At the recent Take Down Conference, a scheduled talk on security vulnerabilities in SCADA (Supervisory Control And Data Acquisition) systems was cancelled due to direct requests from the Department of Homeland Security and Siemens (CNET - "SCADA hack talk canceled after U.S., Siemens request" . The request was made because the details of the vulnerabilities and the exploits associated with these vulnerabilities were too sensitive at this point in time. (The researchers have announced that these will be revealed at the upcoming Black Hat conference in August 2011).
This type of request is unusual since the common approach of researchers in the security field is full disclosure so that vulnerabilities are well understood and hopefully, quickly fixed. What this does indicate is the emerging importance of embedded system security in the eyes of the government, the security research community and the technology media in general. The Stuxnet malware initiated this new awareness since its public revelation in 2010.
Embedded systems are the key control and data acquisition point for much our infrastructure - power grid, nuclear power plants, dam control, factory control, robotics, etc. Unlike well known cyber attacks such as denial of service or information breaches (typically on enterprise systems), the possibility of doing real physical harm damage is possible with attacks on infrastructure and the embedded systems that control them.
The new emerging front in cyberwarfare is embedded systems. In particular, control systems that are controlling and monitoring key infrastructure. Attacks on these systems can mean loss of life, injury, financial loss and reduction or loss of key resources such as water, electricity, gas and oil. Its now time for the embedded systems industry to make security a leading topic of discussion and to introduce secure design principles into control systems software. As we move into the Machine-to-Machine (M2M) era where every device is connected and networked, security is paramount design consideration.
We'll be looking at various topics in embedded systems security in upcoming posts, stay tuned.