Security for cyber-physical systems – 7 steps towards success
2020-05-18 | The importance of security considerations in cyber-physical systems is growing due to the increasing connectivity of smart edge devices that communicate via the Internet (e.g. remotely operated systems, autonomous vehicles and machines, or medical testing devices). More and more often, such systems become the target of cyber-criminal activities. When a system is breached, the consequences can be severe, ranging from sensitive data being leaked to human lives being endangered when safety-critical systems malfunction. In the following article, we guide you through the design process for a secure embedded system in 7 steps based on our practical experience.
System security is more than just a technical necessity. Done correctly, it is a complex task that must be tackled with great care and a comprehensive approach by experts. Challenging questions that need to be answered include:
- Which parts of the system need to be secure?
- Which norms/standards/regulations are applicable?
- What level of security do they need?
- How can I achieve the required level of security?
- Should I have or do I need approval/certification?
- How can I maintain the level of security?
For a system to be reasonably secure, several attributes have to be considered and ensured in accordance with the acceptable risk level (i.e. the combination of probability and impact of a risk scenario). A commonly used model is the CIA triad showing the three most crucial attributes of security:
- Confidentiality: access to and disclosure of sensitive data is only granted to authorized entities
- Integrity: guarding information from unauthorized modifications and deletion
- Availability: ensuring that data and/or the system and its services are available when required
The ideal approach is to include security considerations from the beginning and integrate suitable measures in the system design to safeguard data and functionality. However, the following process can also be applied to legacy systems.
Step 1: Scope Definition
The first step is to define the scope and boundaries of the system. This includes a detailed description of the system, its interfaces, use cases, interacting personnel and the environment the system is embedded into.
The next challenging task is defining and selecting appropriate norm(s) for security risk assessment and security implementation in the ever-evolving landscape of security-related standards in the field of embedded systems. The most recent and most widely applicable standard series is IEC 62443, which targets security for industrial automation and control systems and their communication networks. However, other industry-specific norms and regulations might also apply. Hence, the task is to select the appropriate set of standards for the respective product and the assessment at hand.
Step 2: Define Security (Risk Assessment)
In the course of the design process, we offer our customers a detailed Security Risk Assessment according to the applicable norms, e.g. NIST SP-800-30, IEC-62443-4-1, ISO IEC 27005 or AAMI TIR 57. The purpose of the risk assessment is to identify risks, i.e. to determine which events could occur that have a harmful impact on the system. Important questions that must be answered are the following:
- What to protect? (Assets, e.g. software, hardware, data, processes)
- Protect from whom? (Agents, e.g. cyber criminals)
- Protect from what? (Threats, e.g. disclosure of sensitive information, manipulation of firmware)
- What makes these threats possible? (Vulnerabilities, e.g. missing or weak means of authentication, unsecured communication channels, software vulnerabilities, poor password policies)
Based on these results as well as the previously determined system scope and description, our security experts identify risks and evaluate them together with the customer’s product team in our structured Security Workshop. Each risk is assigned a probability and an impact to determine its risk level. Based on this prioritization, the objectives / strategies / measures are then defined in order to mitigate each risk to an acceptable level in accordance with the given norms and standards.
Mission Embedded provides guidance and accompanies you during this process. As a result, we provide you with the conceptual foundation to establish a secure environment and to reasonably secure your product.
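As an added illustration of the probability/impact scoring described above (example code written for this article, not a Mission Embedded tool or template): a small risk register in Go that scores each risk, orders the register by priority and checks which residual risks still exceed the acceptable level after a measure is applied. The three-level scale, the score-to-level thresholds, the sample risks of an imaginary remotely operated device and the acceptable level "medium" are all constructed assumptions; a real assessment uses the scale and acceptance criteria of the chosen standard.

```go
package main

import (
	"fmt"
	"sort"
)

// Level is the qualitative scale used in this constructed example (1 = low, 3 = high).
// Real assessments use the scale of the chosen standard; this mapping is an assumption.
type Level int

const (
	Low Level = iota + 1
	Medium
	High
)

func (l Level) String() string {
	return [...]string{"?", "low", "medium", "high"}[l]
}

// Risk is one row of the register: an asset, a threat against it, the probability and
// impact assigned in the workshop, and the residual values after the chosen measure.
type Risk struct {
	Asset, Threat string
	Probability   Level
	Impact        Level
	Measure       string // mitigation; empty if none has been defined yet
	ResidualProb  Level  // probability once the measure is in place
	ResidualImp   Level  // impact once the measure is in place
}

// riskLevel combines probability and impact into a score (1..9) and a level label.
// The thresholds 3 and 6 are assumptions for this example.
func riskLevel(p, i Level) (int, Level) {
	score := int(p) * int(i)
	switch {
	case score >= 6:
		return score, High
	case score >= 3:
		return score, Medium
	default:
		return score, Low
	}
}

// Prioritize returns the register sorted by inherent risk score, highest first,
// which is the order in which measures should be defined.
func Prioritize(register []Risk) []Risk {
	out := append([]Risk(nil), register...)
	sort.SliceStable(out, func(a, b int) bool {
		sa, _ := riskLevel(out[a].Probability, out[a].Impact)
		sb, _ := riskLevel(out[b].Probability, out[b].Impact)
		return sa > sb
	})
	return out
}

// Unacceptable lists the risks whose residual level is still above the acceptable
// level, i.e. which still need additional or stronger measures.
func Unacceptable(register []Risk, acceptable Level) []string {
	var open []string
	for _, r := range register {
		if _, lvl := riskLevel(r.ResidualProb, r.ResidualImp); lvl > acceptable {
			open = append(open, r.Asset+": "+r.Threat)
		}
	}
	return open
}

// SampleRegister is a constructed register for an imaginary remotely operated device.
func SampleRegister() []Risk {
	return []Risk{
		{"firmware", "manipulation of firmware image", High, High, "signed images, secure boot", Low, High},
		{"telemetry data", "disclosure over unsecured channel", Medium, Medium, "TLS with mutual authentication", Low, Medium},
		{"maintenance port", "weak password policy", High, Medium, "", High, Medium},
	}
}

func main() {
	reg := Prioritize(SampleRegister())
	for _, r := range reg {
		score, lvl := riskLevel(r.Probability, r.Impact)
		fmt.Printf("%-16s %-36s inherent=%d (%s)\n", r.Asset, r.Threat, score, lvl)
	}
	fmt.Println("still above acceptable level:", Unacceptable(reg, Medium))
}
```

Note that the measure for the firmware risk lowers the probability but not the impact: a manipulated firmware image is still catastrophic if it ever runs, which is why secure boot is about making it improbable rather than harmless. The maintenance port has no measure yet and therefore remains on the open list.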
Mission Embedded Services and Solutions:
- Experienced experts with intelligent strategies
- Existing blueprints/references from similar projects
- Document templates for Risk Assessment, Trust Case, Security Profile
- Certification/approval support
Step 3: Design Security (Security Profile)
In a Security Profile tailored to your application, the implementation of the objectives and strategies defined in the Risk Assessment is detailed and the technical requirements are specified, i.e. what will be implemented and how it fits together. In this detailed concept specification, we ensure that all previously specified targets/objectives are met.
An exhaustive overall analysis of the security objectives would go beyond the scope of this article. The image below aims to demonstrate the complexity of security considerations and processes. The Mission Embedded experts are happy to help you with any questions you may have.
Step 4: Implement Security
Based on the Security Profile, Mission Embedded establishes a chain of trust for the complete system or application (i.e. a linked path of validation and verification from a trust anchor down to an end-entity certificate). Depending on the system security scope the implementation activities might address several phases in the product lifecycle – from supply chain and production to maintenance processes.
For the devices themselves, secure hardware (processor, trusted platform module) is the foundation for safeguarding a system and ensuring the integrity and authenticity of the bootloader as well as the dedicated application. Building on the chain of trust, Mission Embedded secures the system and its interfaces by verifying and safeguarding the file system, encrypting communication channels, or protecting sensitive information. This hardened system efficiently protects data, functionality, and services from unauthorized third parties.
Examples of the implementation of other Security Profile objectives include unique device identification, credential management, key management and PKI (public key infrastructure), device authentication, remote device update, over-the-air updates and secure data exchange.
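To make the chain-of-trust idea from Step 4 concrete, here is an added example (written for this article, not Mission Embedded's or any vendor's code) that models secure boot verification in Go with Ed25519: the trust anchor's public key verifies the bootloader's signed manifest, and the key delegated in that manifest verifies the application, the end entity. The manifest format, the stage names and the image bytes are constructed assumptions; on a real device the anchor key sits in immutable storage (e.g. fused OTP on the SoC or a TPM) and the images are real firmware.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Stage is one link in the chain of trust: an image plus the public key that is
// allowed to sign the next stage. The end entity delegates no further key.
type Stage struct {
	Name       string
	Image      []byte
	NextPubKey ed25519.PublicKey // nil for the end entity
	Signature  []byte            // made by the key delegated from the stage above
}

// Manifest returns what is actually signed: a hash binding the stage name, the
// image contents and the delegated key together (this format is an assumption).
func (s Stage) Manifest() []byte {
	h := sha256.New()
	h.Write([]byte(s.Name))
	h.Write([]byte{0})
	h.Write(s.Image)
	h.Write([]byte{0})
	h.Write(s.NextPubKey)
	return h.Sum(nil)
}

// VerifyChain walks from the trust anchor down to the end entity. A stage is
// accepted only if its manifest carries a valid signature by the key that the
// previous stage (or the anchor itself) delegated to it; any break halts the boot.
func VerifyChain(anchor ed25519.PublicKey, chain []Stage) error {
	signer := anchor
	for i, st := range chain {
		if len(signer) != ed25519.PublicKeySize {
			return fmt.Errorf("stage %d (%s): no valid key was delegated to sign it", i, st.Name)
		}
		if !ed25519.Verify(signer, st.Manifest(), st.Signature) {
			return fmt.Errorf("stage %d (%s): signature invalid, boot halted", i, st.Name)
		}
		signer = st.NextPubKey
	}
	return nil
}

// BuildChain creates a constructed two-link chain: the anchor key signs the
// bootloader, and the key delegated by the bootloader signs the application.
func BuildChain() (ed25519.PublicKey, []Stage, error) {
	anchorPub, anchorPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	blPub, blPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	bootloader := Stage{Name: "bootloader", Image: []byte("bootloader image v1 (constructed)"), NextPubKey: blPub}
	bootloader.Signature = ed25519.Sign(anchorPriv, bootloader.Manifest())
	app := Stage{Name: "application", Image: []byte("application image v1 (constructed)")}
	app.Signature = ed25519.Sign(blPriv, app.Manifest())
	return anchorPub, []Stage{bootloader, app}, nil
}

// Tamper returns a copy of the chain in which one byte of the chosen stage's
// image is flipped, simulating a modified firmware image on the device.
func Tamper(chain []Stage, idx int) []Stage {
	out := append([]Stage(nil), chain...)
	img := append([]byte(nil), out[idx].Image...)
	img[0] ^= 0x01
	out[idx].Image = img
	return out
}

func main() {
	anchor, chain, err := BuildChain()
	if err != nil {
		panic(err)
	}
	fmt.Println("genuine chain:", VerifyChain(anchor, chain))
	fmt.Println("tampered application:", VerifyChain(anchor, Tamper(chain, 1)))
	fmt.Println("tampered bootloader:", VerifyChain(anchor, Tamper(chain, 0)))
}
```

Two properties of the design are worth noting. Because the delegated key is part of the signed manifest, an attacker cannot swap in their own application-signing key without also breaking the bootloader's signature, so trust really flows only from the anchor. And because the end entity delegates nothing, any stage appended after it is rejected, which is what "down to an end-entity certificate" means in practice.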
Step 5: Test and Validate Security
Penetration tests are then carried out either by Mission Embedded or, if requested, by an independent third party in order to verify all implemented measures and to ensure that system security complies with the latest state of the art.
Step 6: Get Approval (if applicable)
The results and artefacts of all previous steps are finally compiled into a Security Trust Case documenting
- the system definition,
- the conducted security risk assessment including threat identification, evaluation, and prioritization,
- the defined Security Profile(s),
- the implementation according to an adequate development process and
- test and validation reports.
This is the basis for the final security approval. Our expert team is also happy to support you during the approval of your product – or we can even take care of the whole certification process for you. Mission Embedded’s well-proven and tested security process provides a roadmap to approval and a secure system.
Step 7: Sustain and Maintain Security
Security is not a one-time job during system development or certification, but rather a continuous process throughout the entire lifecycle of a system. The Mission Embedded lifecycle team can monitor the system for newly emerging vulnerabilities, ensuring rapid incident response to security gaps, e.g. through a timely rollout of updates.