More and more devices are connected to the internet. The Internet-of-Things (IoT) has therefore seen a strong rise in recent years. This reduces the development costs of connected devices. In addition, products are equipped with various communication facilities, and smartphones are used as controllers for other devices. Simple devices such as sensors, coffee machines, refrigerators or lighting can now be controlled remotely via the smartphone. Linking smart embedded devices with computer systems via networks offers many advantages, but it also has a downside. After all, they become subject to cyber attacks. Kaspersky, for example, detected about 105 million attacks on 50 self-installed IoT devices (“IoT honeypots”) in the first half of 2019. A year earlier, this was only 12 million. These devices are often equipped with limited resources and little attention is paid to security during development in order to reduce the cost price. Some devices have been developed to be used in a shielded IT infrastructure and have been protected in this way. However, by deploying these devices in complex environments and connecting them to the internet, they are exposed to many new threats. Successful attacks can lead to reduced quality-of-service, loss of data, takeover of the devices, breakage or breaches of the surrounding network infrastructure. A positive aspect is the fact that many new technologies have been developed in recent years that can be used to secure the devices connected and embedded. On the other hand, attacks are also becoming more sophisticated. It is therefore very difficult for companies to assess which measures and technologies are suitable for their speciﬁc needs. The range of technologies is very wide. In addition, the technologies are becoming more and more advanced, so that absorbing the required knowledge about the security technologies is certainly no easy task.
This project is part of the policy plan of the Flemish government with regard to cybersecurity, and focuses on improving the security of embedded devices. The target group therefore consists primarily of developers and manufacturers of embedded devices, both for small and large companies.
This project aims to transfer knowledge of security analysis, security-by-design methodologies and security technologies to useful tools for developers of secure embedded systems. The target user group consists of at least 20 active members. The results of this project (i.e. guidelines, tools, …) are bundled in an embedded security guide. First, insights are provided on contemporary attacks, common vulnerabilities, and the security technologies that can help us avoid such problems. Depending on the available resources (eg battery, memory and processing power), the autonomy requirements and the environment in which the device will be deployed, different guidelines are drawn up. These include hardware and communication technologies, as well as OS facilities and software libraries. Second, the know-how and tools are provided to identify the vulnerabilities of existing devices and assess their impact. Third, methodologies and steps to achieve effective security management are provided, ranging from the security-by-design principle to monitoring the security of products after marketing. Specifically for existing systems, guidelines and techniques are also being established (a) to protect them from more sophisticated attacks, and (b) to create opportunities to deploy the devices in more hostile environments. In consultation with the guidance group, three demonstrators are developed to validate the various guidelines and methodologies. In addition, at least 3 test setups are also set up to demonstrate existing vulnerabilities and respective measures.
Expected results and impact
For the partners in this project, it is expected that the results of this project will provide support to their main activities and be immediately deployable. To maximize the further dissemination of the project results, the embedded security guide for developers is being developed. It bundles the key concepts, insights, best practices and guidelines, provides an overview of technological security building blocks, and documents the requirements of effective security management. The guide can be consulted online or downloaded. The networks of Agoria, DSPValley and LSEC – Leaders in Security are used to disseminate the project results to technology companies and to support the organization of dissemination activities. Because of this approach, and the sizeable size of the broader target group, we are aiming for several dozen developers – target 50 unique organizations – who will use the embedded security guide during the project with a multiplier effect after the project has ended. Through the integration of the project results in the curriculum of Industrial Engineering Sciences on the campuses of KU Leuven and VUB, the professional bachelor course ElectronicsICT at the technology campus Ghent, and through postgraduate training initiatives, several hundred students can be reached per year.