Cyber Security in Embedded Systems is just like a Digital Fortress

8 min readMay 13, 2022

Let’s talk about embedded systems.

In what way is the system’s security similar to a fortress?
How do security systems work?
Why are they so critical?
What should be taken into account when choosing third-party contractors?

Today we will answer those questions and much more. In this article, we will try to cover the subject of cyber security in automotive and embedded systems. Here you will find a bundle of useful tips and tricks we gathered from one of our projects for the automotive industry.

Make the Fortress Hard to Conquer

Since the beginning of mankind, we have always prioritized security systems. Back in the day, people built fortresses to protect what was valuable and important to them: treasures, weapons, and above all — human life.

The idea of protecting valuable information and treasures or controlling access to selected areas or lands is very old. For example, in the Middle Ages, fortresses were used to protect lands and places of strategic importance. However, designing and building such construction is an extremely challenging task.

There are plenty of factors to consider. You must always remember to adapt the construction to the surrounding environment and your current capabilities.

Here’s what you need to take into account:

the shape and size of the construction,
the size of defense elements,
the size and amount of offensive elements,

Your Security System is a Fortress (With a Castle Inside)

Building a fortress is quite demanding. To get the idea, let’s take a bit of a deeper dive into how medieval fortresses were built. Most often, we can observe several key elements in this type of building:

a moat surrounding the fortress,
a drawbridge over which the inhabitants enter the fortress,
defensive gates that protect selected parts of the fortress,
fortification walls that surround and protect the fortress,
defense towers where archers are stationed,
a barbican (a special construction that protects the drawbridge from attack).

All the elements above are essential and play a very specific role in the defensive system. Missing just one of them might significantly reduce the construction’s defensive potential.

How to Build the Fortress?

Where to begin when building a fortress? The best place to start is by building a moat that is deep and wide enough to make it impossible or at least very hard, to cross without a drawbridge. That makes sense, right?

As always, the devil is in the details. The width of the moat should be also adjusted to the capabilities of your army, e.g., to the range of archers or war machines, so that you are able to attack the enemy from behind your defense walls.

The Importance of the Moat

The moat is your first line of defense against a direct attack. It prevents from attacking the fortress by removing easy access to the defensive walls and gates. The potential enemy would have to use fancy-schmancy war machines to break them and get inside and then it would be a lot easier for them to launch all sorts of attacks on the fortress.

Imagine a little island with defense walls surrounded by a moat where our fortress is going to be built. The island is the “hardware,” for instance, the microcontroller, where we’ll embed our software in the future.

Now, hardware (HW) issues are extremely important when it comes to security. Here are some key hardware-related elements that you must make sure you never miss:

Ensure the flash memory read protection bits are set correctly.

Maybe that sounds obvious, but often we make mistakes in such areas. For instance, perhaps someone forgot to handle the new security registers in the microcontroller when it was changed to one with more flash memory.

Check if the microcontroller requires a tamper protection layer for your project.

The tamper protection layer in a microcontroller or secured components is not bulletproof and there are ways to get rid of it. There are also different types of anti-integration layers — both simple and more difficult to bypass. It is worth making a wise decision about which microcontroller you choose as well as the type of layer.

Make sure that the microcontroller has a high-quality RNG (random number generator) and that it works properly including after power-up and reset.

History has shown that such hardware components have internal faults, so testing them is recommended.

Read errata of microcontroller from a cyber security point of view and verify errors in security modules as well as all events that can cause exceptions, resets, and so on.

Unhandled exceptions or other reset mechanisms in the system can be a potential vulnerability.

Software/Hardware (SW/HW) Interfaces

Having built a moat and part of the defense walls, the next step is to build drawbridges and gates. That is another element that requires special attention. All traffic goes through the drawbridges and the gates. From a bandwidth point of view, these roads should be as wide as possible and free of obstacles, such as gratings, to avoid disturbing the flow. The other option to ensure undisturbed bandwidth is to build as many gates as possible.

However, as you can guess, the devil is in the details. If the gates and drawbridges are too wide and without proper protection, they may encourage the enemies to attack. It is easier to attack gates that are not protected or so wide that full traffic monitoring almost becomes impossible. That is the reason to add such constructions as barbicans and gratings to help protect all the drawbridges and gates in the fortress.

How does it translate into the cyber security world: any unprotected system interface is asking for trouble. The goal is to reduce the surface area of attack in our system, rather than expand it unduly.

Summing it up, here’s what you always need to bear in mind:

deactivate your JTAG or another programming interface,
activate protection mechanisms for all HW interfaces if possible,
handle all possible exceptions,
focus on testing the parts of code responsible for handling interfaces (queues, ring buffers, DMA, copying data algorithms, headers checking algorithms, and CRCs).

If you are not sure which part of your code should be most thoroughly verified, always extensively test the code that is most exposed to the external environment (e.g., codes that handle frames directly).

Such measures will help to reduce the amount of attack surface area in specific parts of the system.

Cooperating With External Suppliers

Building such a big construction as a fortress is not a one-man job. To achieve cyber security within a set timeframe, it is completely normal to need external help from third-party companies. However, you mustn’t miss one fundamental thing here.

No matter how big and well-known the company is or how much you like the people who work there if they tell you that their quality of work is top-notch and all the required testing has been done internally — don’t take their word for it.

At the end of the day, you are the one that is responsible for the solution. All the codes delivered should be tested by them or by you. If your supplier performed the tests, you need access to the results to verify them and make sure that they meet your requests and are within the agreed scope. It is unacceptable if they say the test results are confidential.

Remember that lack of testing or certain deficiencies in testing did not occur due to the bad intentions of the supplier. The cyber security discipline is fairly new in the automotive industry. For the time being, not many companies deal with this area properly. On top of that, there are other factors such as deadlines and human error that come into play. Of course, if your partner follows their own methods and for some reason does not provide test results, you must carry out the tests on your own.

Always remember:

If your supplier is not proficient in cyber security, help them — that way you will both benefit.
Express your concerns if they claim that the delivered work is spot on.
Spend enough time to verify delivered code or test results and execute your own tests (in most cases, one or two weeks is not enough).
If possible, ask the relevant person to include a paragraph in the co-operation agreement about providing cyber security testing to the code you have created.
Defects can occur at the integration level, not just in delivered components.
The burden of reporting a bug is on you.

The Key Role of the Supervision of Hw and SW After the Development Process

Once the fortress is finally finished the real adventure begins. Now is the time when the previously made assumptions and completed work are faced with real threats. We need to make sure that our resources — are ready for the fight. We must train the knights and collect the required armor and weapons to sustain the stable protection of the fortress at the highest level possible.

We must prepare the action processes, servers, software, hardware, and tools. Then we ought to continuously expand our knowledge of possible new threats. Most often, this part of a project is underpaid and we lack resources such as people, skills, and time. When real exploitable vulnerability appears, it’s not the right time to:

create procedures that describe what should be done and by whom,
search for/through the right code repositories with code and whole tools to develop and test,
search for/through documentation of ASIL levels, interfaces, lists of protection mechanisms, and lists of suppliers, or check which part of the code is open-source,
scroll CVE databases to find any missed vulnerability.

That is why it is always important to remember to: