What is the Response to Security Incidents in the Embedded World?
By Tim Radzykewycz
It is simply a reality that no computer system is impervious to threat or some sort of compromise. However, it is an industry best practice to deploy Intrusion Detection Systems (IDS) to detect intrusions, have rapid access to an Incident Response Team (IRT) to investigate the intrusion, and have a plan on how to deal with certain, pre-identified types of intrusion.
That’s for a typical IT environment, but how does this best practice apply in the embedded world? The world of embedded is quite large and diverse, and the response differs depending on the area. What’s appropriate in an automotive or medical environment might be quite different from what’s needed on a factory floor, and that might be quite different from what’s appropriate for a home appliance.
In all cases, a security evaluation is appropriate, as well as creating specific plans on how to deal with intrusion. Some evaluations may be quite simple, and the plans that derive from them might be very straightforward. In other cases, the evaluation and planning may be significantly more complex than a typical IT environment. To be most effective, the evaluation and planning should happen before deployment, and in fact, usually during product design. Retrofitting functionality into a device that was designed without these requirements can be difficult and ultimately, bring about significant consequences. In today’s connected world, security cannot be an afterthought.
Once the evaluation has been performed and response plans are being created, it is time to look at requirements for IDS and the features that are needed. This can be divided into two broad divisions: how to detect the intrusion and how to report it. During secure boot, measurements are taken, which can also be integrated into an intrusion detection plan if that is desired. Do you want detection to be based around network traffic? If so, the Wind River Linux snort and suricata packages can be helpful. Do you want detection to be based around file integrity? The Wind River Linux IMA Appraise feature can be helpful to assist with detection of compromised executable files, or at a broader level, detection can be integrated with system backups so that the process is integrated with the duplicity remote backup system and the actual detection is performed remotely.
Typically in the embedded world, detection relies heavily on information local to the device, rather than information within an intranet. But that depends in part on the type of device and in part on the industry and environment where it’s deployed. Consider, for example, the case of a robot on a factory floor. Of course, the robot should have some level of detection capability, regardless of the network environment. But, it may not need to spend as much time trying to detect intrusion if the network it’s connected to is partly isolated from the internet. In that case, the gateway device can likely provide protection more easily. But that same factory robot would need more protection if the gateway does not provide sufficient isolation. In a much different scenario, a spacecraft would have different intrusion detection requirements and different contingency plans in case an attack was detected. Then, consider a tablet used to display medical records, it may rely on a remote server for more of its intrusion detection capabilities.
OK. So there’s a security evaluation, and requirements for intrusion detection. And, contingency response plans are being created. In the IT world, the next consideration is a team for incident response. Again, embedded is a quite varied market, and incident response plans can vary as significantly as the markets themselves. In some cases, there may not even be real response teams, other than marketing or public relations teams to manage the communications around an incident. In other instances, it may be necessary to identify what has been compromised for legal or other reasons, in which case a response team must be available.
In summary: the IoT world has a huge and diverse range of security environments that affect security planning and response. Wind River, the world’s leader in embedded, can help both with the technology to help meet requirements, and with consulting expertise to help perform evaluations, create response plans, and conduct incident response investigation. To learn more, have a look at our comprehensive range of security expertise.