Embedded systems engineers are dropping the ball when it comes to security!
In an eye-opening embedded systems safety and security survey conducted by the Barr Group, 28 percent of respondents said the systems they work on could cause injury or fatalities and 60 percent of the respondents said their systems were connected to the Internet. Disturbingly, even when their systems could be dangerous and were on the Internet, 22 percent of engineers said security was not a design requirement on their project.
This is the Barr Group’s third annual survey on safety and security. And this year, more than 1,700 professional embedded systems designers from all over the world gave responses relating to security and safety practices, process, and architecture. Those surveyed were involved in a variety of industries, including industrial control, aerospace, medical, and automotive. A number of questions involving coding standards, bug tracking, and best practices were posed in the survey, along with questions involving operating systems, processors, and languages.
Barr Group CTO Michael Barr offered some insights into these alarming numbers. “Development processes are in perpetual movement. The engineers involved in developing IoT devices, in particular, tend to have fewer years of experience. Geography also plays a role. Shifting development from the United States and Europe to Asia, there appears to be a less mature development model with less of an appetite for applying industry best practices appropriate to safety and security.”
Barr also cited the maturity level of various industries. In medical and aerospace, for example, companies take greater pains to ensure quality, whereas designers of emerging IoT and consumer products are simply trying to get things working before security is even considered.
With regard to IoT devices specifically, 9 percent of those designers don’t keep their source code in a version control system. This makes historical snapshots and bug-fix branch capabilities difficult to impossible. 25 percent don’t have a bug tracking system or database to track known issues. 56 percent do not perform regular source code reviews for bug and security hole identification. And 60 percent do not use any static code analysis tool.
Two key areas to address according to Barr are:
- Embedded systems engineering must put security on the requirements list – this survey uncovered that 22 percent of those whose products could kill and were on the Internet didn’t even have security on the list of design requirements.
- Engage in an analysis phase focused on attack motives, the types of attacks the system may experience, what the attack surface of the system looks like (physical access, reachable from the Internet, etc.), and worst-case security breach analysis.
“Whether these companies do these things internally or by involving an external consulting organization, security is a critical part of today’s embedded and IoT systems and cannot be ignored,” Barr said. “Retrofitting security is a lot harder than building it in from the start. Penetration testing, metrics, and security training can go a long way to address the issue.”
Rising security concerns present a unique opportunity for IoT platform companies. Platforms that focus strictly on functionality form a baseline product, while platforms with integrated security issue identification, attack prevention, and other security features can provide valuable differentiation.
When asked about the Barr Group survey, Alan Grau, CEO of an embedded and IoT device security company, didn’t sound surprised, but emphasized the need for higher prioritization of system security. “Cyber attacks targeting IoT devices will continue to occur until developers get serious about security. The installed base of IoT devices that are shipped without adequate security built into the devices is growing, making it even easier for hackers to target the IoT. Despite recent high-profile attacks such as Mirai that showed just how vulnerable the IoT is, security is still not a priority on far too many projects.”