We are installing an increasing number of embedded systems on our networks. In this video, you’ll learn about security concerns surrounding systems on a chip, field-programmable gate arrays, SCADA devices, IoT devices, and more.
An embedded system is a computer and software that has been built for a very specific purpose. This can be a device that is created to perform a single task, or it may be working with many other devices to be able to perform additional tasks. These embedded systems are created with this single goal in mind.
Very often, they’re created with special hardware that fits into particular sizes, or it may be created to fit a particular cost. Some common examples of embedded systems might be the traffic light controllers that control the red, green, and yellow lights on the highway. It might be the digital watch that you’re wearing.
That’s a very specific embedded system. Or maybe something like a medical imaging system, which is created to perform a very specific medical function and does not have any capabilities outside of that scope. Often, an embedded system is running on a System on a Chip, or an SoC. The System on a Chip has multiple components on the single platform.
And often, there may be a single chip which handles multiple functions on that single board. These are very common with embedded systems, primarily because they’re something you can buy off the shelf. They’re very flexible in their capabilities. And you can customize the software to perform many different functions.
You may not be able to tell from this picture of a Raspberry Pi, but this is a relatively small form factor. You can see an HDMI interface. There are USB interfaces on the side, and an RJ45 connector for ethernet connectivity. There’s not only support for those external interfaces, there’s usually memory that’s built into the board itself.
And it’s very common that these would have very low power consumption, because these are very simple devices that don’t require a huge power draw. Of course, there are security considerations when working with a System on a Chip. It may be that the hardware you’re using on this SoC device is not able to be upgraded.
This Raspberry Pi is a very good example, where most of the components are soldered to the board. There’s not a lot of modularity in this particular system. So it becomes very difficult to swap any components out.
Although it might be easy to change the software that’s running on this SoC device, it would not be easy to add additional hardware components to this, especially security type components. It would be difficult to find a firewall or some other type of security device that you could integrate into this hardware.
Here’s a better view of this Raspberry Pi 3 Model B. You can see that all of this is very integrated. There are some interfaces for USB, for ethernet. There’s an AV interface, a camera interface, and a link for HDMI, all contained on this single System on a Chip.
A common type of hardware that you’ll find on embedded systems is an FPGA. This is a Field-Programmable Gate Array. You can see an example of an FPGA on this particular board, right here in the middle. This is an integrated circuit that you can program after the device has shipped.
It effectively allows you to field-program functionality within this particular FPGA. Since this is an array of logic blocks that can be software controlled, you can have new software pushed to this device. And that software can then effectively reprogram the FPGA.
This provides a lot of flexibility for the developer. They can ship a product. And then later on, if they want to add new capabilities or modify the functionality of the device, they can simply add new software which will reprogram the FPGA. This is a technology you’ll find on many different kinds of devices. Switches, routers, firewalls, and other security components make extensive use of these FPGAs.
If your organization works with industrial hardware, then you’re probably familiar with SCADA. This is the Supervisory Control And Data Acquisition System. You may sometimes see this referred to as an Industrial Control System, or ICS. You’ll commonly find SCADA systems in place where there is a large amount of industrial equipment.
So if you are in a power manufacturing facility or you have a manufacturing floor, all of that equipment can be networked. And it can all be controlled from a computer using this SCADA network. This is useful when you want to monitor these devices from a central management console.
And you may want to change the configuration of this industrial equipment. And you can do that all through the front end of the SCADA system. These are not the kinds of systems that you would have directly connected to the internet, not only because it’s impractical, but it’s also insecure.
Instead, this would be something that is segmented off from the rest of the network. And you would have to go through some type of security controls just to gain access to the SCADA network. Devices that would commonly be connected to the internet are the Internet of Things devices, or IoT devices.
We sometimes refer to these as smart devices. And they’re devices that can be connected to many different types of systems inside of our homes and businesses. For example, on your air conditioning system, you might have an IoT device handling the air control. So you’d be able to connect through an app on your phone, and effectively see what the temperature is in your house and be able to modify the heating or the cooling.
There are also home automation IoT devices, such as video doorbells, garage doors, and security systems. Or you might be wearing an Internet of Things device, such as a smartwatch or a health monitor. If you’re working in a large facility, it might be common to plug in an IoT device that’s able to manage the heating, the air conditioning, the quality of the air, and perhaps even the lights. This will allow a facilities manager to configure automation and keep a constant watch over all of those components in the building.
Although these IoT devices are very functional for monitoring the heating and cooling or the video doorbells that we might have, these are not necessarily systems that have been created by security professionals. These IoT devices are on the internet. They’re also connected to our home networks. And so, there is an important consideration for security.
On my network, I have a separate network set aside for IoT devices, that is segmented from my local home network that has all of my computers on it. That way, if someone does gain access to one of these IoT devices, they would not have access to any of my personal data on my local home network.
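An added example, not part of the original video transcript: a small Python audit of segment-to-segment firewall rules, showing how a convenient "allow IoT to anywhere" rule defeats the segmentation described above for both the SCADA and IoT networks. The address plan, segment names and rule format are constructed for illustration, and the check models new connections only (a stateful firewall would still pass replies).

```python
import ipaddress

# Constructed address plan and rule format (assumptions for illustration).
SEGMENTS = {
    "home": ipaddress.ip_network("192.168.10.0/24"),
    "iot": ipaddress.ip_network("192.168.20.0/24"),
    "scada": ipaddress.ip_network("10.50.0.0/24"),
}
ANY = ipaddress.ip_network("0.0.0.0/0")

# Flows the segmentation is supposed to block: (source segment, destination segment).
FORBIDDEN = [("iot", "home"), ("iot", "scada"), ("home", "scada")]

# Weak: "any" was meant to grant internet access, but it also matches internal segments.
WEAK = [("accept", "iot", "any"), ("accept", "home", "any")]

# Corrected: explicit inter-segment drops come before the broad internet rules.
FIXED = [
    ("drop", "iot", "home"),
    ("drop", "iot", "scada"),
    ("drop", "home", "scada"),
    ("accept", "home", "any"),
    ("accept", "iot", "any"),
]

def net(name):
    return ANY if name == "any" else SEGMENTS[name]

def decide(rules, src, dst, default="drop"):
    """First-match verdict for a NEW connection from src to dst."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, rule_src, rule_dst in rules:
        if s in net(rule_src) and d in net(rule_dst):
            return action
    return default

def audit(rules, forbidden=FORBIDDEN, default="drop"):
    """Return the forbidden segment pairs that the ruleset still accepts."""
    leaks = []
    for src_seg, dst_seg in forbidden:
        # Rules are segment-granular, so one probe host per segment is enough.
        src = next(iter(SEGMENTS[src_seg].hosts()))
        dst = next(iter(SEGMENTS[dst_seg].hosts()))
        if decide(rules, str(src), str(dst), default) == "accept":
            leaks.append((src_seg, dst_seg))
    return leaks

if __name__ == "__main__":
    print("weak ruleset leaks: ", audit(WEAK))
    print("fixed ruleset leaks:", audit(FIXED))
```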
Many embedded devices are very specialized. For example, a medical device, such as a heart monitor or insulin pump, is a very specialized device that has a single goal in mind. Unfortunately, the nature of these embedded systems doesn’t always allow the manufacturer to upgrade the operating system. So you may find that these devices, although very important and very specialized, may be running older versions of operating systems.
Our automobiles now have multiple, very specialized embedded systems. And you’ll find that almost every aspect of the car has monitors and sensors. And they can all communicate with each other to make the driving experience that much better.
A similar set of specialized embedded systems exists on aircraft. There are many different networks and many different sensors, all communicating amongst each other. This would not be a place where you would want a denial of service. And you want to be sure that no one has access to those networks, to be able to create any problems on an aircraft.
And in our homes and businesses, we’re starting to put more and more sensors on our utilities. And you’ll find many embedded systems that are watching water, electrical, and other types of utility use. In your home or business, you may be using VoIP. This is Voice over Internet Protocol, or Voice over IP.
This is the latest technology to replace what was our old analog phone lines, or what we used to call the Plain Old Telephone Service, or POTS. Our Voice over IP telephones are very complex embedded systems that allow us voice communication, and provide many different functions as well. Each one of our Voice over IP phones is a standalone computer. They all have separate boot processes and configurations. And there are many different capabilities that allow us to communicate via voice, video, and other functions, as well.
Another common place to find an embedded system is in the air conditioning and heating systems in our homes and businesses. This is HVAC, or the Heating, Ventilation, and Air Conditioning systems. These are usually very complex systems, especially when you get into larger environments. And they’re usually integrated with the fire system, as well.
There are a lot of different components all working together to provide this HVAC functionality. It’s very common in large HVAC implementations to have a computer that monitors and maintains all of the HVAC for the facility. This would be a computer that would be able to monitor and even change the configuration in the heating and air conditioning systems.
And with components like this that affect so many different people in a particular building, it’s important that we apply the proper security to these HVAC monitoring systems. We want to make sure that no one from the outside is able to get unauthorized access to these. Because if they do that, they can turn off all of the heating, all of the air conditioning, and create, in some cases, very dangerous situations for the people in the building.
And what would a conversation about embedded systems be without a discussion of drones? These are flying vehicles that are becoming more and more common in our skies. These may be devices that are manually controlled from the ground, or there might be some type of autonomy that will allow these devices to perform functions without any type of human intervention.
These are increasingly used for both commercial and non-commercial uses. And at least in the United States, you have to have a federal license to be able to fly one of these drones. It’s very common to find security features and fail-safe functionality built into these drones. That way, if anything occurs while this device is in the air, you can get it back on the ground safely without harming anybody else who may be around.
An embedded device that many of us have in our homes and businesses is a printer, a scanner, or a fax machine. These are sometimes referred to as Multi-function Devices, or MFDs. That’s because in a single device, you can have a scanner, a printer, a fax machine and more, all inside of this single embedded device.
Because of that, these have become increasingly complex with very sophisticated firmware. For example, because of the scanning functionality of this device that’s used to either scan an image for use locally or scan a document that we can fax to someone else, those images are stored somewhere on this device, usually within the internal memory of this multi-function device.
And it’s not unusual to have a way to retrieve those images later, whether that is something that is intended or not intended by the MFD manufacturer. There might also be logs on this device that can give an attacker information about who this device has communicated with, or what phone numbers have received faxes.
The embedded devices that we have in our automobiles or the industrial equipment that we’re using very often will use an RTOS, or a Real-Time Operating System. This is an operating system that’s designed to work on a very deterministic schedule. This means that the hardware and software of this device are able to operate with very specific scheduling.
This also means that there’s no process on this particular device that would override or take control of the system, and not allow other parts of the system to operate. A good example of this is the Real-Time Operating System that’s used for the anti-lock brakes that are in our automobiles, because those need very specific updates on the wheel slippage that is occurring when someone’s trying to brake their car.
This adds a bit of complexity when you add some security aspects to a Real-Time Operating System. You don’t want the security system to get in the way of the Real-Time Operating System. But you also want to be sure that the RTOS is secure. Because of the nature of these Real-Time Systems, it’s often difficult to know exactly what’s running inside of those embedded systems. So you may not know what type of security is even running inside of that Real-Time Operating System.
The cameras and the monitoring systems we’re using for video surveillance are also embedded systems. The cameras themselves have become very advanced in their functionality, and are able to change what they can see during the day versus what they can see at night. There’s motion-sensitive functionality, or even the ability to track different objects as they’re going through the camera’s vision.
These cameras might also be monitoring very sensitive areas. So it’s important to make sure that the proper security is put into the monitoring systems, so that only authorized users are able to see what the cameras are seeing. These cameras may be mounted very high on a building or they might be on the roof.
So it may not be very easy to change a camera or replace that hardware. Many of these cameras, though, do support firmware upgrades. So there may be a way to constantly monitor and protect those systems when security patches are released.