SlideShare a Scribd company logo

Embedded Systems Security: Building a More Secure Device

Priyanka Aash
Priyanka Aash

The document discusses common security issues faced by embedded systems and recommendations for improving security. It identifies 12 common threats to embedded systems, such as supply chain attacks, physical access, reverse engineering, lack of secure configurations, and human errors. The document recommends building security functions into embedded systems from the start to defend against threats, understanding contract manufacturing processes, and ensuring host systems maintain control over security. It advises assessing risks and vulnerabilities based on the 12 threats and seeking external security reviews within 6 months.

Technology
1 of 27
Download to read offline
SESSION ID: #RSAC Copyright © 2016 Raytheon Company Randall Brooks, CISSP, CSSLP Embedded Systems Security: Building a More Secure Device ASD-W05 Engineering Fellow Raytheon @randallsbrooks
#RSAC Objectives What are common embedded systems? What issues do they face? Recommendations for securing embedded systems 2
#RSAC Poll 3 Which operating system is your software most commonly developed for? Which language is your software most commonly developed for? Which hardware does your system run on? What are your thoughts on the following statement: My system is standalone, therefore many Cybersecurity or Software Assurance (SwA) requirements do not apply? What do you perceive as the biggest threats to your embedded system’s security? Given the rise of IoT, do you feel IoT and its issues are related to your embedded system’s security issues?
#RSAC Results (Predicted) OS: Green Hills and VxWorks Language: C++ Hardware: PPC (SoC) Standalone: Systems are not actually standalone Threats: Supply chain, physical access IoT Threats: IoT mirror without legacy issues 4
#RSAC Results (Actual) OS: Large increase in the use of Linux and even Windows Language: C/C++, Java, and even Ada Hardware: x86 (SoC) Standalone: Systems are not actually standalone Threats: Supply chain, physical access, reverse engineering IoT Threats: IoT mirror without legacy issues 5
#RSAC Audience Poll 6 Which operating systems do you see or use? Other languages? Which about hardware? MIPS? ARM?
#RSAC Example Embedded Computing Environment 7 Computing Environment OS APIs Multi-Core Hardware Other Processing Nodes / Payloads Virtualization Hypervisor (Optional) OS - Linux Vendor Provided C++ Service “B” & Libraries Vendor Provided C++ Service “A” & Libraries Vendor Provided Java Service “A” & Libraries Vendor Provided Java Service “B” & Libraries Network Service Bus Java Runtime Environment (JRE)Java Runtime Environment (JRE)
#RSAC Traditional Embedded System Issues Storage components Processing power Battery life Time-to-market Overall cost 8 Functionality, Security, and Cost: Pick Two
#RSAC The Troublesome 12 Embedded Systems Cybersecurity Threats 9 Supply Chain/Counterfeit Parts Legacy Systems Cascading Faults Physical Access Patch update process No Secure Configuration Reverse Engineering Custom protocols Design Mistakes Network Access Custom libraries Humans 0x0c
#RSAC Threat: Supply Chain/Counterfeit Parts Make vs. buy Quality vs. counterfeiting vs. malicious alteration Vendor tracking database ASICS, FPGAs, and microprocessors Destructive and non-destructive analysis Information storage in volatile memory and permanent storage Nano tagging 10
#RSAC Threat: Physical Access Malicious access Maintenance connections Maintenance equipment 11 Game Over?
#RSAC Threat: Reverse Engineering Intellectual Property (IP) access System Integrity Disassembly Black box testing Static Analysis Security Testing (SAST) of binaries Dynamic System Probing 12
#RSAC Threat: Network Access Standalone systems internetworked Unprotected processes Remote access Radio Frequency (RF) manipulation 13
#RSAC Threat: Legacy Systems System interaction Least common security measure Loss of technical knowledge 14
#RSAC Threat: Patch Update Process None Systems are permanent and not updated Unauthenticated No digital signature on software/firmware Invalid No integrity No fail secure 15
#RSAC Threat: Custom Protocols Legacy No authentication Variable size Non-standard or multiple version support 16
#RSAC Threat: Custom Libraries Common functions Extended Malicious library 17
#RSAC Threat: Cascading Faults Information flow – authentication and integrity for end-to-end protection of information between partitions Data isolation – confidentiality of data Periods processing – protect against covert channels Damage limitation – protection from a failure in one partition will not cascade to another partition. MILS Separation Kernel OS (Level 1) OS (Level 2) OS (Level 3) Middleware Services Privileged Mode User Mode 18 Separation kernels keep execution separate
#RSAC Threat: No Secure Configuration Tampered configuration Not secure by default Shared passwords across collection’s embedded systems 19
#RSAC Threat: Design Issues Hard-coded credentials Weak or missing authentication Improper segregation of sensitive and non-sensitive data Weak, custom, or excessive use of encryption Debug functions left in 20
#RSAC Threat: Humans Psychological acceptability Admins or users making an intentional unauthorized change or unintentional authorized change to the system. Auditing, change, and control management Training 21
#RSAC How does this apply to IoT? How closely does IoT mirror these Threat? Does IoT have legacy issues? What about the future? Does the key word “Internet” mean higher risk? 22
#RSAC Conclusion 23 Protect Application, Execution, Data and IP Security functions should be built in and defend against threats within the environment. It is important to understand CPI and what is done to protect it. Host systems must maintain ultimate control over security algorithms to protect the data and prevent IP theft.
#RSAC Applying What You Have Learned Part 1 24 Educate + Learn = Apply Take any new knowledge and apply to your development system As a student hopefully you got 2-3 key items you learned today As an instructor, hopefully I provided some good lessons learned. Let me know what you learned in the Question and Answers!
#RSAC Applying What You Have Learned Part 2 25 Next week you should: Consider the 2-3 key items you learned from this session and start to consider where do they apply to your work? In the first three months following this presentation you should: Do an initial Risk Assessment and consider The Troublesome 12 Embedded Systems Cybersecurity Threats Within six months you should: Seek the advise of a 3rd party vulnerability research or assessment team Train developers on Application Security/Software Assurance
#RSAC Questions? 26
#RSAC Biography 27 Randall Brooks is an Engineering Fellow for Raytheon Company (NYSE: RTN), representing the company within the U.S. International Committee for Information Technology Standards Cyber Security 1 (CS1) and the Cloud Security Alliance. Brooks has nearly 20 years of experience in Cybersecurity with a recognized expertise in Software Assurance (SwA) and secure development life cycles (SDLC). In addition to holding seven patents, Brooks is a CISSP, CSSLP, ISSEP, ISSAP ISSMP, and CCSK. Brooks graduated from Purdue University with a Bachelors of Science from the School of Computer Science. E-mail: brooks@raytheon.com

Recommended

Embedded Systems Security
Embedded Systems Security Embedded Systems Security
Embedded Systems Security Malachi Jones
 
Security in embedded systems
Security in embedded systemsSecurity in embedded systems
Security in embedded systemsRaghav S
 
Secure Embedded Systems
Secure Embedded SystemsSecure Embedded Systems
Secure Embedded SystemsInformatik-Forum Stuttgart e.V.
 
McAffee_Security and System Integrity in Embedded Devices
McAffee_Security and System Integrity in Embedded DevicesMcAffee_Security and System Integrity in Embedded Devices
McAffee_Security and System Integrity in Embedded DevicesIşınsu Akçetin
 
introduction to Embedded System Security
introduction to Embedded System Securityintroduction to Embedded System Security
introduction to Embedded System SecurityAdel Barkam
 
Security in an embedded system
Security in an embedded system Security in an embedded system
Security in an embedded system UrmilasSrinivasan
 
Cybersecurity for modern industrial systems
Cybersecurity for modern industrial systemsCybersecurity for modern industrial systems
Cybersecurity for modern industrial systemsItex Solutions
 
Cyber Resilient Systems Representative Solutions for Trustworthy Systems
Cyber Resilient Systems Representative Solutions for Trustworthy SystemsCyber Resilient Systems Representative Solutions for Trustworthy Systems
Cyber Resilient Systems Representative Solutions for Trustworthy SystemsAgence du Numérique (AdN)
 

Recommended

Embedded Systems Security
Embedded Systems Security Embedded Systems Security
Embedded Systems Security Malachi Jones
 
Security in embedded systems
Security in embedded systemsSecurity in embedded systems
Security in embedded systemsRaghav S
 
Secure Embedded Systems
Secure Embedded SystemsSecure Embedded Systems
Secure Embedded SystemsInformatik-Forum Stuttgart e.V.
 
McAffee_Security and System Integrity in Embedded Devices
McAffee_Security and System Integrity in Embedded DevicesMcAffee_Security and System Integrity in Embedded Devices
McAffee_Security and System Integrity in Embedded DevicesIşınsu Akçetin
 
introduction to Embedded System Security
introduction to Embedded System Securityintroduction to Embedded System Security
introduction to Embedded System SecurityAdel Barkam
 
Security in an embedded system
Security in an embedded system Security in an embedded system
Security in an embedded system UrmilasSrinivasan
 
Cybersecurity for modern industrial systems
Cybersecurity for modern industrial systemsCybersecurity for modern industrial systems
Cybersecurity for modern industrial systemsItex Solutions
 
Cyber Resilient Systems Representative Solutions for Trustworthy Systems
Cyber Resilient Systems Representative Solutions for Trustworthy SystemsCyber Resilient Systems Representative Solutions for Trustworthy Systems
Cyber Resilient Systems Representative Solutions for Trustworthy SystemsAgence du Numérique (AdN)
 
Recent Cybersecurity Concerns and How to Protect SCADA/HMI Applications Prese...
Recent Cybersecurity Concerns and How to Protect SCADA/HMI Applications Prese...Recent Cybersecurity Concerns and How to Protect SCADA/HMI Applications Prese...
Recent Cybersecurity Concerns and How to Protect SCADA/HMI Applications Prese...AVEVA
 
High dependability of the automated systems
High dependability of the automated systemsHigh dependability of the automated systems
High dependability of the automated systemsAlan Tatourian
 
The Future of ICS Security Products
The Future of ICS Security ProductsThe Future of ICS Security Products
The Future of ICS Security ProductsDigital Bond
 
IoT Hardware Teardown, Security Testing & Control Design
IoT Hardware Teardown, Security Testing & Control DesignIoT Hardware Teardown, Security Testing & Control Design
IoT Hardware Teardown, Security Testing & Control DesignPriyanka Aash
 
Using Cyber-Vulnerability Assessment (CVA) to Optimize Control System Upgrade...
Using Cyber-Vulnerability Assessment (CVA) to Optimize Control System Upgrade...Using Cyber-Vulnerability Assessment (CVA) to Optimize Control System Upgrade...
Using Cyber-Vulnerability Assessment (CVA) to Optimize Control System Upgrade...Jim Gilsinn
 
Trisis in Perspective: Implications for ICS Defenders
Trisis in Perspective: Implications for ICS DefendersTrisis in Perspective: Implications for ICS Defenders
Trisis in Perspective: Implications for ICS DefendersDragos, Inc.
 
Vulnerability Inheritance in ICS (English)
Vulnerability Inheritance in ICS (English)Vulnerability Inheritance in ICS (English)
Vulnerability Inheritance in ICS (English)Digital Bond
 
Power System Cybersecurity: Barriers and Challenges
Power System Cybersecurity: Barriers and Challenges Power System Cybersecurity: Barriers and Challenges
Power System Cybersecurity: Barriers and Challenges Nathan Wallace, PhD, PE
 
Industrial IoT Security Standards & Frameworks
Industrial IoT Security Standards & FrameworksIndustrial IoT Security Standards & Frameworks
Industrial IoT Security Standards & FrameworksPriyanka Aash
 
Security Architecture for Cyber Physical Systems
Security Architecture for Cyber Physical SystemsSecurity Architecture for Cyber Physical Systems
Security Architecture for Cyber Physical SystemsAlan Tatourian
 
Managing Next Generation Threats to Cyber Security
Managing Next Generation Threats to Cyber SecurityManaging Next Generation Threats to Cyber Security
Managing Next Generation Threats to Cyber SecurityPriyanka Aash
 
What Is Next-Generation Endpoint Security and Why Do You Need It?
What Is Next-Generation Endpoint Security and Why Do You Need It?What Is Next-Generation Endpoint Security and Why Do You Need It?
What Is Next-Generation Endpoint Security and Why Do You Need It?Priyanka Aash
 
Critical Infrastructure Security by Subodh Belgi
Critical Infrastructure Security by Subodh BelgiCritical Infrastructure Security by Subodh Belgi
Critical Infrastructure Security by Subodh BelgiClubHack
 
Reference Security Architecture for Mobility- Insurance
Reference Security Architecture for Mobility- InsuranceReference Security Architecture for Mobility- Insurance
Reference Security Architecture for Mobility- InsurancePriyanka Aash
 
IEEE PES GM 2017 Cybersecurity Panel Talk
IEEE PES GM 2017 Cybersecurity Panel TalkIEEE PES GM 2017 Cybersecurity Panel Talk
IEEE PES GM 2017 Cybersecurity Panel TalkNathan Wallace, PhD, PE
 
Building a Cyber Security Operations Center for SCADA/ICS Environments
Building a Cyber Security Operations Center for SCADA/ICS EnvironmentsBuilding a Cyber Security Operations Center for SCADA/ICS Environments
Building a Cyber Security Operations Center for SCADA/ICS EnvironmentsShah Sheikh
 
Why Zero Trust Yields Maximum Security
Why Zero Trust Yields Maximum SecurityWhy Zero Trust Yields Maximum Security
Why Zero Trust Yields Maximum SecurityPriyanka Aash
 
TRISIS in Perspective
TRISIS in PerspectiveTRISIS in Perspective
TRISIS in PerspectiveDragos, Inc.
 
S4xJapan Closing Keynote
S4xJapan Closing KeynoteS4xJapan Closing Keynote
S4xJapan Closing KeynoteDigital Bond
 
Lesson 1 - Technical Controls
Lesson 1 - Technical ControlsLesson 1 - Technical Controls
Lesson 1 - Technical ControlsMLG College of Learning, Inc
 
Security in Embedded systems
Security in Embedded systems Security in Embedded systems
Security in Embedded systems Naveen Jakhar, I.T.S
 
Securing embedded systems (for share)
Securing embedded systems (for share)Securing embedded systems (for share)
Securing embedded systems (for share)AndrewRJamieson
 

More Related Content

What's hot

Recent Cybersecurity Concerns and How to Protect SCADA/HMI Applications Prese...
Recent Cybersecurity Concerns and How to Protect SCADA/HMI Applications Prese...Recent Cybersecurity Concerns and How to Protect SCADA/HMI Applications Prese...
Recent Cybersecurity Concerns and How to Protect SCADA/HMI Applications Prese...AVEVA
 
High dependability of the automated systems
High dependability of the automated systemsHigh dependability of the automated systems
High dependability of the automated systemsAlan Tatourian
 
The Future of ICS Security Products
The Future of ICS Security ProductsThe Future of ICS Security Products
The Future of ICS Security ProductsDigital Bond
 
IoT Hardware Teardown, Security Testing & Control Design
IoT Hardware Teardown, Security Testing & Control DesignIoT Hardware Teardown, Security Testing & Control Design
IoT Hardware Teardown, Security Testing & Control DesignPriyanka Aash
 
Using Cyber-Vulnerability Assessment (CVA) to Optimize Control System Upgrade...
Using Cyber-Vulnerability Assessment (CVA) to Optimize Control System Upgrade...Using Cyber-Vulnerability Assessment (CVA) to Optimize Control System Upgrade...
Using Cyber-Vulnerability Assessment (CVA) to Optimize Control System Upgrade...Jim Gilsinn
 
Trisis in Perspective: Implications for ICS Defenders
Trisis in Perspective: Implications for ICS DefendersTrisis in Perspective: Implications for ICS Defenders
Trisis in Perspective: Implications for ICS DefendersDragos, Inc.
 
Vulnerability Inheritance in ICS (English)
Vulnerability Inheritance in ICS (English)Vulnerability Inheritance in ICS (English)
Vulnerability Inheritance in ICS (English)Digital Bond
 
Power System Cybersecurity: Barriers and Challenges
Power System Cybersecurity: Barriers and Challenges Power System Cybersecurity: Barriers and Challenges
Power System Cybersecurity: Barriers and Challenges Nathan Wallace, PhD, PE
 
Industrial IoT Security Standards & Frameworks
Industrial IoT Security Standards & FrameworksIndustrial IoT Security Standards & Frameworks
Industrial IoT Security Standards & FrameworksPriyanka Aash
 
Security Architecture for Cyber Physical Systems
Security Architecture for Cyber Physical SystemsSecurity Architecture for Cyber Physical Systems
Security Architecture for Cyber Physical SystemsAlan Tatourian
 
Managing Next Generation Threats to Cyber Security
Managing Next Generation Threats to Cyber SecurityManaging Next Generation Threats to Cyber Security
Managing Next Generation Threats to Cyber SecurityPriyanka Aash
 
What Is Next-Generation Endpoint Security and Why Do You Need It?
What Is Next-Generation Endpoint Security and Why Do You Need It?What Is Next-Generation Endpoint Security and Why Do You Need It?
What Is Next-Generation Endpoint Security and Why Do You Need It?Priyanka Aash
 
Critical Infrastructure Security by Subodh Belgi
Critical Infrastructure Security by Subodh BelgiCritical Infrastructure Security by Subodh Belgi
Critical Infrastructure Security by Subodh BelgiClubHack
 
Reference Security Architecture for Mobility- Insurance
Reference Security Architecture for Mobility- InsuranceReference Security Architecture for Mobility- Insurance
Reference Security Architecture for Mobility- InsurancePriyanka Aash
 
IEEE PES GM 2017 Cybersecurity Panel Talk
IEEE PES GM 2017 Cybersecurity Panel TalkIEEE PES GM 2017 Cybersecurity Panel Talk
IEEE PES GM 2017 Cybersecurity Panel TalkNathan Wallace, PhD, PE
 
Building a Cyber Security Operations Center for SCADA/ICS Environments
Building a Cyber Security Operations Center for SCADA/ICS EnvironmentsBuilding a Cyber Security Operations Center for SCADA/ICS Environments
Building a Cyber Security Operations Center for SCADA/ICS EnvironmentsShah Sheikh
 
Why Zero Trust Yields Maximum Security
Why Zero Trust Yields Maximum SecurityWhy Zero Trust Yields Maximum Security
Why Zero Trust Yields Maximum SecurityPriyanka Aash
 
TRISIS in Perspective
TRISIS in PerspectiveTRISIS in Perspective
TRISIS in PerspectiveDragos, Inc.
 
S4xJapan Closing Keynote
S4xJapan Closing KeynoteS4xJapan Closing Keynote
S4xJapan Closing KeynoteDigital Bond
 

What's hot (20)

Recent Cybersecurity Concerns and How to Protect SCADA/HMI Applications Prese...
Recent Cybersecurity Concerns and How to Protect SCADA/HMI Applications Prese...Recent Cybersecurity Concerns and How to Protect SCADA/HMI Applications Prese...
Recent Cybersecurity Concerns and How to Protect SCADA/HMI Applications Prese...
 
High dependability of the automated systems
High dependability of the automated systemsHigh dependability of the automated systems
High dependability of the automated systems
 
The Future of ICS Security Products
The Future of ICS Security ProductsThe Future of ICS Security Products
The Future of ICS Security Products
 
IoT Hardware Teardown, Security Testing & Control Design
IoT Hardware Teardown, Security Testing & Control DesignIoT Hardware Teardown, Security Testing & Control Design
IoT Hardware Teardown, Security Testing & Control Design
 
Using Cyber-Vulnerability Assessment (CVA) to Optimize Control System Upgrade...
Using Cyber-Vulnerability Assessment (CVA) to Optimize Control System Upgrade...Using Cyber-Vulnerability Assessment (CVA) to Optimize Control System Upgrade...
Using Cyber-Vulnerability Assessment (CVA) to Optimize Control System Upgrade...
 
Trisis in Perspective: Implications for ICS Defenders
Trisis in Perspective: Implications for ICS DefendersTrisis in Perspective: Implications for ICS Defenders
Trisis in Perspective: Implications for ICS Defenders
 
Vulnerability Inheritance in ICS (English)
Vulnerability Inheritance in ICS (English)Vulnerability Inheritance in ICS (English)
Vulnerability Inheritance in ICS (English)
 
Power System Cybersecurity: Barriers and Challenges
Power System Cybersecurity: Barriers and Challenges Power System Cybersecurity: Barriers and Challenges
Power System Cybersecurity: Barriers and Challenges
 
Industrial IoT Security Standards & Frameworks
Industrial IoT Security Standards & FrameworksIndustrial IoT Security Standards & Frameworks
Industrial IoT Security Standards & Frameworks
 
Security Architecture for Cyber Physical Systems
Security Architecture for Cyber Physical SystemsSecurity Architecture for Cyber Physical Systems
Security Architecture for Cyber Physical Systems
 
Managing Next Generation Threats to Cyber Security
Managing Next Generation Threats to Cyber SecurityManaging Next Generation Threats to Cyber Security
Managing Next Generation Threats to Cyber Security
 
What Is Next-Generation Endpoint Security and Why Do You Need It?
What Is Next-Generation Endpoint Security and Why Do You Need It?What Is Next-Generation Endpoint Security and Why Do You Need It?
What Is Next-Generation Endpoint Security and Why Do You Need It?
 
Critical Infrastructure Security by Subodh Belgi
Critical Infrastructure Security by Subodh BelgiCritical Infrastructure Security by Subodh Belgi
Critical Infrastructure Security by Subodh Belgi
 
Reference Security Architecture for Mobility- Insurance
Reference Security Architecture for Mobility- InsuranceReference Security Architecture for Mobility- Insurance
Reference Security Architecture for Mobility- Insurance
 
IEEE PES GM 2017 Cybersecurity Panel Talk
IEEE PES GM 2017 Cybersecurity Panel TalkIEEE PES GM 2017 Cybersecurity Panel Talk
IEEE PES GM 2017 Cybersecurity Panel Talk
 
Building a Cyber Security Operations Center for SCADA/ICS Environments
Building a Cyber Security Operations Center for SCADA/ICS EnvironmentsBuilding a Cyber Security Operations Center for SCADA/ICS Environments
Building a Cyber Security Operations Center for SCADA/ICS Environments
 
Why Zero Trust Yields Maximum Security
Why Zero Trust Yields Maximum SecurityWhy Zero Trust Yields Maximum Security
Why Zero Trust Yields Maximum Security
 
TRISIS in Perspective
TRISIS in PerspectiveTRISIS in Perspective
TRISIS in Perspective
 
S4xJapan Closing Keynote
S4xJapan Closing KeynoteS4xJapan Closing Keynote
S4xJapan Closing Keynote
 
Lesson 1 - Technical Controls
Lesson 1 - Technical ControlsLesson 1 - Technical Controls
Lesson 1 - Technical Controls
 

Viewers also liked

Securing embedded systems (for share)
Securing embedded systems (for share)Securing embedded systems (for share)
Securing embedded systems (for share)AndrewRJamieson
 
ppt on embedded system
ppt on embedded systemppt on embedded system
ppt on embedded systemmanish katara
 
Embedded Security and the IoT – Challenges, Trends and Solutions
Embedded Security and the IoT – Challenges, Trends and SolutionsEmbedded Security and the IoT – Challenges, Trends and Solutions
Embedded Security and the IoT – Challenges, Trends and SolutionsReal-Time Innovations (RTI)
 
Embedded Security and the IoT
Embedded Security and the IoTEmbedded Security and the IoT
Embedded Security and the IoTteam-WIBU
 
Next Generation Embedded Systems Security for IOT: Powered by Kaspersky
Next Generation Embedded Systems Security for IOT: Powered by KasperskyNext Generation Embedded Systems Security for IOT: Powered by Kaspersky
Next Generation Embedded Systems Security for IOT: Powered by KasperskyL. Duke Golden
 
Embedded based home security system
Embedded based home security systemEmbedded based home security system
Embedded based home security systemNIT srinagar
 
Opportunities and Challenges of Large-scale IoT Data Analytics
Opportunities and Challenges of Large-scale IoT Data AnalyticsOpportunities and Challenges of Large-scale IoT Data Analytics
Opportunities and Challenges of Large-scale IoT Data AnalyticsPayamBarnaghi
 
Enabling embedded security for the Internet of Things
Enabling embedded security for the Internet of ThingsEnabling embedded security for the Internet of Things
Enabling embedded security for the Internet of Thingsteam-WIBU
 
Introduction To Embedded Systems
Introduction To Embedded SystemsIntroduction To Embedded Systems
Introduction To Embedded SystemsVishwa Mohan
 
Unit 1 embedded systems and applications
Unit 1 embedded systems and applicationsUnit 1 embedded systems and applications
Unit 1 embedded systems and applicationsDr.YNM
 
LinkedIn SlideShare: Knowledge, Well-Presented
LinkedIn SlideShare: Knowledge, Well-PresentedLinkedIn SlideShare: Knowledge, Well-Presented
LinkedIn SlideShare: Knowledge, Well-PresentedSlideShare
 
Eloi Sanfelix - Hardware security: Side Channel Attacks [RootedCON 2011]
Eloi Sanfelix - Hardware security: Side Channel Attacks [RootedCON 2011]Eloi Sanfelix - Hardware security: Side Channel Attacks [RootedCON 2011]
Eloi Sanfelix - Hardware security: Side Channel Attacks [RootedCON 2011]RootedCON
 
IoT-market-estimative
IoT-market-estimativeIoT-market-estimative
IoT-market-estimativeCleber Gomes
 
Making and breaking security in embedded devices
Making and breaking security in embedded devicesMaking and breaking security in embedded devices
Making and breaking security in embedded devicesYashin Mehaboobe
 
Your Thing is Pwned - Security Challenges for the IoT
Your Thing is Pwned - Security Challenges for the IoTYour Thing is Pwned - Security Challenges for the IoT
Your Thing is Pwned - Security Challenges for the IoTWSO2
 

Viewers also liked (20)

Security in Embedded systems
Security in Embedded systems Security in Embedded systems
Security in Embedded systems
 
Securing embedded systems (for share)
Securing embedded systems (for share)Securing embedded systems (for share)
Securing embedded systems (for share)
 
ppt on embedded system
ppt on embedded systemppt on embedded system
ppt on embedded system
 
Embedded Security and the IoT – Challenges, Trends and Solutions
Embedded Security and the IoT – Challenges, Trends and SolutionsEmbedded Security and the IoT – Challenges, Trends and Solutions
Embedded Security and the IoT – Challenges, Trends and Solutions
 
Embedded Security and the IoT
Embedded Security and the IoTEmbedded Security and the IoT
Embedded Security and the IoT
 
Embedded System Basics
Embedded System BasicsEmbedded System Basics
Embedded System Basics
 
Next Generation Embedded Systems Security for IOT: Powered by Kaspersky
Next Generation Embedded Systems Security for IOT: Powered by KasperskyNext Generation Embedded Systems Security for IOT: Powered by Kaspersky
Next Generation Embedded Systems Security for IOT: Powered by Kaspersky
 
Embedded based home security system
Embedded based home security systemEmbedded based home security system
Embedded based home security system
 
Opportunities and Challenges of Large-scale IoT Data Analytics
Opportunities and Challenges of Large-scale IoT Data AnalyticsOpportunities and Challenges of Large-scale IoT Data Analytics
Opportunities and Challenges of Large-scale IoT Data Analytics
 
Enabling embedded security for the Internet of Things
Enabling embedded security for the Internet of ThingsEnabling embedded security for the Internet of Things
Enabling embedded security for the Internet of Things
 
Embedded system ppt
Embedded system pptEmbedded system ppt
Embedded system ppt
 
Introduction To Embedded Systems
Introduction To Embedded SystemsIntroduction To Embedded Systems
Introduction To Embedded Systems
 
Unit 1 embedded systems and applications
Unit 1 embedded systems and applicationsUnit 1 embedded systems and applications
Unit 1 embedded systems and applications
 
LinkedIn SlideShare: Knowledge, Well-Presented
LinkedIn SlideShare: Knowledge, Well-PresentedLinkedIn SlideShare: Knowledge, Well-Presented
LinkedIn SlideShare: Knowledge, Well-Presented
 
Eloi Sanfelix - Hardware security: Side Channel Attacks [RootedCON 2011]
Eloi Sanfelix - Hardware security: Side Channel Attacks [RootedCON 2011]Eloi Sanfelix - Hardware security: Side Channel Attacks [RootedCON 2011]
Eloi Sanfelix - Hardware security: Side Channel Attacks [RootedCON 2011]
 
IoT-market-estimative
IoT-market-estimativeIoT-market-estimative
IoT-market-estimative
 
6 weeks training on Embedded System
6 weeks training on Embedded System6 weeks training on Embedded System
6 weeks training on Embedded System
 
Timers
TimersTimers
Timers
 
Making and breaking security in embedded devices
Making and breaking security in embedded devicesMaking and breaking security in embedded devices
Making and breaking security in embedded devices
 
Your Thing is Pwned - Security Challenges for the IoT
Your Thing is Pwned - Security Challenges for the IoTYour Thing is Pwned - Security Challenges for the IoT
Your Thing is Pwned - Security Challenges for the IoT
 

Similar to Embedded Systems Security: Building a More Secure Device

RSA 2021 Navigating the Unknowable: Resilience through Security Chaos Enginee...
RSA 2021 Navigating the Unknowable: Resilience through Security Chaos Enginee...RSA 2021 Navigating the Unknowable: Resilience through Security Chaos Enginee...
RSA 2021 Navigating the Unknowable: Resilience through Security Chaos Enginee...Aaron Rinehart
 
Secure Your DevOps Pipeline Best Practices Meetup 08022024.pptx
Secure Your DevOps Pipeline Best Practices Meetup 08022024.pptxSecure Your DevOps Pipeline Best Practices Meetup 08022024.pptx
Secure Your DevOps Pipeline Best Practices Meetup 08022024.pptxlior mazor
 
Rapid Threat Modeling Techniques
Rapid Threat Modeling TechniquesRapid Threat Modeling Techniques
Rapid Threat Modeling TechniquesPriyanka Aash
 
Corpsec: “What Happened to Corpses A and B?”
Corpsec: “What Happened to Corpses A and B?”Corpsec: “What Happened to Corpses A and B?”
Corpsec: “What Happened to Corpses A and B?”Priyanka Aash
 
Continuous security: Bringing agility to the secure development lifecycle
Continuous security: Bringing agility to the secure development lifecycleContinuous security: Bringing agility to the secure development lifecycle
Continuous security: Bringing agility to the secure development lifecycleRogue Wave Software
 
The Seven Most Dangerous New Attack Techniques, and What's Coming Next
The Seven Most Dangerous New Attack Techniques, and What's Coming NextThe Seven Most Dangerous New Attack Techniques, and What's Coming Next
The Seven Most Dangerous New Attack Techniques, and What's Coming NextPriyanka Aash
 
The Seven Most Dangerous New Attack Techniques, and What's Coming Next
The Seven Most Dangerous New Attack Techniques, and What's Coming NextThe Seven Most Dangerous New Attack Techniques, and What's Coming Next
The Seven Most Dangerous New Attack Techniques, and What's Coming NextPriyanka Aash
 
Threat intel- -content-curation-organizing-the-path-to-successful-detection
Threat intel- -content-curation-organizing-the-path-to-successful-detectionThreat intel- -content-curation-organizing-the-path-to-successful-detection
Threat intel- -content-curation-organizing-the-path-to-successful-detectionPriyanka Aash
 
str-w04_next-wave-of-security-operationalization
str-w04_next-wave-of-security-operationalizationstr-w04_next-wave-of-security-operationalization
str-w04_next-wave-of-security-operationalizationpeter lam
 
Finding the needle in the hardware haystack - HRES (1)
Finding the needle in the hardware haystack - HRES (1)Finding the needle in the hardware haystack - HRES (1)
Finding the needle in the hardware haystack - HRES (1)Tim Wright
 
Timothy Wright & Stephen Halwes - Finding the Needle in the Hardware – Identi...
Timothy Wright & Stephen Halwes - Finding the Needle in the Hardware – Identi...Timothy Wright & Stephen Halwes - Finding the Needle in the Hardware – Identi...
Timothy Wright & Stephen Halwes - Finding the Needle in the Hardware – Identi...centralohioissa
 
Integrating Cybersecurity into Supply Chain Risk Management
Integrating Cybersecurity into Supply Chain Risk ManagementIntegrating Cybersecurity into Supply Chain Risk Management
Integrating Cybersecurity into Supply Chain Risk ManagementPriyanka Aash
 
Integrating Cybersecurity into Supply Chain Risk Management
Integrating Cybersecurity into Supply Chain Risk ManagementIntegrating Cybersecurity into Supply Chain Risk Management
Integrating Cybersecurity into Supply Chain Risk ManagementPriyanka Aash
 
Take It to the Cloud: The Evolution of Security Architecture
Take It to the Cloud: The Evolution of Security ArchitectureTake It to the Cloud: The Evolution of Security Architecture
Take It to the Cloud: The Evolution of Security ArchitecturePriyanka Aash
 
SCS DevSecOps Seminar - State of DevSecOps
SCS DevSecOps Seminar - State of DevSecOpsSCS DevSecOps Seminar - State of DevSecOps
SCS DevSecOps Seminar - State of DevSecOpsStefan Streichsbier
 
Securing 100 products - How hard can it be?
Securing 100 products - How hard can it be?Securing 100 products - How hard can it be?
Securing 100 products - How hard can it be?Priyanka Aash
 
How PCI And PA DSS will change enterprise applications
How PCI And PA DSS will change enterprise applicationsHow PCI And PA DSS will change enterprise applications
How PCI And PA DSS will change enterprise applicationsBen Rothke
 

Similar to Embedded Systems Security: Building a More Secure Device (20)

RSA 2021 Navigating the Unknowable: Resilience through Security Chaos Enginee...
RSA 2021 Navigating the Unknowable: Resilience through Security Chaos Enginee...RSA 2021 Navigating the Unknowable: Resilience through Security Chaos Enginee...
RSA 2021 Navigating the Unknowable: Resilience through Security Chaos Enginee...
 
Secure Your DevOps Pipeline Best Practices Meetup 08022024.pptx
Secure Your DevOps Pipeline Best Practices Meetup 08022024.pptxSecure Your DevOps Pipeline Best Practices Meetup 08022024.pptx
Secure Your DevOps Pipeline Best Practices Meetup 08022024.pptx
 
Rapid Threat Modeling Techniques
Rapid Threat Modeling TechniquesRapid Threat Modeling Techniques
Rapid Threat Modeling Techniques
 
Corpsec: “What Happened to Corpses A and B?”
Corpsec: “What Happened to Corpses A and B?”Corpsec: “What Happened to Corpses A and B?”
Corpsec: “What Happened to Corpses A and B?”
 
Continuous security: Bringing agility to the secure development lifecycle
Continuous security: Bringing agility to the secure development lifecycleContinuous security: Bringing agility to the secure development lifecycle
Continuous security: Bringing agility to the secure development lifecycle
 
The Seven Most Dangerous New Attack Techniques, and What's Coming Next
The Seven Most Dangerous New Attack Techniques, and What's Coming NextThe Seven Most Dangerous New Attack Techniques, and What's Coming Next
The Seven Most Dangerous New Attack Techniques, and What's Coming Next
 
The Seven Most Dangerous New Attack Techniques, and What's Coming Next
The Seven Most Dangerous New Attack Techniques, and What's Coming NextThe Seven Most Dangerous New Attack Techniques, and What's Coming Next
The Seven Most Dangerous New Attack Techniques, and What's Coming Next
 
Threat intel- -content-curation-organizing-the-path-to-successful-detection
Threat intel- -content-curation-organizing-the-path-to-successful-detectionThreat intel- -content-curation-organizing-the-path-to-successful-detection
Threat intel- -content-curation-organizing-the-path-to-successful-detection
 
str-w04_next-wave-of-security-operationalization
str-w04_next-wave-of-security-operationalizationstr-w04_next-wave-of-security-operationalization
str-w04_next-wave-of-security-operationalization
 
inSOC Sales Deck Dec 2020.pdf
inSOC Sales Deck Dec 2020.pdfinSOC Sales Deck Dec 2020.pdf
inSOC Sales Deck Dec 2020.pdf
 
Finding the needle in the hardware haystack - HRES (1)
Finding the needle in the hardware haystack - HRES (1)Finding the needle in the hardware haystack - HRES (1)
Finding the needle in the hardware haystack - HRES (1)
 
Secureview 3
Secureview 3Secureview 3
Secureview 3
 
Timothy Wright & Stephen Halwes - Finding the Needle in the Hardware – Identi...
Timothy Wright & Stephen Halwes - Finding the Needle in the Hardware – Identi...Timothy Wright & Stephen Halwes - Finding the Needle in the Hardware – Identi...
Timothy Wright & Stephen Halwes - Finding the Needle in the Hardware – Identi...
 
Integrating Cybersecurity into Supply Chain Risk Management
Integrating Cybersecurity into Supply Chain Risk ManagementIntegrating Cybersecurity into Supply Chain Risk Management
Integrating Cybersecurity into Supply Chain Risk Management
 
Integrating Cybersecurity into Supply Chain Risk Management
Integrating Cybersecurity into Supply Chain Risk ManagementIntegrating Cybersecurity into Supply Chain Risk Management
Integrating Cybersecurity into Supply Chain Risk Management
 
Take It to the Cloud: The Evolution of Security Architecture
Take It to the Cloud: The Evolution of Security ArchitectureTake It to the Cloud: The Evolution of Security Architecture
Take It to the Cloud: The Evolution of Security Architecture
 
SCS DevSecOps Seminar - State of DevSecOps
SCS DevSecOps Seminar - State of DevSecOpsSCS DevSecOps Seminar - State of DevSecOps
SCS DevSecOps Seminar - State of DevSecOps
 
Securing 100 products - How hard can it be?
Securing 100 products - How hard can it be?Securing 100 products - How hard can it be?
Securing 100 products - How hard can it be?
 
Stop Passing the Bug: IoT Supply Chain Security
Stop Passing the Bug: IoT Supply Chain SecurityStop Passing the Bug: IoT Supply Chain Security
Stop Passing the Bug: IoT Supply Chain Security
 
How PCI And PA DSS will change enterprise applications
How PCI And PA DSS will change enterprise applicationsHow PCI And PA DSS will change enterprise applications
How PCI And PA DSS will change enterprise applications
 

More from Priyanka Aash

Digital Personal Data Protection (DPDP) Practical Approach For CISOs
Digital Personal Data Protection (DPDP) Practical Approach For CISOsDigital Personal Data Protection (DPDP) Practical Approach For CISOs
Digital Personal Data Protection (DPDP) Practical Approach For CISOsPriyanka Aash
 
Verizon Breach Investigation Report (VBIR).pdf
Verizon Breach Investigation Report (VBIR).pdfVerizon Breach Investigation Report (VBIR).pdf
Verizon Breach Investigation Report (VBIR).pdfPriyanka Aash
 
Top 10 Security Risks .pptx.pdf
Top 10 Security Risks .pptx.pdfTop 10 Security Risks .pptx.pdf
Top 10 Security Risks .pptx.pdfPriyanka Aash
 
Simplifying data privacy and protection.pdf
Simplifying data privacy and protection.pdfSimplifying data privacy and protection.pdf
Simplifying data privacy and protection.pdfPriyanka Aash
 
Generative AI and Security (1).pptx.pdf
Generative AI and Security (1).pptx.pdfGenerative AI and Security (1).pptx.pdf
Generative AI and Security (1).pptx.pdfPriyanka Aash
 
EVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdf
EVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdfEVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdf
EVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdfPriyanka Aash
 
Cyber Truths_Are you Prepared version 1.1.pptx.pdf
Cyber Truths_Are you Prepared version 1.1.pptx.pdfCyber Truths_Are you Prepared version 1.1.pptx.pdf
Cyber Truths_Are you Prepared version 1.1.pptx.pdfPriyanka Aash
 
Cyber Crisis Management.pdf
Cyber Crisis Management.pdfCyber Crisis Management.pdf
Cyber Crisis Management.pdfPriyanka Aash
 
CISOPlatform journey.pptx.pdf
CISOPlatform journey.pptx.pdfCISOPlatform journey.pptx.pdf
CISOPlatform journey.pptx.pdfPriyanka Aash
 
Chennai Chapter.pptx.pdf
Chennai Chapter.pptx.pdfChennai Chapter.pptx.pdf
Chennai Chapter.pptx.pdfPriyanka Aash
 
Cloud attack vectors_Moshe.pdf
Cloud attack vectors_Moshe.pdfCloud attack vectors_Moshe.pdf
Cloud attack vectors_Moshe.pdfPriyanka Aash
 
Stories From The Web 3 Battlefield
Stories From The Web 3 BattlefieldStories From The Web 3 Battlefield
Stories From The Web 3 BattlefieldPriyanka Aash
 
Lessons Learned From Ransomware Attacks
Lessons Learned From Ransomware AttacksLessons Learned From Ransomware Attacks
Lessons Learned From Ransomware AttacksPriyanka Aash
 
Emerging New Threats And Top CISO Priorities In 2022 (Chennai)
Emerging New Threats And Top CISO Priorities In 2022 (Chennai)Emerging New Threats And Top CISO Priorities In 2022 (Chennai)
Emerging New Threats And Top CISO Priorities In 2022 (Chennai)Priyanka Aash
 
Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)
Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)
Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)Priyanka Aash
 
Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)
Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)
Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)Priyanka Aash
 
Cloud Security: Limitations of Cloud Security Groups and Flow Logs
Cloud Security: Limitations of Cloud Security Groups and Flow LogsCloud Security: Limitations of Cloud Security Groups and Flow Logs
Cloud Security: Limitations of Cloud Security Groups and Flow LogsPriyanka Aash
 
Cyber Security Governance
Cyber Security GovernanceCyber Security Governance
Cyber Security GovernancePriyanka Aash
 

More from Priyanka Aash (20)

Digital Personal Data Protection (DPDP) Practical Approach For CISOs
Digital Personal Data Protection (DPDP) Practical Approach For CISOsDigital Personal Data Protection (DPDP) Practical Approach For CISOs
Digital Personal Data Protection (DPDP) Practical Approach For CISOs
 
Verizon Breach Investigation Report (VBIR).pdf
Verizon Breach Investigation Report (VBIR).pdfVerizon Breach Investigation Report (VBIR).pdf
Verizon Breach Investigation Report (VBIR).pdf
 
Top 10 Security Risks .pptx.pdf
Top 10 Security Risks .pptx.pdfTop 10 Security Risks .pptx.pdf
Top 10 Security Risks .pptx.pdf
 
Simplifying data privacy and protection.pdf
Simplifying data privacy and protection.pdfSimplifying data privacy and protection.pdf
Simplifying data privacy and protection.pdf
 
Generative AI and Security (1).pptx.pdf
Generative AI and Security (1).pptx.pdfGenerative AI and Security (1).pptx.pdf
Generative AI and Security (1).pptx.pdf
 
EVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdf
EVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdfEVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdf
EVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdf
 
DPDP Act 2023.pdf
DPDP Act 2023.pdfDPDP Act 2023.pdf
DPDP Act 2023.pdf
 
Cyber Truths_Are you Prepared version 1.1.pptx.pdf
Cyber Truths_Are you Prepared version 1.1.pptx.pdfCyber Truths_Are you Prepared version 1.1.pptx.pdf
Cyber Truths_Are you Prepared version 1.1.pptx.pdf
 
Cyber Crisis Management.pdf
Cyber Crisis Management.pdfCyber Crisis Management.pdf
Cyber Crisis Management.pdf
 
CISOPlatform journey.pptx.pdf
CISOPlatform journey.pptx.pdfCISOPlatform journey.pptx.pdf
CISOPlatform journey.pptx.pdf
 
Chennai Chapter.pptx.pdf
Chennai Chapter.pptx.pdfChennai Chapter.pptx.pdf
Chennai Chapter.pptx.pdf
 
Cloud attack vectors_Moshe.pdf
Cloud attack vectors_Moshe.pdfCloud attack vectors_Moshe.pdf
Cloud attack vectors_Moshe.pdf
 
Stories From The Web 3 Battlefield
Stories From The Web 3 BattlefieldStories From The Web 3 Battlefield
Stories From The Web 3 Battlefield
 
Lessons Learned From Ransomware Attacks
Lessons Learned From Ransomware AttacksLessons Learned From Ransomware Attacks
Lessons Learned From Ransomware Attacks
 
Emerging New Threats And Top CISO Priorities In 2022 (Chennai)
Emerging New Threats And Top CISO Priorities In 2022 (Chennai)Emerging New Threats And Top CISO Priorities In 2022 (Chennai)
Emerging New Threats And Top CISO Priorities In 2022 (Chennai)
 
Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)
Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)
Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)
 
Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)
Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)
Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)
 
Cloud Security: Limitations of Cloud Security Groups and Flow Logs
Cloud Security: Limitations of Cloud Security Groups and Flow LogsCloud Security: Limitations of Cloud Security Groups and Flow Logs
Cloud Security: Limitations of Cloud Security Groups and Flow Logs
 
Cyber Security Governance
Cyber Security GovernanceCyber Security Governance
Cyber Security Governance
 
Ethical Hacking
Ethical HackingEthical Hacking
Ethical Hacking
 

Recently uploaded

Using IESVE for Room Loads Analysis - UK & Ireland
Using IESVE for Room Loads Analysis - UK & IrelandUsing IESVE for Room Loads Analysis - UK & Ireland
Using IESVE for Room Loads Analysis - UK & IrelandIES VE
 
TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...
TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...
TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...TrustArc
 
TopCryptoSupers 12thReport OrionX May2024
TopCryptoSupers 12thReport OrionX May2024TopCryptoSupers 12thReport OrionX May2024
TopCryptoSupers 12thReport OrionX May2024Stephen Perrenod
 
Top 10 CodeIgniter Development Companies
Top 10 CodeIgniter Development CompaniesTop 10 CodeIgniter Development Companies
Top 10 CodeIgniter Development CompaniesTopCSSGallery
 
The Metaverse: Are We There Yet?
The Metaverse: Are We There Yet?The Metaverse: Are We There Yet?
The Metaverse: Are We There Yet?Mark Billinghurst
 
How to Check CNIC Information Online with Pakdata cf
How to Check CNIC Information Online with Pakdata cfHow to Check CNIC Information Online with Pakdata cf
How to Check CNIC Information Online with Pakdata cfdanishmna97
 
Microsoft CSP Briefing Pre-Engagement - Questionnaire
Microsoft CSP Briefing Pre-Engagement - QuestionnaireMicrosoft CSP Briefing Pre-Engagement - Questionnaire
Microsoft CSP Briefing Pre-Engagement - QuestionnaireExakis Nelite
 
2024 May Patch Tuesday
2024 May Patch Tuesday2024 May Patch Tuesday
2024 May Patch TuesdayIvanti
 
Generative AI Use Cases and Applications.pdf
Generative AI Use Cases and Applications.pdfGenerative AI Use Cases and Applications.pdf
Generative AI Use Cases and Applications.pdfalexjohnson7307
 
Event-Driven Architecture Masterclass: Challenges in Stream Processing
Event-Driven Architecture Masterclass: Challenges in Stream ProcessingEvent-Driven Architecture Masterclass: Challenges in Stream Processing
Event-Driven Architecture Masterclass: Challenges in Stream ProcessingScyllaDB
 
Vector Search @ sw2con for slideshare.pptx
Vector Search @ sw2con for slideshare.pptxVector Search @ sw2con for slideshare.pptx
Vector Search @ sw2con for slideshare.pptxjbellis
 
Easier, Faster, and More Powerful – Alles Neu macht der Mai -Wir durchleuchte...
Easier, Faster, and More Powerful – Alles Neu macht der Mai -Wir durchleuchte...Easier, Faster, and More Powerful – Alles Neu macht der Mai -Wir durchleuchte...
Easier, Faster, and More Powerful – Alles Neu macht der Mai -Wir durchleuchte...panagenda
 
State of the Smart Building Startup Landscape 2024!
State of the Smart Building Startup Landscape 2024!State of the Smart Building Startup Landscape 2024!
State of the Smart Building Startup Landscape 2024!Memoori
 
Hyatt driving innovation and exceptional customer experiences with FIDO passw...
Hyatt driving innovation and exceptional customer experiences with FIDO passw...Hyatt driving innovation and exceptional customer experiences with FIDO passw...
Hyatt driving innovation and exceptional customer experiences with FIDO passw...FIDO Alliance
 
Cyber Insurance - RalphGilot - Embry-Riddle Aeronautical University.pptx
Cyber Insurance - RalphGilot - Embry-Riddle Aeronautical University.pptxCyber Insurance - RalphGilot - Embry-Riddle Aeronautical University.pptx
Cyber Insurance - RalphGilot - Embry-Riddle Aeronautical University.pptxMasterG
 
Intro to Passkeys and the State of Passwordless.pptx
Intro to Passkeys and the State of Passwordless.pptxIntro to Passkeys and the State of Passwordless.pptx
Intro to Passkeys and the State of Passwordless.pptxFIDO Alliance
 
Revolutionizing SAP® Processes with Automation and Artificial Intelligence
Revolutionizing SAP® Processes with Automation and Artificial IntelligenceRevolutionizing SAP® Processes with Automation and Artificial Intelligence
Revolutionizing SAP® Processes with Automation and Artificial IntelligencePrecisely
 
Introduction to FIDO Authentication and Passkeys.pptx
Introduction to FIDO Authentication and Passkeys.pptxIntroduction to FIDO Authentication and Passkeys.pptx
Introduction to FIDO Authentication and Passkeys.pptxFIDO Alliance
 
Portal Kombat : extension du réseau de propagande russe
Portal Kombat : extension du réseau de propagande russePortal Kombat : extension du réseau de propagande russe
Portal Kombat : extension du réseau de propagande russe中 央社
 

Recently uploaded (20)

Using IESVE for Room Loads Analysis - UK & Ireland
Using IESVE for Room Loads Analysis - UK & IrelandUsing IESVE for Room Loads Analysis - UK & Ireland
Using IESVE for Room Loads Analysis - UK & Ireland
 
TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...
TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...
TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...
 
TopCryptoSupers 12thReport OrionX May2024
TopCryptoSupers 12thReport OrionX May2024TopCryptoSupers 12thReport OrionX May2024
TopCryptoSupers 12thReport OrionX May2024
 
Top 10 CodeIgniter Development Companies
Top 10 CodeIgniter Development CompaniesTop 10 CodeIgniter Development Companies
Top 10 CodeIgniter Development Companies
 
The Metaverse: Are We There Yet?
The Metaverse: Are We There Yet?The Metaverse: Are We There Yet?
The Metaverse: Are We There Yet?
 
How to Check CNIC Information Online with Pakdata cf
How to Check CNIC Information Online with Pakdata cfHow to Check CNIC Information Online with Pakdata cf
How to Check CNIC Information Online with Pakdata cf
 
Microsoft CSP Briefing Pre-Engagement - Questionnaire
Microsoft CSP Briefing Pre-Engagement - QuestionnaireMicrosoft CSP Briefing Pre-Engagement - Questionnaire
Microsoft CSP Briefing Pre-Engagement - Questionnaire
 
2024 May Patch Tuesday
2024 May Patch Tuesday2024 May Patch Tuesday
2024 May Patch Tuesday
 
Generative AI Use Cases and Applications.pdf
Generative AI Use Cases and Applications.pdfGenerative AI Use Cases and Applications.pdf
Generative AI Use Cases and Applications.pdf
 
Overview of Hyperledger Foundation
Overview of Hyperledger FoundationOverview of Hyperledger Foundation
Overview of Hyperledger Foundation
 
Event-Driven Architecture Masterclass: Challenges in Stream Processing
Event-Driven Architecture Masterclass: Challenges in Stream ProcessingEvent-Driven Architecture Masterclass: Challenges in Stream Processing
Event-Driven Architecture Masterclass: Challenges in Stream Processing
 
Vector Search @ sw2con for slideshare.pptx
Vector Search @ sw2con for slideshare.pptxVector Search @ sw2con for slideshare.pptx
Vector Search @ sw2con for slideshare.pptx
 
Easier, Faster, and More Powerful – Alles Neu macht der Mai -Wir durchleuchte...
Easier, Faster, and More Powerful – Alles Neu macht der Mai -Wir durchleuchte...Easier, Faster, and More Powerful – Alles Neu macht der Mai -Wir durchleuchte...
Easier, Faster, and More Powerful – Alles Neu macht der Mai -Wir durchleuchte...
 
State of the Smart Building Startup Landscape 2024!
State of the Smart Building Startup Landscape 2024!State of the Smart Building Startup Landscape 2024!
State of the Smart Building Startup Landscape 2024!
 
Hyatt driving innovation and exceptional customer experiences with FIDO passw...
Hyatt driving innovation and exceptional customer experiences with FIDO passw...Hyatt driving innovation and exceptional customer experiences with FIDO passw...
Hyatt driving innovation and exceptional customer experiences with FIDO passw...
 
Cyber Insurance - RalphGilot - Embry-Riddle Aeronautical University.pptx
Cyber Insurance - RalphGilot - Embry-Riddle Aeronautical University.pptxCyber Insurance - RalphGilot - Embry-Riddle Aeronautical University.pptx
Cyber Insurance - RalphGilot - Embry-Riddle Aeronautical University.pptx
 
Intro to Passkeys and the State of Passwordless.pptx
Intro to Passkeys and the State of Passwordless.pptxIntro to Passkeys and the State of Passwordless.pptx
Intro to Passkeys and the State of Passwordless.pptx
 
Revolutionizing SAP® Processes with Automation and Artificial Intelligence
Revolutionizing SAP® Processes with Automation and Artificial IntelligenceRevolutionizing SAP® Processes with Automation and Artificial Intelligence
Revolutionizing SAP® Processes with Automation and Artificial Intelligence
 
Introduction to FIDO Authentication and Passkeys.pptx
Introduction to FIDO Authentication and Passkeys.pptxIntroduction to FIDO Authentication and Passkeys.pptx
Introduction to FIDO Authentication and Passkeys.pptx
 
Portal Kombat : extension du réseau de propagande russe
Portal Kombat : extension du réseau de propagande russePortal Kombat : extension du réseau de propagande russe
Portal Kombat : extension du réseau de propagande russe
 

Embedded Systems Security: Building a More Secure Device

  • 1. SESSION ID: #RSAC Copyright © 2016 Raytheon Company Randall Brooks, CISSP, CSSLP Embedded Systems Security: Building a More Secure Device ASD-W05 Engineering Fellow Raytheon @randallsbrooks
  • 2. #RSAC Objectives What are common embedded systems? What issues do they face? Recommendations for securing embedded systems 2
  • 3. #RSAC Poll 3 Which operating system is your software most commonly developed for? Which language is your software most commonly developed for? Which hardware does your system run on? What are your thoughts on the following statement: My system is standalone, therefore many Cybersecurity or Software Assurance (SwA) requirements do not apply? What do you perceive as the biggest threats to your embedded system’s security? Given the rise of IoT, do you feel IoT and its issues are related to your embedded system’s security issues?
  • 4. #RSAC Results (Predicted) OS: Green Hills and VxWorks Language: C++ Hardware: PPC (SoC) Standalone: Systems are not actually standalone Threats: Supply chain, physical access IoT Threats: IoT mirror without legacy issues 4
  • 5. #RSAC Results (Actual) OS: Large increase in the use of Linux and even Windows Language: C/C++, Java, and even Ada Hardware: x86 (SoC) Standalone: Systems are not actually standalone Threats: Supply chain, physical access, reverse engineering IoT Threats: IoT mirror without legacy issues 5
  • 6. #RSAC Audience Poll 6 Which operating systems do you see or use? Other languages? Which about hardware? MIPS? ARM?
  • 7. #RSAC Example Embedded Computing Environment 7 Computing Environment OS APIs Multi-Core Hardware Other Processing Nodes / Payloads Virtualization Hypervisor (Optional) OS - Linux Vendor Provided C++ Service “B” & Libraries Vendor Provided C++ Service “A” & Libraries Vendor Provided Java Service “A” & Libraries Vendor Provided Java Service “B” & Libraries Network Service Bus Java Runtime Environment (JRE)Java Runtime Environment (JRE)
  • 8. #RSAC Traditional Embedded System Issues Storage components Processing power Battery life Time-to-market Overall cost 8 Functionality, Security, and Cost: Pick Two
  • 9. #RSAC The Troublesome 12 Embedded Systems Cybersecurity Threats 9 Supply Chain/Counterfeit Parts Legacy Systems Cascading Faults Physical Access Patch update process No Secure Configuration Reverse Engineering Custom protocols Design Mistakes Network Access Custom libraries Humans 0x0c
  • 10. #RSAC Threat: Supply Chain/Counterfeit Parts Make vs. buy Quality vs. counterfeiting vs. malicious alteration Vendor tracking database ASICS, FPGAs, and microprocessors Destructive and non-destructive analysis Information storage in volatile memory and permanent storage Nano tagging 10
  • 11. #RSAC Threat: Physical Access Malicious access Maintenance connections Maintenance equipment 11 Game Over?
  • 12. #RSAC Threat: Reverse Engineering Intellectual Property (IP) access System Integrity Disassembly Black box testing Static Analysis Security Testing (SAST) of binaries Dynamic System Probing 12
  • 13. #RSAC Threat: Network Access Standalone systems internetworked Unprotected processes Remote access Radio Frequency (RF) manipulation 13
  • 14. #RSAC Threat: Legacy Systems System interaction Least common security measure Loss of technical knowledge 14
  • 15. #RSAC Threat: Patch Update Process None Systems are permanent and not updated Unauthenticated No digital signature on software/firmware Invalid No integrity No fail secure 15
  • 16. #RSAC Threat: Custom Protocols Legacy No authentication Variable size Non-standard or multiple version support 16
  • 17. #RSAC Threat: Custom Libraries Common functions Extended Malicious library 17
  • 18. #RSAC Threat: Cascading Faults Information flow – authentication and integrity for end-to-end protection of information between partitions Data isolation – confidentiality of data Periods processing – protect against covert channels Damage limitation – protection from a failure in one partition will not cascade to another partition. MILS Separation Kernel OS (Level 1) OS (Level 2) OS (Level 3) Middleware Services Privileged Mode User Mode 18 Separation kernels keep execution separate
  • 19. #RSAC Threat: No Secure Configuration Tampered configuration Not secure by default Shared passwords across collection’s embedded systems 19
  • 20. #RSAC Threat: Design Issues Hard-coded credentials Weak or missing authentication Improper segregation of sensitive and non-sensitive data Weak, custom, or excessive use of encryption Debug functions left in 20
  • 21. #RSAC Threat: Humans Psychological acceptability Admins or users making an intentional unauthorized change or unintentional authorized change to the system. Auditing, change, and control management Training 21
  • 22. #RSAC How does this apply to IoT? How closely does IoT mirror these Threat? Does IoT have legacy issues? What about the future? Does the key word “Internet” mean higher risk? 22
  • 23. #RSAC Conclusion 23 Protect Application, Execution, Data and IP Security functions should be built in and defend against threats within the environment. It is important to understand CPI and what is done to protect it. Host systems must maintain ultimate control over security algorithms to protect the data and prevent IP theft.
  • 24. #RSAC Applying What You Have Learned Part 1 24 Educate + Learn = Apply Take any new knowledge and apply to your development system As a student hopefully you got 2-3 key items you learned today As an instructor, hopefully I provided some good lessons learned. Let me know what you learned in the Question and Answers!
  • 25. #RSAC Applying What You Have Learned Part 2 25 Next week you should: Consider the 2-3 key items you learned from this session and start to consider where do they apply to your work? In the first three months following this presentation you should: Do an initial Risk Assessment and consider The Troublesome 12 Embedded Systems Cybersecurity Threats Within six months you should: Seek the advise of a 3rd party vulnerability research or assessment team Train developers on Application Security/Software Assurance
  • 27. #RSAC Biography 27 Randall Brooks is an Engineering Fellow for Raytheon Company (NYSE: RTN), representing the company within the U.S. International Committee for Information Technology Standards Cyber Security 1 (CS1) and the Cloud Security Alliance. Brooks has nearly 20 years of experience in Cybersecurity with a recognized expertise in Software Assurance (SwA) and secure development life cycles (SDLC). In addition to holding seven patents, Brooks is a CISSP, CSSLP, ISSEP, ISSAP ISSMP, and CCSK. Brooks graduated from Purdue University with a Bachelors of Science from the School of Computer Science. E-mail: brooks@raytheon.com