This document outlines security tenets for life critical embedded systems. It discusses the need for clearly defined security best practices as more devices take on life critical roles. The document proposes seven areas of security tenets: general security, communications security, boot-time security, run-time security, securely managing systems, backend system security, and monitoring for advanced threats. It emphasizes the importance of implementing all tenets to mitigate threats to human life, equipment, or the environment. Threat models must consider all system aspects and assumptions to address protection against known threats.
ENGINEERING LIFE CYCLE ENABLES PENETRATION TESTING AND CYBER OPERATIONSIJMIT JOURNAL
This paper discusses the strengths and weaknesses of proper engineering and life cycle management on
higher level cyber security operations. Rushing innovation and increasing profits undermines the
foundations need to operate and create secure stability in IT based companies. This research argues how it
must be considered and how effective engineering processes greatly add to security even post
implementation.
Stefan Zarinschi in Bucharest, Romania on November 8-9th 2018 at DefCamp #9.
The videos and other presentations can be found on https://def.camp/archive
ENGINEERING LIFE CYCLE ENABLES PENETRATION TESTING AND CYBER OPERATIONSIJMIT JOURNAL
This paper discusses the strengths and weaknesses of proper engineering and life cycle management on
higher level cyber security operations. Rushing innovation and increasing profits undermines the
foundations need to operate and create secure stability in IT based companies. This research argues how it
must be considered and how effective engineering processes greatly add to security even post
implementation.
Stefan Zarinschi in Bucharest, Romania on November 8-9th 2018 at DefCamp #9.
The videos and other presentations can be found on https://def.camp/archive
Feldman-Encari: Malicious Software Prevention For NERC CIP-007 ComplianceCoreTrace Corporation
Whitepaper by Encari's co-founder and the Mid-West ISO's chairman.
Matthew Luallen, co-founder of Encari, and Paul Feldman, chairman of the Mid-West ISO, have written a whitepaper that explains how utilities attempting to meet the North American Electric Reliability Corporation "Critical Infrastructure Protection" (NERC CIP) requirements can meet both the spirit and the letter of the regulations.
The whitepaper provides insights and recommendations around the following topics:
Utilities should go beyond "checking the box" to meeting the true intention of the NERC CIP requirements: protecting the reliability and availability of the Bulk Electric System (BES).
Traditional security solutions (e.g., blacklist-based antivirus, emergency security patches) not only fail to protect reliability and availability, they may negatively impact the goals themselves.
In addition to superior protection against even zero-day attacks, application whitelisting is gaining a following because it addresses the operational realities associated with control system implementations that blacklist-based solutions cannot.
Application whitelisting simultaneously helps address NERC CIP-007, R3 (security patching); CIP-007, R4 (anti-malware); and even NERC CIP-003, R6 (change control and configuration management).
Matthew Luallen, Founder and CEO of Encari, and Paul Feldman, Chairman of the Mid-West ISO, have written a whitepaper that explains how utilities attempting to meet the North American Electric Reliability Corporation "Critical Infrastructure Protection" (NERC CIP) requirements can meet both the spirit and the letter of the regulations.
Man and Machine -- Forming a Perfect Union to Mature Security Programs -- Key...Inno Eroraha [NetSecurity]
"Man and Machine: Forming a Perfect Union to Mature Security Programs" is a Keynote Address given by Inno Eroraha (NetSecurity) at Global Cyber Security in Healthcare & Pharma Summit in London, UK on 2/6/2020. The presentation highlights the following:
- Securing the enterprise is like protecting the human body
- Complement Penetration Testing with Compromise Assessment and/or Threat Hunting
- Be situationally aware and avoid being blinded by adversarial activities
- Compliance IS NOT Security
- Know ALL your assets and risks faced by each
- Establish a Data Breach Response Capability now
- Create a Matured Security Program and measure success frequently
- Leverage machines and automation to mature your Security Program
- And more
Presentation on Medical device security and emerging standards for the Internet of Things. Presented by Anura Fernando of UL at The Security of Things Forum, Sept. 10, 2015.
An Overview of Information Systems Security Measures in Zimbabwean Small and ...researchinventy
This paper reports on the Information Systems (IS) securitymeasures implemented by small and medium size enterprises (SMEs) in Zimbabwe. A survey questionnaire was distributed to 32 randomly selected participants in order to investigate the security measures and practices in their respective organisations. The results indicated that over 50% of the respondents had installed firewalls, while more than 80% carried out regular software updates and none of the respondents had intrusion detection systems. The researchers recommended that SMEs work to enhance their knowledge on the different IS threats in order to enable the implementation of preventive measures.
WIRELESS SECURITY MEASUREMENT USING DATA VALUE INDEXIJNSA Journal
Nowadays, use of wireless technology in organizations is a regular act, and we can see this technology erupted in all possible different areas. Related to employing wireless technology those organizations need to apply properly security level, depend on security policy which already defined. If security system applied but not required, or security system required but not provided, leads to improper security system. In this paper we have shown the way to evaluate the data significant and their appropriate security level. Here a model to evaluate the cost of data on security point of view by consideration of some parameters like sensitivity, volume, life, frequency, etc…, this research makes organizations to predict and implement or understand the cost involved for security of their data by measuring the data value. We used questionnaire and survey methodologies to collect the data; and then used SPSS and SAS program to calculate and design a model. In this way regression and BOOTSTARP help us to find accurate result.
A presentation by Tracy Rausch, CEO of DocBox and Chip Block of Evolver Inc. on medical device security & patient monitoring. Presented at The Security of Things Forum on Sept. 10, 2015.
Attacks on the enterprise are getting increasingly sophisticated. Current solutions available do not seem to be adequate given the innovativeness, precision and persistence of these attacks in different forms and of different dimensions. Organisations thus want to increase the sophistication of their employees and also of the solutions to be deployed given this backdrop.
Developing programs that are inherently immune to attack requires sound software engineering practices. This session looks at the overall software engineering lifecycle and the critical points at which software security is a specific consideration. From the requirements for third-party suppliers to in-house development, your process must offer a level of confidence that the software functions as intended and is free of vulnerabilities. The presentation shows how using threat models, code pattern analysis tooling, targeted reviews, and more enhances Java security.
Originally presented at JavaOne 2013 San Francisco
This paper discusses the question of optimizing security decisions in an organization, based on the information provided by the technical security infrastructure.
Feldman-Encari: Malicious Software Prevention For NERC CIP-007 ComplianceCoreTrace Corporation
Whitepaper by Encari's co-founder and the Mid-West ISO's chairman.
Matthew Luallen, co-founder of Encari, and Paul Feldman, chairman of the Mid-West ISO, have written a whitepaper that explains how utilities attempting to meet the North American Electric Reliability Corporation "Critical Infrastructure Protection" (NERC CIP) requirements can meet both the spirit and the letter of the regulations.
The whitepaper provides insights and recommendations around the following topics:
Utilities should go beyond "checking the box" to meeting the true intention of the NERC CIP requirements: protecting the reliability and availability of the Bulk Electric System (BES).
Traditional security solutions (e.g., blacklist-based antivirus, emergency security patches) not only fail to protect reliability and availability, they may negatively impact the goals themselves.
In addition to superior protection against even zero-day attacks, application whitelisting is gaining a following because it addresses the operational realities associated with control system implementations that blacklist-based solutions cannot.
Application whitelisting simultaneously helps address NERC CIP-007, R3 (security patching); CIP-007, R4 (anti-malware); and even NERC CIP-003, R6 (change control and configuration management).
Matthew Luallen, Founder and CEO of Encari, and Paul Feldman, Chairman of the Mid-West ISO, have written a whitepaper that explains how utilities attempting to meet the North American Electric Reliability Corporation "Critical Infrastructure Protection" (NERC CIP) requirements can meet both the spirit and the letter of the regulations.
Man and Machine -- Forming a Perfect Union to Mature Security Programs -- Key...Inno Eroraha [NetSecurity]
"Man and Machine: Forming a Perfect Union to Mature Security Programs" is a Keynote Address given by Inno Eroraha (NetSecurity) at Global Cyber Security in Healthcare & Pharma Summit in London, UK on 2/6/2020. The presentation highlights the following:
- Securing the enterprise is like protecting the human body
- Complement Penetration Testing with Compromise Assessment and/or Threat Hunting
- Be situationally aware and avoid being blinded by adversarial activities
- Compliance IS NOT Security
- Know ALL your assets and risks faced by each
- Establish a Data Breach Response Capability now
- Create a Matured Security Program and measure success frequently
- Leverage machines and automation to mature your Security Program
- And more
Presentation on Medical device security and emerging standards for the Internet of Things. Presented by Anura Fernando of UL at The Security of Things Forum, Sept. 10, 2015.
An Overview of Information Systems Security Measures in Zimbabwean Small and ...researchinventy
This paper reports on the Information Systems (IS) securitymeasures implemented by small and medium size enterprises (SMEs) in Zimbabwe. A survey questionnaire was distributed to 32 randomly selected participants in order to investigate the security measures and practices in their respective organisations. The results indicated that over 50% of the respondents had installed firewalls, while more than 80% carried out regular software updates and none of the respondents had intrusion detection systems. The researchers recommended that SMEs work to enhance their knowledge on the different IS threats in order to enable the implementation of preventive measures.
WIRELESS SECURITY MEASUREMENT USING DATA VALUE INDEXIJNSA Journal
Nowadays, use of wireless technology in organizations is a regular act, and we can see this technology erupted in all possible different areas. Related to employing wireless technology those organizations need to apply properly security level, depend on security policy which already defined. If security system applied but not required, or security system required but not provided, leads to improper security system. In this paper we have shown the way to evaluate the data significant and their appropriate security level. Here a model to evaluate the cost of data on security point of view by consideration of some parameters like sensitivity, volume, life, frequency, etc…, this research makes organizations to predict and implement or understand the cost involved for security of their data by measuring the data value. We used questionnaire and survey methodologies to collect the data; and then used SPSS and SAS program to calculate and design a model. In this way regression and BOOTSTARP help us to find accurate result.
A presentation by Tracy Rausch, CEO of DocBox and Chip Block of Evolver Inc. on medical device security & patient monitoring. Presented at The Security of Things Forum on Sept. 10, 2015.
Attacks on the enterprise are getting increasingly sophisticated. Current solutions available do not seem to be adequate given the innovativeness, precision and persistence of these attacks in different forms and of different dimensions. Organisations thus want to increase the sophistication of their employees and also of the solutions to be deployed given this backdrop.
Developing programs that are inherently immune to attack requires sound software engineering practices. This session looks at the overall software engineering lifecycle and the critical points at which software security is a specific consideration. From the requirements for third-party suppliers to in-house development, your process must offer a level of confidence that the software functions as intended and is free of vulnerabilities. The presentation shows how using threat models, code pattern analysis tooling, targeted reviews, and more enhances Java security.
Originally presented at JavaOne 2013 San Francisco
This paper discusses the question of optimizing security decisions in an organization, based on the information provided by the technical security infrastructure.
13421ijmit03Engineering Life Cycle Enables Penetration Testing and Cyber Oper...IJMIT JOURNAL
This paper discusses the strengths and weaknesses of proper engineering and life cycle management on
higher level cyber security operations. Rushing innovation and increasing profits undermines the
foundations need to operate and create secure stability in IT based companies. This research argues how it
must be considered and how effective engineering processes greatly add to security even post
implementation.
Essay QuestionsAnswer all questions below in a single document, pr.docxjenkinsmandie
Essay Questions
Answer all questions below in a single document, preferably below the corresponding topic.
Responses should be no longer than half a page.
One
1. A security program should address issues from a strategic, tactical, and operational view. The
security program should be integrated at every level of the enterprise’s architecture. List a
security program in each level and provide a list of security activities or controls applied in these
levels. Support your list with real-world application data.
2. The objectives of security are to provide availability, integrity, and confidentiality protection to
data and resources. List examples of these security states where an asset could lose these
security states when attacked, compromised, or became vulnerable. Your examples could
include fictitious assets that have undergone some changes.
3. Risk assessment can be completed in a qualitative or quantitative manner. Explain each risk
assessment methodology and provide an example of each.
Two
1. Access controls are security features that are usually considered the first line of defense in
asset protection. They are used to dictate how subjects access objects, and their main goal is to
protect the objects from unauthorized access.
These controls can be administrative, physical, or technical in nature and should be applied in a
layered approach, ensuring that an intruder would have to compromise more than one
countermeasure to access critical assets. Explain each of these controls of administrative,
physical, and technical with examples of real-world applications.
2. Access control defines how users should be identified, authenticated, and authorized. These
issues are carried out differently in different access control models and technologies, and it is up
to the organization to determine which best fits its business and security needs. Explain each of
these access control models with examples of real-world applications.
3. The architecture of a computer system is very important and comprises many topics. The
system has to ensure that memory is properly segregated and protected, ensure that only
authorized subjects access objects, ensure that untrusted processes cannot perform activities
that would put other processes at risk, control the flow of information, and define a domain of
resources for each subject. It also must ensure that if the computer experiences any type of
disruption, it will not result in an insecure state. Many of these issues are dealt with in the
system’s security policy, and the security model is built to support the requirements of this
policy. Given these definitions, provide an example where you could better design computer
architecture to secure the computer system with real-world applications. You may use fictitious
examples to support your argument.
Three
1. Our distributed environments have put much more responsibility on the individual user, facility
management, and administrative procedures and controls than in th.
Privacy Protection in Distributed Industrial Systemiosrjce
IOSR Journal of Computer Engineering (IOSR-JCE) is a double blind peer reviewed International Journal that provides rapid publication (within a month) of articles in all areas of computer engineering and its applications. The journal welcomes publications of high quality papers on theoretical developments and practical applications in computer technology. Original research papers, state-of-the-art reviews, and high quality technical notes are invited for publications.
The Healthcare Internet of Things: Rewards and Risksatlanticcouncil
In The Healthcare Internet of Things: Rewards and Risks, a collaboration between Intel Security and Atlantic Council's Cyber Statecraft Initiative at the Brent Scowcroft Center on International Security, the report's authors—Jason Healey, Neal Pollard, and Beau Woods—draw attention to the delicate balance between the promise of a new age of technology and society's ability to secure the technological and communications foundations of these innovative devices.
EMPLOYEE TRUST BASED INDUSTRIAL DEVICE DEPLOYMENT AND INITIAL KEY ESTABLISHMENTIJNSA Journal
An efficient key management system is required to support cryptography. Most key management systems use either pre-installed shared keys or install initial security parameters using out-of-band channels. These methods create an additional burden for engineers who manage the devices in industrial plants. Hence, device deployment in industrial plants becomes a challenging task in order to achieve security. In this work, we present a device deployment framework that can support key management using the existing trust towards employees in a plant. This approach reduces the access to initial security parameters by employees; rather it helps to bind the trust of the employee with device commissioning. Thus, this approach presents a unique solution to the device deployment problem. Further, through a proof-of-concept implementation and security analysis using the AVISPA tool, we present that our framework is feasible to implement and satisfies our security objectives.
EMPLOYEE TRUST BASED INDUSTRIAL DEVICE DEPLOYMENT AND INITIAL KEY ESTABLISHMENTIJNSA Journal
An efficient key management system is required to support cryptography. Most key management systems use either pre-installed shared keys or install initial security parameters using out-of-band channels. These methods create an additional burden for engineers who manage the devices in industrial plants. Hence, device deployment in industrial plants becomes a challenging task in order to achieve security. In this work, we present a device deployment framework that can support key management using the existing trust towards employees in a plant. This approach reduces the access to initial security parameters by employees; rather it helps to bind the trust of the employee with device commissioning. Thus, this approach
presents a unique solution to the device deployment problem. Further, through a proof-of-concept implementation and security analysis using the AVISPA tool, we present that our framework is feasible to implement and satisfies our security objectives.
An efficient key management system is required to support cryptography. Most key management systems use either pre-installed shared keys or install initial security parameters using out-of-band channels. These methods create an additional burden for engineers who manage the devices in industrial plants. Hence, device deployment in industrial plants becomes a challenging task in order to achieve security. In this work, we present a device deployment framework that can support key management using the existing trust towards employees in a plant. This approach reduces the access to initial security parameters by employees; rather it helps to bind the trust of the employee with device commissioning. Thus, this approach presents a unique solution to the device deployment problem. Further, through a proof-of-concept implementation and security analysis using the AVISPA tool, we present that our framework is feasible to implement and satisfies our security objectives.
IJERA (International journal of Engineering Research and Applications) is International online, ... peer reviewed journal. For more detail or submit your article, please visit www.ijera.com
Understanding Globus Data Transfers with NetSageGlobus
NetSage is an open privacy-aware network measurement, analysis, and visualization service designed to help end-users visualize and reason about large data transfers. NetSage traditionally has used a combination of passive measurements, including SNMP and flow data, as well as active measurements, mainly perfSONAR, to provide longitudinal network performance data visualization. It has been deployed by dozens of networks world wide, and is supported domestically by the Engagement and Performance Operations Center (EPOC), NSF #2328479. We have recently expanded the NetSage data sources to include logs for Globus data transfers, following the same privacy-preserving approach as for Flow data. Using the logs for the Texas Advanced Computing Center (TACC) as an example, this talk will walk through several different example use cases that NetSage can answer, including: Who is using Globus to share data with my institution, and what kind of performance are they able to achieve? How many transfers has Globus supported for us? Which sites are we sharing the most data with, and how is that changing over time? How is my site using Globus to move data internally, and what kind of performance do we see for those transfers? What percentage of data transfers at my institution used Globus, and how did the overall data transfer performance compare to the Globus users?
A Comprehensive Look at Generative AI in Retail App Testing.pdfkalichargn70th171
Traditional software testing methods are being challenged in retail, where customer expectations and technological advancements continually shape the landscape. Enter generative AI—a transformative subset of artificial intelligence technologies poised to revolutionize software testing.
How to Position Your Globus Data Portal for Success Ten Good PracticesGlobus
Science gateways allow science and engineering communities to access shared data, software, computing services, and instruments. Science gateways have gained a lot of traction in the last twenty years, as evidenced by projects such as the Science Gateways Community Institute (SGCI) and the Center of Excellence on Science Gateways (SGX3) in the US, The Australian Research Data Commons (ARDC) and its platforms in Australia, and the projects around Virtual Research Environments in Europe. A few mature frameworks have evolved with their different strengths and foci and have been taken up by a larger community such as the Globus Data Portal, Hubzero, Tapis, and Galaxy. However, even when gateways are built on successful frameworks, they continue to face the challenges of ongoing maintenance costs and how to meet the ever-expanding needs of the community they serve with enhanced features. It is not uncommon that gateways with compelling use cases are nonetheless unable to get past the prototype phase and become a full production service, or if they do, they don't survive more than a couple of years. While there is no guaranteed pathway to success, it seems likely that for any gateway there is a need for a strong community and/or solid funding streams to create and sustain its success. With over twenty years of examples to draw from, this presentation goes into detail for ten factors common to successful and enduring gateways that effectively serve as best practices for any new or developing gateway.
Unleash Unlimited Potential with One-Time Purchase
BoxLang is more than just a language; it's a community. By choosing a Visionary License, you're not just investing in your success, you're actively contributing to the ongoing development and support of BoxLang.
In 2015, I used to write extensions for Joomla, WordPress, phpBB3, etc and I ...Juraj Vysvader
In 2015, I used to write extensions for Joomla, WordPress, phpBB3, etc and I didn't get rich from it but it did have 63K downloads (powered possible tens of thousands of websites).
Large Language Models and the End of ProgrammingMatt Welsh
Talk by Matt Welsh at Craft Conference 2024 on the impact that Large Language Models will have on the future of software development. In this talk, I discuss the ways in which LLMs will impact the software industry, from replacing human software developers with AI, to replacing conventional software with models that perform reasoning, computation, and problem-solving.
In software engineering, the right architecture is essential for robust, scalable platforms. Wix has undergone a pivotal shift from event sourcing to a CRUD-based model for its microservices. This talk will chart the course of this pivotal journey.
Event sourcing, which records state changes as immutable events, provided robust auditing and "time travel" debugging for Wix Stores' microservices. Despite its benefits, the complexity it introduced in state management slowed development. Wix responded by adopting a simpler, unified CRUD model. This talk will explore the challenges of event sourcing and the advantages of Wix's new "CRUD on steroids" approach, which streamlines API integration and domain event management while preserving data integrity and system resilience.
Participants will gain valuable insights into Wix's strategies for ensuring atomicity in database updates and event production, as well as caching, materialization, and performance optimization techniques within a distributed system.
Join us to discover how Wix has mastered the art of balancing simplicity and extensibility, and learn how the re-adoption of the modest CRUD has turbocharged their development velocity, resilience, and scalability in a high-growth environment.
top nidhi software solution freedownloadvrstrong314
This presentation emphasizes the importance of data security and legal compliance for Nidhi companies in India. It highlights how online Nidhi software solutions, like Vector Nidhi Software, offer advanced features tailored to these needs. Key aspects include encryption, access controls, and audit trails to ensure data security. The software complies with regulatory guidelines from the MCA and RBI and adheres to Nidhi Rules, 2014. With customizable, user-friendly interfaces and real-time features, these Nidhi software solutions enhance efficiency, support growth, and provide exceptional member services. The presentation concludes with contact information for further inquiries.
Globus Connect Server Deep Dive - GlobusWorld 2024Globus
We explore the Globus Connect Server (GCS) architecture and experiment with advanced configuration options and use cases. This content is targeted at system administrators who are familiar with GCS and currently operate—or are planning to operate—broader deployments at their institution.
Software Engineering, Software Consulting, Tech Lead.
Spring Boot, Spring Cloud, Spring Core, Spring JDBC, Spring Security,
Spring Transaction, Spring MVC,
Log4j, REST/SOAP WEB-SERVICES.
How Does XfilesPro Ensure Security While Sharing Documents in Salesforce?XfilesPro
Worried about document security while sharing them in Salesforce? Fret no more! Here are the top-notch security standards XfilesPro upholds to ensure strong security for your Salesforce documents while sharing with internal or external people.
To learn more, read the blog: https://www.xfilespro.com/how-does-xfilespro-make-document-sharing-secure-and-seamless-in-salesforce/
OpenFOAM solver for Helmholtz equation, helmholtzFoam / helmholtzBubbleFoamtakuyayamamoto1800
In this slide, we show the simulation example and the way to compile this solver.
In this solver, the Helmholtz equation can be solved by helmholtzFoam. Also, the Helmholtz equation with uniformly dispersed bubbles can be simulated by helmholtzBubbleFoam.
Designing for Privacy in Amazon Web ServicesKrzysztofKkol1
Data privacy is one of the most critical issues that businesses face. This presentation shares insights on the principles and best practices for ensuring the resilience and security of your workload.
Drawing on a real-life project from the HR industry, the various challenges will be demonstrated: data protection, self-healing, business continuity, security, and transparency of data processing. This systematized approach allowed to create a secure AWS cloud infrastructure that not only met strict compliance rules but also exceeded the client's expectations.
Modern design is crucial in today's digital environment, and this is especially true for SharePoint intranets. The design of these digital hubs is critical to user engagement and productivity enhancement. They are the cornerstone of internal collaboration and interaction within enterprises.
Experience our free, in-depth three-part Tendenci Platform Corporate Membership Management workshop series! In Session 1 on May 14th, 2024, we began with an Introduction and Setup, mastering the configuration of your Corporate Membership Module settings to establish membership types, applications, and more. Then, on May 16th, 2024, in Session 2, we focused on binding individual members to a Corporate Membership and Corporate Reps, teaching you how to add individual members and assign Corporate Representatives to manage dues, renewals, and associated members. Finally, on May 28th, 2024, in Session 3, we covered questions and concerns, addressing any queries or issues you may have.
For more Tendenci AMS events, check out www.tendenci.com/events
We describe the deployment and use of Globus Compute for remote computation. This content is aimed at researchers who wish to compute on remote resources using a unified programming interface, as well as system administrators who will deploy and operate Globus Compute services on their research computing infrastructure.
2. TABLE OF CONTENTS
A. EXECUTIVE SUMMARY 3
B. INTRODUCTION 4
C. TENETS 8
1. GENERAL SECURITY 8
2. COMMUNICATIONS SECURITY 15
3. BOOT-TIME SECURITY 19
4. RUN-TIME SECURITY 21
5. MANAGING LIFE CRITICAL EMBEDDED SYSTEMS SECURELY 24
6. SECURITY FOR BACK-END SYSTEMS 27
7. MONITORING FOR ADVANCED THREATS 28
APPENDIX A - Use Cases 30
INTRODUCTION 30
USE CASE 1 30
USE CASE 2 33
USE CASE 3 34
USE CASE 4 36
USE CASE 5 38
APPENDIX B - Mapping of Use Cases to Tenets 39
APPENDIX C - Distilled Tenets 40
APPENDIX D - References 42
2
3. A. EXECUTIVE SUMMARY
Life critical systems are devices whose failure or malfunction may result in serious
injury or death to humans, loss or severe damage to equipment, or environmental
harm. Designing security into life critical embedded systems is increasingly
important as more and more devices are becoming Internet connected smart things
in the Internet of Things (IoT). As we apply smart, connected, embedded computing
devices to improve systems with life critical roles, obviously this needs to be done
responsibly. These devices have the potential to better mankind, but also the
potential to be co-opted by malicious parties and do grave harm. Unfortunately,
simple, clear, and current “security tenets” are not yet well articulated for building
life critical systems with embedded computing capabilities. Much of the guidance
that has been written now fails to address both the increasingly sophisticated
threats which these systems face, requiring security to be embedded more deeply in
the system. The current and future generations of embedded computing technology
will continue to cut across industries “horizontally”, bringing to light the need for
greater security and safeguards in these devices. In that context, this document
attempts to put forward basic security tenets to ensure that all life critical
embedded systems across all industries have a common understanding of what is
needed to protect human life, where it depends on or can be endangered by,
embedded computing.
This document should not be taken as regulatory in any sense. Each industry will need
to evolve to conform to these tenets. However, the timelines and details of such
3
4. evolution are to be determined elsewhere, not in this document. This document simply
defines a safer end-state, not the route for each industry to get there.
B. INTRODUCTION
Studies assess that there will be 50 billion devices connected to the IoT by 2020 (1).
With the rapid rise of smart devices now playing life critical roles in vastly different
areas ranging from traditional Supervisory Control And Data Acquisition (SCADA) to
modern Industrial Control Systems (ICS), connected cars, and countless areas of
medicine, such as patient monitoring and embedded medical devices, it is becoming
increasingly crucial to properly embed security at the foundation of these devices in
a manner that allows device vendors to keep pace with rapid advancements in the
technology and attack spaces. Embedding security in the foundation of these
devices is an extremely difficult challenge with national security implications
commensurate with the scale at which life critical Internet of Things (IoT)
technologies are being deployed. Further, the security and safety of systems are
clearly subject to the “weakest link” challenge. Thus, an additional focus on overall
system integrity and how individual components and subsystems interact is key to
avoiding situations where “the sum of the parts is a hole.” Today, security is
dramatically inadequate in many of these smart and embedded devices. There is a
need for the establishment of a set of core security tenets that manufacturers should
incorporate into their products. These defining principles, or tenets, will establish
best practices to ensure that human life, information, and infrastructure remain safe
and secure. Given that aggressors will exploit any weakness, life critical embedded
4
5. systems need to protect all of the security areas outlined below, not just a few. In
life critical embedded systems, any failure to follow any of the tenets could
jeopardize human life, equipment, or the environment.
The security tenets described in this paper were chosen to help “raise the bar” for
security in the life critical embedded systems space, but they can do much more.
There are currently a fair number of best practices and standards available for a
wide range of industrial and consumer spaces, however there is little available that
transcends and reaches across the various industries. Much of the guidance
available today was developed at a time when security was viewed from a holistic
system perspective, instead of building the security into the individual components.
Since many of these threat models are now outdated, this paper attempts to identify
those guiding principles which can increase the security of life critical embedded
systems and potentially many other industries.
Technology improvements are expected to occur, and the hope is that they will be in
line with the guidance below. It is recognized that many life critical embedded
systems already fielded do not meet this guidance. Where possible, those systems
should be upgraded to comply with this guidance. Where such systems are
increasingly connected to other systems, risks of fatalities climb exponentially. Even
without intentional connections to other systems, the ever-growing popularity of
wireless and embedded systems is continually exposing such systems to new risks.
Where such systems cannot be upgraded to comply with the guidance, they should
5
6. be phased out and replaced on a timeline that is appropriately safe and responsible
in context of lives, equipment, and the environment being endangered.
The word “evolve” was purposely chosen in this document because in many
situations a dash towards improved security or safety could favor one of these goals
at the expense of the other. Specifically, the reader is cautioned against assuming
that security and safety are equivalent concepts. While they are often related and
combine to provide the appropriate degree of each, they have different motivations.
One can imagine a system that is so secure that without a master key its operating
parameters could not be changed, even in an emergency. This could easily result in
a severe threat to the safety of the operators, customers, equipment, or the
environment. Similarly, the overzealous pursuit of safety could result in a system
that was neither secure nor operable. When considering the replacement of life
critical embedded systems to improve safety and security, the goal should be to
achieve a harmony between them that is appropriate for the environment.
6
The guidance in this document is framed to shape certifications and specifications to
come. The strength of word choice (e.g., MUST) indicates the criticality of
implementing the tenet in order to mitigate the threat to human life, equipment, or
the environment. Use cases are included in Appendix A to illustrate the potential
consequences of not implementing the tenets. The use cases also indicate which
portions apply to specific tenets.
7. The tenets are organized into seven areas:
• General Security;
• Communications Security;
• Boot-Time Security;
• Run-Time Security;
• Managing Life Critical Embedded Systems Securely;
• Security for Back-end Systems; and
• Monitoring for Advanced Threats.
The tenets emphasize system integrity for a few reasons. First, strong guidance
already exists in many communities for engineering resilient, high-availability fault-
tolerant systems in the face of natural and man-made risks. Second, the façade of
availability presented by systems and components whose integrity is compromised
can often be more lethal than situations in which failure of those components and
systems is not masked and quickly recognized. Third, strong guidance exists for
ensuring confidentiality of information, but not all life critical embedded systems
depend on confidentially of information. In fact, confidentiality and privacy are
occasionally sacrificed to ensure integrity and availability of life critical embedded
systems. Throughout this document, the word “compromised” is synonymous with
corrupted or destroyed and must be considered an unacceptable outcome.
Consistently, where system integrity is compromised, human life is either
endangered or lost, there is loss or severe damage to equipment, or there is
environmental harm.
7
8. C. TENETS
1. GENERAL SECURITY
a. Systems MUST have documented threat models.
The imperatives in this section of general security tenets are cornerstone
starting points. Implementation decisions should depend on a formally
detailed threat model as much as they depend on the physics of energy
constraints and processing capabilities and these things should take
precedence over cost concerns. In the overall context, risking lives to save a
few dollars per microcontroller unit (MCU) is unacceptable. Good guidance
on formal threat modeling can be found with a quick web search. One
commonly used model is Spoofing, Tampering, Repudiation, Information
Disclosure, Denial of Service, and Elevation of Privilege (STRIDE).
While threat models are always going to be part of a larger ecosystem,
focusing on protection against those threats should be addressed. Threat
models should capture all assumptions and consider all aspects of the
system, including supply chain complexities where some equipment or
components are often supported by third parties who might be trustworthy
or untrustworthy to varying degrees. While the threats to supply chains and
other threats, such as malicious insiders, are beyond the scope of this work,
they too should be assessed and included in a threat model for life critical
embedded systems. Such an assessment could lead to changes in
8
9. procurement policies, personnel training, authentication protocols, and
access control management. The threat posed by physical access to a life
critical system is based on the specific environment and how the system is
used and maintained. Protection of systems against physical tampering is a
difficult undertaking, potentially resulting in much higher system purchase
prices and operational costs. Concerns related to physical tampering are best
approached through policy controls. For example, physical access process
control systems in a refinery must be well-defined and enforced.
It is no longer sufficient to consider any life critical embedded system as an
enclave adequately isolated from the rest of the world. The pretenses of
security in air gapped implementations have been continually proven false.
Air gaps are often still prudent measures so long as systems can be
effectively monitored and updated from within the enclave. However, air
gaps are no longer adequate. It is necessary to now assume threats will
penetrate the enclave, and security must be engineered to protect “from the
inside out” to provide additional security layered on the traditional “outside
in” security engineering.
As some life critical embedded systems become increasingly smarter, it
becomes increasingly important to consider each system end-to-end. For
instance, in some cars a Tire Pressure Indicator (TPI) originally only
informed the driver of a need to change a tire, but that same TPI now
9
10. sometimes feeds into digitally controlled braking systems. For each actuator,
consider the full waterfall of sensors and analysis that contribute to each
decision. These components no longer exist in isolation.
Furthermore, back-end systems can affect the threat model of the system at
hand. There is a possibility that they may go offline or, as with mobile
systems, may be out of communications range for substantial periods of time.
The threat model should address what happens if the back-end system is
retired permanently or its sponsoring organization is unable to maintain it
due to bankruptcy or other conditions rather than capturing these situations
under “fail safe” behavior.
10
It is also important to recognize and model the reality that in many life
critical embedded systems some components are far more life critical that
others. For instance, in an unattended vehicle, the emergency brake is more
life critical than the air conditioning (AC) system. In safety engineering, all
things electrical, even traditional AC systems carry specific fire risks,
particularly in the event of a crash. When planning for security, seemingly
benign things like streaming connections to the vehicle’s radio, as well as the
remote (cellular) ability to start the AC system, can each present infection
vectors to the rest of the car if security threats are not properly modeled and
security risks are not properly mitigated.
11. Ideally, a proper threat model will help induce a policy of separation between
critical and non-critical systems. This concept is sometimes referred to as
red/black separation, where signals and systems that carry sensitive
information and control safety critical systems are kept physically separate
from non-sensitive systems. As a threat model is developed, the sensitive
components of a system should be identified and ways to keep these
components physically, or to a lesser extent, at least logically separated from
less sensitive components should be developed and implemented. As an
example, one design option would be to have a car’s entertainment system,
which may be connected to the Internet (e.g., for receiving streaming media
content), kept completely separate from the car’s drive-by-wire controllers.
However, while maintaining a strict policy of separation is ideal, there may
be a need for the interconnection of systems to enhance safety and features.
When such systems are connected, extra precautions should be taken to
ensure logical separation of sensitive and non-sensitive components.
Threat models must recognize that some systems will need to be in place for
decades, while others may refresh annually or more frequently. The
imperatives for an update mechanism help mitigate some risks, but they do
not address the vulnerabilities introduced when non-updatable legacy
systems are connected directly to modern systems. Life critical embedded
systems should be engineered to include enough compute capacity for
stronger cryptographic and run-time protections that will need to be added
11
12. within the lifetime of the systems. The ideal is to include a hardware root of
trust and system integrity as without such system hardening, updates are
unreliable to untrustworthy. Even with these security mechanisms, systems
may be compromised or simply fail. Not addressing remediation and failure
plans can endanger lives or incur exorbitant, avoidable costs associated with
replacing the system when threats get ahead of the deployed hardware. The
resulting threat models can be used to instill remediation plans inclusive of
the update cycles and process flow.
b. Systems MUST be engineered to fail safely.
This security guidance is in addition to and not in place of traditional safety
engineering. Traditional safety engineering recognizes that distributed
systems and their failure modalities can be complex. Systems need to be
engineered to fail gracefully, and important decisions like “fail open versus
fail closed” need to be made carefully. Systems need to be engineered to “do
no harm” even when things are going wrong quickly. Simple primitives can
be tremendously invaluable, including a fully automatic (safe) shutdown
procedure that is easily initiated from any of many emergency stop buttons
throughout a facility. As the complexity of systems and requirements
continue to increase, fast, simple, and safe shutdowns become absolutely
crucial, regardless of whether they are triggered by a manual stop button or
automated detection of unstable states. Complexity is just one of many
reasons why security and safety within systems and their individual
12
13. components must be considered and decided in the design phase as many
aspects cannot be “bolted on” later.
c. The data usage, safety, and privacy aspects of life critical embedded
systems MUST be clearly documented in lay terms.
Ecosystems that employ life critical embedded systems must clearly
articulate the security and privacy risks in lay terms. It is expected that life
critical embedded systems must also articulate to the builders and
integrators of systems and shared environments, the security and privacy
threat models and risks. This ultimately allows for users and owners to
make a clear, informed choice in participation. Many people come near life
critical embedded systems, regardless of whether those life critical
embedded systems are embedded in a car, or an airplane, or a factory floor.
In each case, these systems are now making complex decisions. People must
know what to expect of such critical systems. For example, a vehicle’s Wi-Fi
system may automatically connect to open wireless systems in order to send
information outbound or request information or updates. This awareness
includes clarity on life critical failure modalities of the system, as well as
clarity on (otherwise) hidden dependencies such as the waterfall of sensors
and analysis that contribute to each actuation (In case such a person was to
note a sensor, processor, or actuator as faulty).
d. Devices MUST only run hardened code.
13
14. Before any code is signed for execution, it must be appropriately hardened
through recognized industry best practices for manual and automated
discovery of bugs and vulnerabilities, as well as remediation of the code. For
the purposes of this paper, hardening is defined as securing code by limiting
its attack surface. Additional remediation through obfuscation is desirable to
slow reverse engineering but is not required. Compiler based techniques for
hardening code is strongly desirable, among a variety of techniques for
providing run-time protection of the system.
e. Devices MUST enforce least privilege.
The concept of least privilege is that all system users and software operate
with the lowest set of privileges needed to perform their duties. Further,
access permissions are only available for the minimum amount of time
needed. As the quantity and level of privileges increase, the attack surface
and breadth of destruction increases. Employing least privilege provides
many security benefits including limiting the impact of malicious or
unwitting insiders. For example, consider the case of software that needs to
access an area of memory. If the minimum set of privileges (e.g., read, write,
execute) needed by the software when accessing the memory are read and
write, the memory should be configured with only those two privileges. By
not configuring the memory with the execution privilege, any rogue code
written to memory cannot be executed.
14
15. Least privilege must be architected into the device or system being
developed. For both major and minor components, it is important to identify
the functions to be performed and the privileges needed for the functions to
operate. Also, consider the privileges needed for communications across
components. When communications are necessary with devices or systems,
take into account the level of privileges they use and, where possible,
incorporate security techniques to mitigate any escalated privileges.
2. COMMUNICATIONS SECURITY
a. All interactions between devices MUST be mutually authenticated.
Authentication is the process of confirming the identity of an entity, such as a
person, device, or data. Authentication of data refers to confirming the
source of the data or validating that the data integrity has not been
compromised. All data, commands, and requests must be mutually
authenticated to be trusted. Any data, commands, and requests that cannot
be authenticated should be ignored. Authentication of data, commands, and
protocols matter because it is dangerous to accept data from unverified
devices and/or services. Such data can not only corrupt or compromise
devices, but also be the initial seed to grander threats and attacks. In
addition to the authentication of data, it is also important to authenticate the
devices, services, and systems that want to communicate, share data, and
enforce control. Using strong mutual authentication to restrict such
connections or communications at any layer helps protect the devices,
15
16. services, and overall systems from such threats.
Two common ways to perform mutual authentication as part of the
communications protocol are the use of secure sessions at the network link
layer (e.g., IEEE 802.11i (for Wi-Fi), DTLS in Constrained Environments
(DICE)) or via digital signatures on data, commands, and requests at the
appropriate application layer.
A generally accepted digital authentication approach is based on elliptic
curve cryptography (ECC), but over time other approaches may evolve. For
additional information please see FIPS PUB 186-4: Digital Signature Standard
(DSS) (2).
Note that from a performance perspective, mutual authentication is now
feasible in extremely constrained devices where such authentication was
previously infeasible. For example, recent implementations of the Elliptic
Curve Digital Signature Algorithm (ECDSA) have demonstrated that a
number of 8-bit MCUs running at 8 MHz with only 32 kb of RAM are now
capable of doing signature verification in a few seconds (3).
In addition to simple cryptographic authentication, it is desirable for devices
to provide an attestation of their current security state. Depending on the
threat model, this might actually be required. Such attestation could include
16
17. digital fingerprints of the device’s configuration and all code loaded, among
other important security metrics.
In this tenet, authentication implies authorization. However, for clarity,
connections and data are authenticated as coming from a given source. Once
authenticated, the device must choose to trust or not trust that source based
on not only authentication and attestation information, but also policy that
should be updated over time. Such dynamic control of authorization and
access control is crucial to safely handling components and devices that
become compromised as part of a much larger system. Some means of
efficiently providing such dynamic control include using mechanisms such as
Online Certificate Status Protocol (OCSP) stapling, Trusted Network Connect
(TNC), or other forms of dynamic Network Access Control (NAC) enforced
either at the endpoint devices or at gateways between such devices.
17
b. Continuous authentication SHOULD be used when feasible and
appropriate.
All data, commands, and requests should be continuously authenticated
where feasible and appropriate. Authentication could be verified either at
set intervals or with each set of communications processed as part of the
communications exchange. Note that there could be an impact to
performance depending on the functional requirements. Nonetheless,
function and risk should be weighed as part of the feasibility and
18. appropriateness of this tenet in light of the danger to human life.
c. All communications between devices SHOULD be encrypted.
The goal of encryption is confidentiality, while other cryptographic
techniques are employed to provide authentication or fraud
resistance/detection. Encryption protects the data so that only those who
have the appropriate keys may decrypt the data for reading or modification.
This provides protection from eavesdroppers along the path between devices
and/or systems. Such eavesdroppers might be able to maliciously leverage
the data in some way. For example, captured process control information
might provide hints to how some lucrative or dangerous process is
accomplished, and perhaps how to interrupt its operation.
Note that not all devices and environments are immediately amenable to
encryption, particularly in long life, low Central Processing Unit (CPU) power
embedded systems. For those cases, a threat assessment is necessary to
determine whether it would be prudent to replace/upgrade the device ahead
of schedule or to introduce additional devices that can provide encryption
capabilities for that device.
Encryption alone does not provide sufficient security. Encryption should be
part of a comprehensive approach to raise the overall security posture of a
system through improved confidentiality, authentication, and resistance
18
19. to/detection of fraud, both on the local system as well as across a distributed
computing environment. Using encryption in some parts of a system cannot
make up for security and safety failures elsewhere in the system design.
3. BOOT-TIME SECURITY
a. Devices MUST NEVER trust unauthenticated data or code during boot-
time.
Devices must never trust unsigned (i.e., unauthenticated) configuration files
or any other form of unsigned data. To ensure confidence in the code’s
authentication (and the device’s overall secure operation), devices must be
designed to boot into a known good state.
Configuration files can be trusted if they are signed by an appropriate
authority. They can be signed as part of a monolithic boot image or signed
individually with appropriate protections against threats, including but not
limited to rollback and replay and any other threats produced by diligent and
professional security threat modeling (See Tenet 1a). Trusting an unsigned
configuration file can result in malicious misconfiguration of the system,
leading to any number of significant consequences.
A generally accepted authentication approach is the use of digital signatures
based on ECC, but we recognize that over time other approaches may evolve.
When verifying the signatures, the device would use a root of trust (e.g.,
19
20. programmed into Read Only Memory (ROM) or fusible bits) that must be
under the control of the owner of the life critical embedded system. Allowing
execution of unauthenticated code easily gives control of a device to
aggressors. Depending on the threat model facing the system, the owner
might choose to authorize all of the manufacturer’s code to run on a given
system or choose to put in place additional controls whereby the owner is
able to control which code from the manufacturer is able to run on the
device. All code must be authenticated and authorized before it is loaded for
execution. This is true for the case of monolithic systems where the
signature on the boot image includes signing the application on the device, as
well as any operating system, firmware, and/or libraries. This is also true for
systems where an application is signed separately from an operating system.
It is recognized that there may be challenges associated with implementing
this tenet. For instance, there may be substantial additional engineering
efforts needed to ensure secure boot of any microprocessor or MCU.
However, secure boot and the imperative that devices must never be
permitted to run unauthorized code are essential for life critical embedded
systems to protect human life, equipment, and the environment.
b. Devices MUST NEVER be permitted to run unauthorized code.
Authorization is the process of granting or denying an entity, such as a
person or process, access to a resource or the ability to perform an activity.
20
21. Authorization is based on whether the person or process has the correct set
of permissions or privileges needed.
This tenet assumes Tenet 3a is being implemented correctly. Devices must
never run anything other than authenticated code, authorized by the party
responsible for managing the life critical embedded system. Typically, this
party is simply referred to as the owner of the life critical embedded system,
regardless of any financial ownership and/or property rights. Code refers to
both firmware and software.
4. RUN-TIME SECURITY
a. Devices MUST mitigate run-time security risks, including malicious data.
Unfortunately, even after devices are booted into an authorized
configuration, and even if the code has been reviewed and hardened via
manual and automated best practices, the code can still have unknown
runtime vulnerabilities that must be mitigated. Mitigation can include policy-
based lockdown of resources such as processes, or content based filtering of
potentially dangerous data. This mitigation can be done via techniques, such
as including some form of an intrusion prevention system (IPS) in the
device’s network stack or ensuring that the device is only capable of
connecting to a gateway that provides such an IPS function. Other
techniques include advanced methods for using memory introspection to
ensure that executable code changes remain unchanged from boot.
21
22. Additional techniques include host-based behavioral methods, application
sandboxing, application whitelisting, device and configuration control,
reputation based techniques, and cryptographic protections on run-time (not
just boot-time) resources. Through one mechanism or another, run-time
security of devices in a life critical embedded system should be continuously
monitored in a secure manner and continuously verified. Specific
mechanisms for providing run-time security will vary widely by system
architecture and environment.
There may be times when a suspected malicious access attempt is blocked,
yet the attempt was both safe and legitimate. In this context, extreme care
must be taken in protecting any life critical availability requirements while
attempting to mitigate run-time risks. In extreme cases, it can be acceptable
to build in a mechanism capable of blocking such access, but configured to
only monitor such access until risk levels change.
Denial of service attacks may also be mounted against life critical embedded
systems. For example, an adversary may attempt to saturate (i.e., flood) a
target device with communications requests to cause it to be unable to
respond, or perhaps drain a target device’s battery (i.e., a battery exhaustion
attack). Protections should be in place to mitigate these sorts of attacks. Any
solution must let the legitimate traffic flow while blocking the malicious
attack traffic.
22
23. It is recognized that industry’s ability to protect activities at run-time is
currently limited. Best efforts must be taken to address risks as best as
possible. However, some threats will still succeed, and for that reason
additional monitoring and mitigation is required for advanced threats as
described in Tenet 7a.
b. Devices SHOULD NEVER trust unauthenticated data during run-time.
In distributed systems, devices often receive data from other devices.
Consistent with the imperative that all interactions between devices MUST
be mutually authenticated, devices must never trust unsigned data. In this
context, as a minimum, each device must confirm the pedigree of data
coming from any device. Additionally, it is preferable that, where possible,
the pedigree flows with the data from the original sensor collection and
through any handler devices, gateways, translation, and subsequent
processing. Each device handling the data appends its signature for any
transformations and includes the original data when possible. This strategy
best mitigates the risk of the data being tampered in transit, as well as at rest
and/or in processing by a compromised device.
It is recognized that this strategy is rarely feasible in energy constrained
systems that depend entirely on batteries or energy harvesting. In the case
of legacy systems, it is expected that they will be upgraded overtime to meet
this tenet.
23
24. c. When used, cryptographic keys MUST be protected.
Protection technologies will vary based on the threat model and system
architecture, but cryptographic keys used for authentication must be
protected from leakage. Please note that while it is important to protect
private (secret) keys from leakage, it is equally imperative that public
(authorized) keys must be protected from tampering, particularly for keys
(or certificates) used as roots of trust in verification of other parties’
certificates or used in verification of signatures on signed code. It should not
be possible for an adversary to swap roots of trust or append their root of
trust to any device’s truststore.
Hardware protection for keys is desirable and might be required depending
on the threat model. Specific protection technologies include but are not
limited to Trusted Platform Modules (TPM), various types of security
architectures, and physical countermeasures to side-channel analysis and
both non-destructive and destructive types of reverse engineering.
5. MANAGING LIFE CRITICAL EMBEDDED SYSTEMS SECURELY
a. Devices and systems MUST be built to include mechanisms for in-field
update.
Vulnerabilities will be found in these devices, and they will need to be
patched to stay safe and secure. Additionally, many of the run-time
protections previously mentioned often require updates to security content.
24
25. All such updates must be done securely.
Over time, aggressors will reverse engineer devices, discover vulnerabilities,
and exploit those vulnerabilities. For these reasons, all devices must include
the ability to be quickly updated whenever vulnerabilities and/or
exploitation are discovered.
It is recognized that such updates are difficult and energy consuming in
energy limited devices that are either battery constrained or constrained by
energy harvesting. It is also recognized that such battery constrained devices
often need small, specialized batteries to last years or decades. In such
contexts, changing an entire firmware image could drain months or years of
battery life or, in worst cases where done badly, over half the battery life.
Many aspects of the embedded world of IoT are often radically different from
the simpler world of traditional Information Technology (IT).
The ability to update these devices is essential to ensuring the continued
proper and secure operation of these devices over the long term. Further,
these update mechanisms must be built into each device from the beginning
since adding them to existing systems would most likely be less effective, less
reliable, and less secure, if even possible. For such highly constrained
devices, it becomes crucial to include some form of update management
process that ensures updates proceed smoothly and that partial, failed, or
25
26. rolled back updates do not endanger the device’s functionality or place the
device into a vulnerable or dangerous state.
In-field updates are one component of an overall lifecycle management plan.
In cases where in-field updates are not possible, alternative practices for
ensuring the continued security and safety of those devices must be in place.
For these systems, an accelerated replacement schedule should be
established– essentially associating an “expiration date” with such systems.
Short-term extensions to this deadline should be provided if no suitable
replacements with improved life critical capabilities are available at that
time.
b. Devices and systems for managing updates MUST be mutually
authenticated and secured.
As these embedded systems and devices are deployed in remote and often
inaccessible locations, it is required that the software updates (whether from
a general feature update or due to a security patch) be done from using
remote communications. While it is understood that the system
infrastructure will be aware of the deployed devices it manages, the devices
themselves must also have a mechanism to acknowledge and authorize the
infrastructure communicating with it, especially as its configuration,
software, and firmware can be affected. Without the means for the device to
authenticate and authorize the system, the device can be vulnerable to
26
27. anyone or any system configuring and running any software on the device.
Visibility into a device’s identity is critical to the life cycle management of the
device.
Devices and systems should avoid communications with legacy and non
updatable devices and systems. Communication with devices that are
unknown, have little to no security, or cannot be updated should rely on the
ecosystem to establish trust, relationships, and verification of
communications. Devices should avoid accepting data from other devices
with unknown security properties.
6. SECURITY FOR BACK-END SYSTEMS
a. Systems communicating with life critical embedded system devices
MUST be protected in accordance with industry best practices.
Many IoT systems use cloud-based services and technologies. As IT and
Operational Technology (OT) collide in both IoT and life critical embedded
systems, it is important to remember that, where a device is driven by a
server or cloud-based service, failing to protect that server/service can
produce outcomes equivalent to failing to protect the device. Fortunately,
there are many best practice guidelines for protecting such back-end servers
and cloud-based services. For example, the Open Web Application Security
Project (OWASP) and SafeCODE provide valuable guidance in addition to
vertical specific guidance. Some of these organizations are currently
27
28. developing guidance for embedded systems. For instance, organizations like
the Trusted Computing Group (TCG) have developed technologies to
cryptographically attest the state of servers in the cloud. Trustworthiness
assessment of cloud-based services through attestation should be part of
best practices for protecting IoT devices.
7. MONITORING FOR ADVANCED THREATS
c. Systems MUST be monitored for threats capable of defeating or avoiding
these tenets.
Unfortunately, even with all of the previously mentioned tenets taken into
account, some of the most advanced threats, such as insiders, will still be
capable of defeating any best practice. To mitigate the risks from such
threats, it is important that life critical embedded systems include a
monitoring system where device states and communications between
devices can be monitored. Then, if an advanced threat is discovered, it can be
dynamically tracked and potentially mitigated via remediation. Such a
monitoring capability will require strong data collection and analytic
capabilities akin to those of Security Operations Centers (SOC) and/or
Computer Emergency Response Teams (CERT). It is also important to ensure
that a mitigation plan is in place when an issue occurs.
The capability to monitor will also require intimate familiarity with the
unique aspects of the life critical embedded system and the ability to
28
29. investigate and act on timescales appropriate for the specific life critical
embedded system being monitored. Such monitoring will need to span in
field devices and any servers and/or cloud-based services driving them.
Note that for systems already deployed, particularly those with devices that
are extremely limited and not easy (or possible) to update, such monitoring
can sometimes be achieved by deploying new devices to listen and/or sniff
between already deployed devices without disrupting them.
29
30. APPENDIX A - Use Cases
INTRODUCTION
The use cases that follow were designed to demonstrate real-world security threats
to life critical embedded systems and generally to devices that are part of the
Internet of Things (IoT). It is expected that these use cases will be disseminated, as
they will have value and applicability in other contexts.
The use cases themselves are intended to be standalone scenarios that illustrate one
or more poor security practices or common vulnerabilities that are often found in
life critical embedded systems today. The use cases or “scenes” are tied together by
an overarching story arc. The narrative is fictional, however, the ideas and concepts
are grounded in actual incidents or demonstrated security hacks.
Throughout the narrative, each vulnerability is assigned a number which maps to
one or more applicable security tenets. This is intended to show the value and
subsequent need for implementing the security principles found in the paper. The
mapping is listed in Appendix B.
USE CASE 1
The Widget Garage in the Bronx, New York is the main resource for many New York
City (NYC) taxi’s routine maintenance, service, and repair needs. The garage also
services ambulances as needed. In July, a number of taxis and limousines made
their way through this maintenance depot for common maintenance items like new
30
31. brake pads, oil changes, general repairs, and any on-board computer system
firmware and Technical Service Bulletin (TSB) updates. Each vehicle is typically
triaged and sent through different bays of the maintenance departments for service.
One bay in the garage usually performs the on-board computer system maintenance
related to firmware and TSB updates. Throughout the months of July and August, a
significant number of the taxis, limousines, and ambulances went through this bay
for routine updates to their control systems and creature amenities.
One of the recently installed creature amenities included an in-vehicle Wi-Fi
entertainment system for a more interactive rider experience. This Wi-Fi system
operated in a mesh configuration for connectivity, load, and cost, but eventually
communicated back to strategically placed base stations to provide rider internet
connectivity and dispatch communications. This mesh environment also enabled
car-to-car communications to indicate the speed and flow of traffic amongst each of
the taxis that communicate back to a number of the base stations that then
communicate back to dispatch. Some of these systems slightly adjusted the
acceleration available to each vehicle to allow for more fuel/battery efficiency. 1 The
Wi-Fi systems in the vehicles integrated directly to the computer based system
controls on the taxis and limousines in order to report accurate and detailed fuel
usage and battery charging statistics back to dispatch and the garage. 2
A terrorist cell consisting of an unknown number of industrial and consumer control
system hackers has spent months planning an attack on the Lincoln Tunnel.
31
32. Through their planning, they have researched and analyzed traffic flows and
patterns through the tunnel at various times to determine the optimum time to
strike. This cell, calling itself “Team F”, has implanted one of its members as a
mechanic at the Widget Garage. While employed at the garage for a few months,
Team F’s member has modified the code within the acceleration items and braking
items used by the taxis. 3 They also modified the code for the limousines to allow
remote execution of braking. 4 The limousines’ braking firmware also had elements
and updates that were shared with the ambulances from the manufacturer. 5
This modified code allows for direct communications via the Wi-Fi connection
utilized as part of the creature amenities in the vehicles. 6 This direct connection
also allows for communications to the Controller Area Network (CAN) bus units in
each vehicle. 7 Access to the CAN bus allows for direct control of acceleration and
braking elements of the vehicles. 8 Furthermore, the mesh networking elements
allow for communications from the CAN bus unit back to base stations and
dispatch.9
This modified code was utilizing a revoked certificate that was previously valid,
signed, and stolen from the CAN bus controls manufacturers earlier in the year. 10
The manufacturer would eventually realize that its signing certificates were stolen
in the months after the attack, which will prompt it to issue a TSB which forces an
update to the Certificate Revocation List (CRL).
32
33. The Team F implant placed a number of firmware update SD Cards in locations
around the garage with the latest dates and revisions for April/May mimicking the
style used by the vehicles’ manufacturers for look and appearance of the SD Cards. 11
Throughout the months of July and August, a large number of these vehicles were
brought in for updates to their on-board computer systems, battery systems,
braking systems and in-car Wi-Fi entertainment systems. There were no updates
that failed, as the certificate seemed valid. 12 The majority of updates were
performed utilizing the SD Cards containing the modified code.
USE CASE 2
At 4:00 p.m. on the Friday before the Labor Day holiday weekend, Team F
positioned itself at the north end of the Lincoln Tunnel in a vehicle traveling back
and forth through the tunnel. They had a specially configured PWNIEPRO device
with customized packages and a Software Defined Radio integrated. Team F’s
objective was to create a significant vehicle accident inside the tunnel with an initial
maximum casualty impact, followed by a disruption in traffic for those trying to
leave the city for the holiday weekend.
They wait for a number of the serviced taxis and limousines that would be from the
servicing company of Widget’s. As their PWNIEPRO gathers and connects to the Wi-
Fi systems within each car, they verify connectivity to the CAN bus unit to confirm
compromise and continuous connectivity. 13 Team F waits for compromised taxis
traveling at speed with a few large tractor trailers close behind them at speed. They
33
34. spot an opportunity to create the most impact with four taxis and two limousines
traveling at speed while dispersed throughout the three tubes.
Through their continuous connections to the Wi-Fi and CAN bus systems, Team F
executed a full brake on two of the taxis and an accelerate command on the other
two taxis. 14 They also executed full braking commands on both limousines. 15 This
caused a multiple car pileup at various places within each of the three tubes, and
several vehicle fires dispersed throughout. All traffic traversing the Lincoln Tunnel
came to a complete halt as several points along the 1.5 mile tunnel were blockaded
with wrecked vehicles. Team F watched and confirmed the destruction from a
vehicle in front of the fray, continuing on unscathed to the next stage of the attack.
USE CASE 3
Emergency response vehicles were dispatched within seconds via the closest fire
and emergency response location. A few other members of Team F were also
present directly on the traffic control system network via both physical locations
and remote means. 16
Over the past three months while the firmware updates were being deployed to the
taxis, limousines, and ambulances, Team F was physically pulling manhole covers
while dressed in apparent traffic control systems repairmen garb. This was done in
very low security and low risk locations that would most likely share infrastructure
with the same systems that would be utilized by the emergency response vehicles. 17
34
35. Team F placed a few wireless routers on network equipment that is used for the
traffic control systems, including traffic cameras, via these physical attacks. 18 Only
three routers were needed to gain persistent connectivity to the traffic control
systems.
The traffic light systems ride on a network that is not access control listed off from
the video control systems. 19 This allowed Team F to easily manipulate the traffic
light control system from both an emergency lighting standpoint as well as a
maintenance mode standpoint, placing lights to blink in directions that are contrary
to an emergency medical response.
Furthermore, the camera systems in and around the tunnel often utilize a set of
video communications that is claimed to be obfuscated end-to-end. However, often
times the methods of obfuscation are actually utilizing wrapper based end-to-end
communications. These common headers are well known within the traffic control
systems community. The fact that these are known headers allows for stripping of
the wrappers on the communications packets and thereby collecting the raw video
feeds in an un-obfuscated fashion. Consequently, this communications obfuscation
is no replacement for end-to-end encryption. 20
Team F has done this packet stripping and created a number of traffic video
recordings that indicate normal activity, including some with emergency vehicles
passing by. 21 They placed these recordings into the camera network’s live stream
35
36. for critical spots during the responder’s route. This created confusion and
miscommunications between the dispatchers and the emergency responders.
Team F had another method of attack to others already impacted by the traffic
system. This consisted of the mesh networks that the remaining compromised taxis
and limousines used to communicate amongst one another which allowed for more
direct control of the CAN bus units. 22 This mesh network allowed for Team F to
randomly apply brakes and acceleration throughout any of the compromised
vehicles and the connections they could acquire via their customized PWNIEPRO. 23
USE CASE 4
The mesh network also allowed for communications back to dispatch on the
vehicles that were not compromised through the firmware update affecting each
vehicle in the fleet’s mesh system. 24 These communications allowed for Team F to
modify the run-time parameters reported back to the dispatch through the mesh
systems and base stations. 25 The vehicles could erratically accelerate at different
rates thereby creating yet more confusion and accidents throughout the routes to
the two closest hospitals.
Intermingled with emergency responders were nearby NYPD police officers and transit
authority officials on the north end of the tunnel. It was immediately clear to the
local police that this was not an unlikely set of random accidents, but a coordinated
terrorist attack affecting all three tubes simultaneously. Due to the nature of the
36
37. incident and their recently updated standard operating procedures, the local
authorities activated their toxic gas detecting wristbands before driving into the
tunnel. The wristbands themselves wirelessly communicate with the patrol car’s
CAN bus system, sending clear text alerts automatically to dispatch for faster
dissemination of chemical and biological detection. 26 Almost immediately after
entering the tunnel, the sensors detect heavy concentrations of phosphine gas, a
colorless toxic gas that is extremely flammable and explosive. The wristband
worked flawlessly notifying the wearer and sending an alert to the local police
station; the police then notify all local authorities and emergency personnel to not
enter the tunnel without proper suits and respirators; significantly delaying any
rescue attempts to injured motorists inside the tunnel.
What the authorities did not know is that there was no phosphine gas in the tunnel,
Team F successfully hacked the wristband and created a false positive which was
then reported. Team F was able to accomplish this by using the PWNIEPRO to
exploit the lack of access control on the wristband itself. 27 A quick sniff for open
communications points in the area and interception of the wireless clear text
communications between the wristband and the CAN bus system in the patrol car
was all Team F needed to identify their next target. 28 Team F used this vulnerability
to gain access to the wristband, root the device with the scripts on-board the
PWNIEPRO, and generate a false positive alert which appeared to be authentic. 29 As
accident victims were able to walk out of the tunnel with no visible signs of
exposure, it took an additional 30 minutes before the confusion cleared and local
37
38. authorities realized there was no toxic gas.
USE CASE 5
Many of the victims that could be removed from the tunnel were taken to the closest
hospital via helicopter airlifts due to the traffic disruptions. This was a result that
Team F anticipated and had smaller teams waiting at each location to execute the
next set of events.
These smaller tactical teams had been running reconnaissance missions within the
hospital to gather the types of medical devices they use, their network architecture
mappings, and the most commonly used high-impact support devices as targets for
a few months. 30 They decided initially to focus on the pumps used to deliver fluids,
blood, and drugs to patients, heart monitors, and the medical record management
system.
However, they had also decided to target any vulnerable machines they could find as
a result of the tight integration with Bluetooth devices for dictation and wireless
communications devices that would communicate with the crash carts and
specialized pumps. 31 During their reconnaissance, they also noticed a number of
HVAC systems, three of the five elevator systems, and emergency power systems
sharing the same network. 32
Team F has more targets time to execute on the targets.
38
40. APPENDIX C - Distilled Tenets
1. General Security
a. Systems MUST have documented threat models.
b. Systems MUST be engineered to fail safely.
c. The data usage, safety, and privacy aspects of life critical embedded
systems MUST be clearly documented in lay terms.
d. Devices MUST only run hardened code.
e. Devices MUST enforce least privilege.
2. Communications Security
a. All interactions between devices MUST be mutually authenticated.
b. Continuous authentication SHOULD be used when feasible and
appropriate.
c. All communications between devices SHOULD be encrypted.
3. Boot-time Security
a. Devices MUST NEVER trust unauthenticated data and code during boot-
time.
b. Devices MUST NEVER be permitted to run unauthorized code.
4. Run-time Security
a. Devices MUST mitigate run-time security risks, including malicious data.
b. Devices SHOULD NEVER trust unauthenticated data during run-time.
40
41. c. When used, cryptographic keys MUST be protected.
5. Managing Life Critical Embedded Systems Securely
a. Devices and systems MUST be built to include mechanisms for in-field
update.
b. Devices and systems for managing updates MUST be mutually
authenticated and secured.
6. Security for Back-end Systems
a. Systems communicating with life critical embedded system devices
MUST be protected in accordance with industry best practices.
7. Monitoring for Advanced Threats
a. Systems MUST be monitored for threats capable of defeating or avoiding
these tenets.
41
42. APPENDIX D - References
1. Evans, Dale. The Internet of Things: How the Next Evolution of the Internet is
Changing Everything. CISCO Internet Business Solutions Group. April 2011.
2. National Institiute for Standards and Technology. FIPS PUB 186-4: Digital
Signature Standard (DSS). 2013.
3. MacKay, Ken. micro-ECC: A small and fast ECDH and ECDSA implementation for
8-bit, 32-bit, and 64-bit processors. GitHub repository. [Online]
42