Emerging security challenges in embedded systems

Traditionally, embedded systems in industry have focused on process control, automation, and supervision. Advances in embedded processor technology now make it possible to run the most common operating systems even in demanding real-time industrial applications. This also allows industrial embedded systems to take advantage of IoT technology, which creates the conditions for big data, analytics and the use of artificial intelligence.

However, connecting control systems to the network also brings new challenges from a security perspective. It is no longer enough to protect firmware with secure boot and a trusted execution environment (TEE); more comprehensive security solutions are needed.

Information security and functional safety

Functional safety is one of the most important features in demanding industrial control systems. Information security and functional safety are not usually mentioned in the same context, but in industrial control systems they can be very closely related.

If the system controls machinery or a process that could cause harm to people, property, or the environment, it is obvious that uninvited visitors must not be allowed to interfere with the operation of the system. But equally important are system failures: for example, a “denial-of-service attack” caused by a failed device should not cause the control system to shut down and become dangerous.

Thus, modern security solutions for embedded systems are now also an important part of functional safety planning.

Container technology in embedded systems

Container technology is a significant innovation whose popularity has grown considerably over the last ten years. The technology is used to create a restricted environment that includes only the components the application needs. This assembly, the container, is easily transferable to another container runtime environment, making it easier to reuse components.

In embedded systems, the container runtime environment can be installed on the device by default, allowing custom applications to be added easily afterwards, for the end customer as well. Containers also enable the integration of development, testing and production environments (e.g. into a DevOps pipeline), making tool maintenance easier. Solutions that implement container technology include Docker and LXC.

Utilizing container technology can also improve system security in two ways: applications running in a container can be isolated from the rest of the system, and containers can be used to make security upgrades easier and faster. For example, when a system's network-connected applications are containerized, it is possible to update only one container without a complete system-wide update (and testing). In this case, it is also straightforward to implement OTA updates over the network. The ability to upgrade networked devices is essential from an information security perspective.
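The isolation benefit described above holds only if the container is not started with settings that hand it back the host. The following is an added example, not code from the article or its authors: a small audit over `docker inspect` output that flags such settings. The container names and the sample records are constructed, and the set of checks is an assumption about what matters most on a device.

```python
import json

# Constructed sample of `docker inspect` output (not taken from a real device).
SAMPLE_INSPECT = json.loads("""
[
  {"Name": "/mqtt-gateway",
   "Config": {"User": "1000:1000"},
   "HostConfig": {"Privileged": false, "NetworkMode": "bridge", "PidMode": "",
                  "CapDrop": ["ALL"], "CapAdd": ["NET_BIND_SERVICE"],
                  "ReadonlyRootfs": true, "Binds": ["/data/mqtt:/var/lib/mqtt:rw"]}},
  {"Name": "/legacy-hmi",
   "Config": {"User": ""},
   "HostConfig": {"Privileged": true, "NetworkMode": "host", "PidMode": "host",
                  "CapDrop": null, "CapAdd": null, "ReadonlyRootfs": false,
                  "Binds": ["/dev:/dev", "/var/run/docker.sock:/var/run/docker.sock"]}}
]
""")

# Host paths whose bind mount gives the container control over the device.
SENSITIVE_BINDS = ("/", "/dev", "/proc", "/sys", "/var/run/docker.sock")

def audit_container(record):
    """Return the settings in one inspect record that weaken isolation."""
    host = record.get("HostConfig", {})
    findings = []
    if host.get("Privileged"):
        findings.append("privileged mode")
    if host.get("NetworkMode") == "host":
        findings.append("host network namespace")
    if host.get("PidMode") == "host":
        findings.append("host PID namespace")
    if "ALL" not in [cap.upper() for cap in (host.get("CapDrop") or [])]:
        findings.append("capabilities not dropped")
    if not host.get("ReadonlyRootfs"):
        findings.append("writable root filesystem")
    if record.get("Config", {}).get("User", "") in ("", "0", "root", "0:0"):
        findings.append("runs as root")
    for bind in host.get("Binds") or []:
        source = bind.split(":")[0]
        if source in SENSITIVE_BINDS:
            findings.append("sensitive bind mount " + source)
    return findings

def audit(records):
    """Map each container name to its list of isolation findings."""
    return {r["Name"].lstrip("/"): audit_container(r) for r in records}

if __name__ == "__main__":
    for name, findings in audit(SAMPLE_INSPECT).items():
        print(name, "->", findings or "no isolation findings")
```

On a device, the same functions can be fed the JSON printed by `docker inspect` for the running containers instead of the constructed sample.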

Real-time systems and hypervisor software

A significant challenge in real-time systems is ensuring that the system can always respond to inputs in a timely manner. This means that, for example, IoT technology or communication must not cause delays or random changes in system response time, which in turn could lead to incidents from a functional safety point of view.

Such a real-time system can be built asymmetrically with current SoC technology, so that, for instance, different operating systems or applications run on different processor cores. From a security point of view, however, this requires solutions that isolate the different operating systems from each other.

One way to do this is to use a hypervisor, software that monitors and controls the performance of virtual machines. The Jailhouse project is hypervisor software developed specifically for real-time systems. It does not actually create virtual machines but takes advantage of modern processor virtualization features to create isolated operating system instances alongside Linux. The advantages of Jailhouse over other hypervisors (KVM, Xen, etc.) are specifically its light weight and its suitability for real-time applications.

Towards smarter control systems

Industrial control systems constantly require better and more cost-effective solutions to meet the demands of digitalization and information security. The use of container technology and hypervisor software brings interesting solutions to embedded systems as well.

Wapice develops solutions to meet these challenges. Complex, more intelligent control and monitoring systems can be implemented cost-effectively and securely using the latest technologies.

Written by:
Jouko Haapaluoma and Jani Paalijärvi