germany, this was achieved through the Security Act 2.0, which came into force in May 2023 and obliges CIIP or KRITIS companies, for example, to deal with or use anomaly detection.
- The so-called delegated regulation, which adds several paragraphs to the EU Radio Equipment Directive (RED), has so far received comparatively little attention. In particular, this directive stipulates that radio equipment must incorporate security measures to ensure that personal data and the privacy of users and subscribers are protected and that certain functions are supported to protect against fraud.
The new RED regulations are due to be published in June 2024 and will become binding from August 2025. In addition, there are other application-specific requirements, such as ISO/IEC 62443, which describes the technical security requirements for components of industrial automation systems or, in Germany, the BSI Technical Guideline TR-03109 for safeguarding smart meter infrastructures.
In other words: a host of complex requirements and a jungle that we developers now have to face and that must be fulfilled in a very timely manner.
Embedded security is a crucial topic at embedded world 2024
What importance will the subject have at #ew24?
Prof. Sikora: As has already become clear, there is massive pressure and a sense of urgency for developers, integrators and operators of systems that contain embedded systems. Accordingly, there is a huge hunger for information, which we will be addressing at embedded world 2024. We will talk about legal requirements in detail in a panel discussion. We will go into technological aspects at various levels, from hardware and software to secure protocols and various testing options, in a dedicated security track at the embedded world conference. This will be bigger than ever in 2024!
To find out how to obtain tickets and for details of the programme of the embedded world Conference 2024, please visit: www.embedded-world.eu