3 steps to keep your product in the market and secure for longer

Embedded systems are becoming crucial components across various industries, but they face numerous challenges when it comes to security and long-term maintenance. In this blog, based on a webinar with STMicroelectronics and Witekio, we’ll explore the main obstacles embedded devices face and discuss the regulatory frameworks, compliance requirements, and best practices to keep your embedded systems secure for the long term.

Embedded systems cybersecurity challenges

Embedded devices, often designed to work autonomously for extended periods, are highly susceptible to cyberattacks. Here are some of the major security challenges:

Attack target & vector

Embedded systems are frequent targets of cyberattacks and can be exploited as attack vectors for larger, more critical systems.

Infrequent updates

The deployment of security updates is often overlooked in embedded devices, making them more vulnerable over time.

Long presence on the field

These devices can remain in the field for years without active monitoring, operating in “just-works” mode.

Limited monitoring

Unlike larger systems, embedded devices typically aren’t covered by centralized monitoring tools such as EDR.

Shared vulnerabilities

Many embedded devices use the same open-source components as larger systems, leading to new vulnerabilities emerging daily.

Large attack surface

Due to their high level of connectivity, embedded devices have a broad attack surface that hackers can exploit.

Transparency on vulnerabilities

Open-source samples and visible designs make it easier for attackers to study and identify weaknesses over time.

And it does not end there: the landscape of cybersecurity threats is becoming more and more complex. As more systems become interconnected, even non-critical devices can compromise critical infrastructures, underscoring the importance of securing all products.

Evolving regulations: another challenge to tackle

As the number of connected devices grows, so do concerns about privacy and security. Governments around the world are stepping up with regulatory frameworks to protect critical infrastructure and citizens’ privacy. Let’s dive into the regulatory frameworks in Europe and the United States that are setting the tone for embedded device security.

European regulatory landscape

Cyber Resilience Act (CRA)

The Cyber Resilience Act ensures that embedded systems remain resilient to cyber threats throughout their lifecycle. This includes security risk assessments, secure development practices, continuous vulnerability monitoring, timely updates, and mandatory reporting to authorities. The CRA’s comprehensive focus means that devices must not only be secure at launch but remain secure through continuous oversight and updates.

Read our in-depth dossier on the CRA for further details.

Radio Equipment Directive (RED)

The RED establishes a regulatory framework for the placement of radio equipment on the market, ensuring compliance with safety, electromagnetic compatibility, and efficient spectrum use. Additionally, it covers:

  • Privacy & Fraud Protection
  • Interoperability & Emergency Services
  • Compliance at Product Launch
  • Resilience & Updates
  • Security Risk Assessments

Other European regulations such as NIS2, DORA, and GDPR also play a crucial role in ensuring the security of embedded devices.

U.S. regulatory landscape

In the U.S., cybersecurity regulations are continually evolving, with a range of initiatives at both federal and state levels.

Executive Order 14028

Issued in 2021, the Executive Order 14028 introduces comprehensive cybersecurity measures for government networks, focusing on information sharing for cyber incidents, secure cloud services, zero-trust architectures, and multi-factor authentication. It also mandates the establishment of a Cybersecurity Safety Review Board and standardized response playbooks for federal agencies.

SEC Cyber Rules

The U.S. Securities and Exchange Commission (SEC) requires companies to disclose cybersecurity incidents and detail their cybersecurity risk management strategies.

Cyber Trust Mark

The Cyber Trust Mark is a voluntary cybersecurity labeling program being developed by the Federal Communications Commission (FCC) for wireless IoT products. This label will help consumers identify trustworthy devices and incentivize manufacturers to meet higher security standards.

Step 1: Assess the security risks your device is facing

The first step in securing your embedded systems is to conduct a thorough security risk assessment. This involves identifying potential threats, understanding the attack vectors, and evaluating the vulnerabilities inherent in your devices. Once the risks are understood, a strategy to mitigate these risks must be developed.

A risk assessment will provide a clear path forward in terms of what needs to be addressed before moving to development.

Step 2: Incorporate security features and best practices in your development

Once the risks are assessed, it’s time to integrate security directly into the development process. Key security features to incorporate include integrity protection, access control, attack surface minimization, and confidentiality protection.

In practice, this could mean implementing secure boot mechanisms to prevent unauthorized code from running on the device, encrypting firmware to protect against tampering, and deploying secure key management systems. Incorporating these elements from the start ensures a solid security foundation that can be built upon as the product evolves.

Monitoring the supply chain and provisioning secrets during manufacturing is also crucial. Ensuring that sensitive information, such as encryption keys, is securely handled throughout the development process is key to safeguarding embedded systems from malicious actors.

Step 3: Maintain the security with updates and vulnerability monitoring

Embedded systems are often deployed for long periods, sometimes a decade or more. This makes long-term maintenance, including regular updates and vulnerability assessments, critical. Without proactive monitoring and timely patching, embedded devices become sitting ducks for new cyber threats.

Security updates should be regular and responsive to emerging vulnerabilities. Periodic vulnerability assessments help identify potential issues before they are exploited, ensuring that devices remain protected throughout their lifecycle. CVE scanners can be used to automate the detection of vulnerabilities, allowing manufacturers to focus on mitigation strategies.

CVE Scan web interface - Dashboard view
Example of dashboard generated by CVE Scan

Solutions available on the market to keep your device secure

Hardware solutions

Many silicon vendors now offer hardware specifically designed to ensure long-term security, and STMicroelectronics is a prime example. Their STM32MP13 and STM32MP25 microprocessors come with certifications such as SESIP3 and PSA, which include essential security features like secure boot and real-time updates. These certifications provide an added layer of trust, ensuring that devices remain secure throughout their lifecycle.

STMicroelectronics also offers long-term product maintenance, providing up to 10 years of support that includes:

  • Ongoing security patches and updates
  • Participation in Linux community upstream efforts
  • CVE check and corrections via patches
  • A robust maintenance strategy aligned with the latest long-term support (LTS) Linux kernels

For more details, it’s advisable to consult your hardware provider’s website to understand the specific security solutions they offer.

Software solutions

For embedded software, several options are available to ensure security over the product’s lifetime.

Professional services

You can choose to externalize tasks like security assessments, secure development, and ongoing maintenance to professional service providers such as Witekio. They provide support at every stage of the development process, ensuring that security is built into your system from the ground up.

Ready-to-use tools & frameworks

Alternatively, you can opt for tools that already integrate all necessary security features. Solutions like Welma Yocto Linux, a secure embedded Linux distribution, offer comprehensive security compliance. Additionally, tools such as the CVE Scan provide continuous vulnerability monitoring, helping you keep your product secure by identifying and addressing threats in real time.

Long-term security isn’t just about compliance—it’s about ensuring the longevity, integrity, and reliability of your products in a world where cybersecurity threats continue to evolve.

Watch the replay of the webinar

Speakers

Vincent Desespringalle - STMicroelectronics

Vincent Desespringalle

MPU Ecosystem Marketing Manager, STMicroelectronics

Lauret Sustek

Security Technical Marketing, STMicroelectronics

Julien Bernet - Cybersecurity Leader - The Embedded Kit

Julien Bernet

Security Leader, Witekio

Pierre Gal, Head of Product Development at The Embedded Kit

Pierre Gal

Head of Product, The Embedded Kit

Our partners

Logo of Witekio, an Avnet company and partner of The Embedded Kit
STMicroelectronics logo - Welma Yocto Linux

Related content

Discover more from The Embedded Kit

Subscribe now to keep reading and get access to the full archive.

Continue reading