Four Fundamental Trends in Embedded System Security

Our modern world operates on tiny microelectronics that are the brains in the devices you use from the time you wake up until the time you go to sleep, every day, seven days a week.  Smart phones, laptops, wearable devices, your vehicle, your smart thermostat – all of them rely on embedded microelectronics.  While the world you interact with is controlled by microelectronics, the infrastructure behind all of your modern conveniences is even more reliant on microelectronics – cell phone service, your car, the GPS powering your Apple Maps, the cloud servers that host your Google or iCloud data, the banking and credit payment terminals and even the electricity that powers the businesses you frequent and your home.  Microelectronics and the embedded systems they control are the backbone of our modern world.  For as reliant as we are on those systems, they remain shockingly vulnerable to reverse engineering and cyber attack.  As the digital landscape continues to evolve, four fundamental, creative trends in embedded system security are emerging, shedding light on how we can protect these integral systems from vulnerabilities and cyber threats:

  1. Hardware-based security: Traditional security approaches primarily relied on software defenses, but they are proving insufficient against increasingly sophisticated attacks. While a software patch maybe logistically more simple and less costly, ultimately software is unable to protect software.  While machine learning and artificial intelligence are playing a growing role in embedded system security, they are still software-based approaches that require learning/training.  Their application in anomaly detection does limit the spread of an attack but the identification of an unusual pattern that may indicate a security breach is not a prevention mechanism to stop the attack from being weaponized in the first place.  Hardware-based security takes a different approach, integrating security measures directly into the hardware components of embedded systems.  These measures include secure elements, trusted platform modules (TPMs), and hardware-based encryption.
  2. The Zero-Trust security model: this model operates on the principle of "never trust, always verify." In essence, it treats all users and devices as potentially untrusted, even those within the network.  Even if a bad actor were to gain access with the highest administrative privileges, they could only cause a limited amount of damage.  Zero trust security involves strict access controls, continuous authentication, and micro-segmentation, ensuring that only authorized entities can access only the embedded systems they immediately need to work on. This approach is particularly effective in an era of remote work and increased reliance on interconnected devices
  3. Supply chain security: 90% of global semiconductor revenue is based in Asia.  The US Government invested $280B in the CHIPS Act alone to address this unsustainable trend and to boost the reshoring of microelectronics research and manufacturing.  It will take at least a decade before this funding is allocated and begins to see the results it intends.  Until we have tighter control over the fabrication, industry standards are emerging to require vetting of suppliers (eg, secure software bills of material (SBOM)) but we still need broader use of cryptographic mechanisms to verify the authenticity of components and adoption of more transparent secure boot processes to ensure the integrity of the system from the moment it's powered on.  Even if we realize the dream of all microelectronics fabricated in the US, there is still a huge security vulnerability in where reusable IP blocks are sourced during the design phase and how to create the US capacity and work force to fully test and validate all of the microelectronics we’ll be fabricating on US soil. Most IP blocks and most microelectronics validation are also sourced from overseas.  Cryptographic checks and a more secure boot process will always be a requirement for supply chain security.
  4. Full lifecycle security: while you’re likely only have your smart phone for about 2.5 years, the lifespan of embedded devices is on average 7 years, with many devices in some sectors like the electrical grid and military systems extending to 30+ years.  Knowing that what gets fielded today will likely be in use in 10-30 years from now means that we need to think twice before we incur too much technical debt in the technology we’re putting into operation today.  Full lifecycle security means not only considering possible future threats but also fully understanding how the system will be maintained and updated while it’s in use.  While the standards are not yet fully baked, no system should be fielded without some protections for future threats like post-quantum crypto, even though quantum computers are not yet a practical reality.  Firmware, the software embedded in hardware components, is a critical component of an embedded system's security. Creative trends in firmware security are focused on implementing secure firmware updates, protecting against unauthorized access, and ensuring the integrity of the firmware throughout its lifecycle.

While there has been tremendous progress in these four trends, there is still a long way to go before the microelectronics that control our lives are notably more secure and prepared for future attack and disruption.  Incorporating proper security is too often viewed as an investment that only realizes a return under a worst-case scenario as opposed to an acceptance of the risk of operating in a digital reality.  Beyond the right technology solutions, it will also take public/private efforts to ensure policies are in place and enforced to see those solutions find their way into everyday life ahead of commercial companies justifying the business case to incorporate these four security approaches at a minimum.  While working groups and standards are helpful, without the adoption by microelectronics vendors and integrators, those standards are less of a “best practice” and more of a surface-deep, checklist-based approach that solves a symptom, rather than the root problem. Sharing information about emerging threats and vulnerabilities can collectively bolster the security of embedded systems but those often come as a lesson-learned after an attack and we perpetuate the cat-and-mouse game.  The only way to get quit incurring this technical debt in the security of the digital systems that control our lives is for commercial companies to be compelled by the public policy stick in the short term until the motivation by the carrot of resilience and reliable operation/revenue catches up.

Recent News