6 Essential Questions for Evaluating the Threat Landscape of Your Embedded Linux Devices
By Arlen Baker, Principal Security Architect, and Seth Cramer, Services Delivery Director
Let’s dispense with the usual horrifying stats and stories about the risks of a security breach in embedded Linux devices. We all know security threats and their associated costs are mushrooming, particularly in mission-critical and safety-critical devices.
The real question is how to get a realistic, accurate understanding of your threat landscape, so you can transform chaotic or haphazard security measures into structured, cost-efficient, effective security practices … and gain peace of mind.
In our recent webinar “5 Security Best Practices for Linux at the Intelligent Edge,” one of the hottest topics was understanding the threat landscape. To follow up, ask yourself these 6 questions to fully analyze and illuminate your threat landscape. And watch for our next post, which will describe the building blocks for effective CVE (Common Vulnerabilities and Exposures) prioritization and remediation.
1. What needs protection? Your threat landscape is the totality of the cyber events that can impact your embedded devices. In most cases for edge devices, the primary asset to protect is the data, whether it’s configuration data, calibration data, personally identifiable information (PII), or credentials such as usernames, passwords, cryptographic keys, and certificates. Protecting this data will help you protect the people and devices associated with it. You will also need to consider the protection requirements of the environment in which the device operates, including everything that touches the end device and its operation.
2. What types of threats and vulnerabilities exist? The next step is to identify the current threats to the assets that need protection. While threats have the potential to impact the assets through unauthorized access, destruction, disclosure, modification, and/or disruption, vulnerabilities are weaknesses in a component of the device that can be exploited by a threat. This graphic highlights some of the key CVE types that have been identified in recent years.
3. What risk is tolerable? You will need a clear understanding, from both an organizational and a customer perspective, of what happens if the identified data or assets are compromised. Factor in harm to the devices and the people who use them, the consequences of data loss, operational disruption, the possibility of a total failure of a critical device or system, damage to your company’s and your end customer’s reputation, and of course the financial impact in terms of penalties, compliance violations, and so on. Once you’ve itemized the risks you’re facing, you’ll know which risks to prioritize in your remediation efforts.
4. Which regulations apply? As part of the risk assessment process, it is important to specify which governing bodies have regulatory requirements for your devices and what the legal ramifications of those regulations are. This could include standards bodies, government agencies, security watchdogs, corporate IT, and more.
5. What is the right response? Let’s be frank. Cybersecurity events are going to occur, regardless of the precautions you take. The hard question is how you will respond. Will you be proactive and develop detailed playbooks for handling an event? Or will you adopt just-in-time policies and procedures? Will you continuously update and refresh your response tactics? Or will your approach be chaotic and reactive?
6. Who should respond? An equally important consideration, given the explosion in the use of open source platforms and technologies, is who will be involved in the response to a cybersecurity event. Your in-house team? The open source community? Contractors? Hardware vendors? Software vendors? Will you need to coordinate with regulatory agencies? Your answer to this question will have a huge impact on the speed, efficacy, and potentially the cost of the security measures you put in place.
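Questions 1 through 3 are easier to answer once the device’s package inventory, the assets each package touches, and the known vulnerability records are put side by side. The following script is an added example, not code from the original post or from Wind River’s CVE scanner. Everything in it is constructed for illustration: the package versions, the vulnerability identifiers (EXAMPLE-nnnn rather than real CVE IDs), the affected version ranges and scores are all invented, and the version comparison is a simplified dotted/alphanumeric ordering rather than a distro’s dpkg or rpm algorithm (epochs and release suffixes are not handled).

```python
"""Match a device's package inventory against vulnerability records and rank
the hits by the criticality of the asset each package protects.

All data below is constructed for illustration. The identifiers EXAMPLE-nnnn
are placeholders, not real CVE IDs, and the version comparison is a simplified
ordering, not a distribution's dpkg/rpm comparison (no epochs, no release tags).
"""
import re
from typing import Optional

# Constructed inventory of one edge device: package -> installed version,
# the asset (question 1) the package touches, and that asset's criticality (1..5).
INVENTORY = {
    "openssl":  {"version": "1.1.1k",  "asset": "TLS keys and certificates",  "criticality": 5},
    "busybox":  {"version": "1.33.1",  "asset": "system utilities",           "criticality": 3},
    "dropbear": {"version": "2020.81", "asset": "remote admin credentials",   "criticality": 5},
    "zlib":     {"version": "1.2.12",  "asset": "configuration file parsing", "criticality": 2},
}

# Constructed vulnerability records (question 2): affected when
# introduced <= installed < fixed; fixed=None means no fix has shipped yet.
VULNS = [
    {"id": "EXAMPLE-0001", "package": "openssl",  "introduced": "1.1.1",   "fixed": "1.1.1l",  "cvss": 7.5},
    {"id": "EXAMPLE-0002", "package": "busybox",  "introduced": "1.30.0",  "fixed": "1.34.0",  "cvss": 5.3},
    {"id": "EXAMPLE-0003", "package": "dropbear", "introduced": "2019.78", "fixed": "2020.79", "cvss": 9.8},
    {"id": "EXAMPLE-0004", "package": "zlib",     "introduced": "1.2.0",   "fixed": "1.2.12",  "cvss": 8.2},
]


def parse_version(v: str) -> tuple:
    """Split '1.1.1k' into ((0,1),(0,1),(0,1),(1,'k')): numeric parts compare
    numerically, letter suffixes lexically, and a shorter tuple sorts first,
    so 1.1.1 < 1.1.1k < 1.1.1l."""
    parts = []
    for tok in re.findall(r"\d+|[A-Za-z]+", v):
        parts.append((0, int(tok)) if tok.isdigit() else (1, tok))
    return tuple(parts)


def is_affected(installed: str, introduced: str, fixed: Optional[str]) -> bool:
    """True when introduced <= installed < fixed (or installed >= introduced with no fix)."""
    inst = parse_version(installed)
    if inst < parse_version(introduced):
        return False
    return fixed is None or inst < parse_version(fixed)


def risk_score(cvss: float, criticality: int) -> float:
    """Crude, illustrative ranking (question 3): severity weighted by asset criticality."""
    return round(cvss * criticality, 1)


def find_exposures(inventory=INVENTORY, vulns=VULNS) -> list:
    """Return the vulnerability records that apply to this device, highest risk first."""
    hits = []
    for vuln in vulns:
        pkg = inventory.get(vuln["package"])
        if pkg is None:
            continue  # package not on this device: not part of its threat landscape
        if not is_affected(pkg["version"], vuln["introduced"], vuln["fixed"]):
            continue  # device already carries the fixed version (or predates the bug)
        hits.append({
            "id": vuln["id"], "package": vuln["package"], "version": pkg["version"],
            "asset": pkg["asset"], "cvss": vuln["cvss"],
            "score": risk_score(vuln["cvss"], pkg["criticality"]),
        })
    return sorted(hits, key=lambda h: h["score"], reverse=True)


if __name__ == "__main__":
    for h in find_exposures():
        print(f'{h["score"]:5.1f}  {h["id"]}  {h["package"]} {h["version"]}  ({h["asset"]})')
```

With the constructed data, only the openssl and busybox entries are reported: the dropbear and zlib records are filtered out because the installed versions are at or past the fixed version. The point of the asset column is that a medium-severity finding on a package guarding keys or credentials can outrank a higher-severity finding on a package that touches nothing sensitive, which is the weighting question 3 asks you to decide for your own devices. Before relying on any such comparison in production, replace `parse_version` with the version ordering of the package manager you actually ship.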
Understanding your threat landscape is just the first step in developing an efficient, cost-effective, and successful security strategy for embedded devices.
Don’t know where to start? Don’t worry. Wind River® offers a low-cost Security Assessment service that can help you find solutions for all your security needs.
In the next post of this blog series, we’ll offer concrete suggestions for how to prioritize remediation of the CVEs you identify. Then we’ll take a look at the value of bringing a full lifecycle approach to securing your critical Linux devices.
So stay tuned. And in the meantime, take a look at our Wind River Studio Linux Services portfolio. We can help you resolve your cybersecurity issues, lower your technical debt, and shift your focus from worrying about risks to innovating for customers. Also, be sure to try our purpose-built Linux CVE scanner at no cost. For a more in-depth discussion, you can also contact us here.