Study Guide: CompTIA Security SY0-601 Exam: A Simple Guide To Embedded and Specialized Systems
Source: https://www.fatskills.com/comptia-security-certification/chapter/comptia-security-sy0-601-exam-a-simple-guide-to-embedded-and-specialized-systems

By Fatskills Exam Guides Team — the exam nerds behind 28,500+ quizzes and 2.1M practice questions across 500+ global exams.

Objective: Explain the security implications of embedded and specialized systems.

Topics:
- embedded system
- field-programmable gate array (FPGA)
- supervisory control and data acquisition (SCADA)
- industrial control system (ICS)
- Internet of Things (IoT)
- heating, ventilation, air conditioning (HVAC)
- multifunction printer (MFP)
- real-time operating system (RTOS)
- system on chip (SoC)

Embedded Systems
Embedded systems that are used to capture, store, and access data of a sensitive nature pose some unique and interesting security challenges. Embedded systems are found in printers, smart TVs, and HVAC control systems, among other devices.

Security protocols and encryption address security considerations from a functional perspective, but most embedded systems are constrained by the environments in which they operate and the resources they use. Attacks against embedded systems rely on exploiting security vulnerabilities in the software and hardware components of the implementation, and embedded systems are also susceptible to timing and side-channel attacks. Nonvolatile memory chips are found in many hardware devices, including TV tuners, fax machines, cameras, radios, antilock brakes, keyless entry systems, printers and copiers, modems, HVAC controls, satellite receivers, barcode readers, point-of-sale terminals, medical devices, smart cards, lockboxes, and garage door openers. The best protections for maintaining embedded device security include requiring software and hardware vendors to provide evidence that the software has no security weaknesses, performing remote attestation to verify that firmware has not been modified, and maintaining secure configuration management processes when servicing field devices or updating firmware. In addition, organizations must provide proper security oversight and monitor the contractors and vendors that perform work on installed systems.
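Remote attestation of firmware works as a challenge-response exchange between a field device and a verifier. The following is an added example, not code from the original guide; the Device and Verifier classes, the shared HMAC key, the result strings and the sample firmware bytes are assumptions made for illustration.

```python
import hashlib
import hmac
import os

# Constructed firmware images; real ones would be read from the device's flash.
GOLDEN_FIRMWARE = b"hvac-controller build (constructed sample image)"
TAMPERED_FIRMWARE = GOLDEN_FIRMWARE + b"\x90\x90 injected block"


def measure(firmware: bytes) -> bytes:
    """Measurement = SHA-256 digest of the firmware image."""
    return hashlib.sha256(firmware).digest()


class Device:
    """Field device. Assumption: the key and the measuring code live in a
    hardware root of trust that modified firmware cannot alter."""

    def __init__(self, attestation_key: bytes, firmware: bytes):
        self._key = attestation_key
        self.firmware = firmware

    def attest(self, nonce: bytes):
        m = measure(self.firmware)
        # The quote binds the measurement to the verifier's fresh nonce.
        quote = hmac.new(self._key, nonce + m, hashlib.sha256).digest()
        return m, quote


class Verifier:
    """Management server holding the device key and the approved measurements."""

    def __init__(self, attestation_key: bytes, approved: set):
        self._key = attestation_key
        self._approved = approved
        self._outstanding = set()

    def challenge(self) -> bytes:
        nonce = os.urandom(16)
        self._outstanding.add(nonce)
        return nonce

    def verify(self, nonce: bytes, measurement: bytes, quote: bytes) -> str:
        if nonce not in self._outstanding:
            return "stale-nonce"
        self._outstanding.discard(nonce)  # each challenge is valid once
        expected = hmac.new(self._key, nonce + measurement, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, quote):
            return "bad-quote"
        if measurement not in self._approved:
            return "firmware-modified"
        return "trusted"


def demo() -> dict:
    key = os.urandom(32)
    verifier = Verifier(key, {measure(GOLDEN_FIRMWARE)})
    clean = Device(key, GOLDEN_FIRMWARE)
    modified = Device(key, TAMPERED_FIRMWARE)
    results = {}

    n1 = verifier.challenge()
    m1, q1 = clean.attest(n1)
    results["clean"] = verifier.verify(n1, m1, q1)

    n2 = verifier.challenge()
    results["tampered"] = verifier.verify(n2, *modified.attest(n2))

    n3 = verifier.challenge()
    results["replayed"] = verifier.verify(n3, m1, q1)      # old answer, new challenge
    results["reused-nonce"] = verifier.verify(n1, m1, q1)  # challenge already consumed
    return results


if __name__ == "__main__":
    print(demo())
```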

SoC and RTOS
System on chip (SoC) technology is basically a hardware module in a small form factor. SoC devices have good processing power, and the small footprint makes this technology ideal for reduced power consumption, lower cost, and better performance than are available with larger components. Some examples of developing technologies that take advantage of this are nanorobots, video devices for the visually impaired, and wireless antennas.
SoC involves integration between a microcontroller, an application or microprocessor, and peripherals. The peripherals could be a graphics processing unit (GPU), a Wi-Fi module, or a coprocessor. The processor is usually powerful enough to run an OS such as Windows, Linux, or Android. Intel’s Curie module is about the size of a shirt button and contains all the components required to provide power for wearable devices.
A real-time operating system (RTOS) is a small operating system used in embedded systems and IoT applications that are typically run in a SoC environment. The primary purpose of an RTOS is to allow the rapid switching of tasks, with a focus on timing instead of throughput. An RTOS allows applications to run with precise timing and high reliability. RTOS technology is used in microcontrollers and implemented in wearable and medical devices and in in-vehicle systems and home automation devices.

Vulnerabilities associated with RTOS include the following:
- Exploitation of shared memory
- Priority inversion
- Interprocess communication (IPC) attacks
- Code injection
- DoS attacks
SoC designs integrate intellectual property (IP) blocks, which are often acquired from untrusted third-party vendors. Although the design of a SoC requires a security architecture, that architecture relies on third-party vendors, and there is little standardization of it in the design. An IP block that contains a security vulnerability can make an entire SoC untrustworthy, and the lack of standardization allows for actions such as device jailbreaking and DRM overriding.

A SoC design can be made more secure in several ways:
- The device should be shielded from electromagnetic interference at the maximum level.
- Sensitive data should not be stored in the register or cache after processing.
- A separate security verification tool should be used to check the design.

The level of security built into SoC devices should take into consideration how easily a known vulnerability can be exploited and the amount of damage that can occur if the security of the device is compromised.
SoCs can also be implemented using a field-programmable gate array (FPGA). An FPGA is an integrated circuit that can be programmed or modified in the field. This means it is possible to make changes even after the FPGA has been deployed.
Working with or prototyping embedded systems today is incredibly simple and inexpensive, thanks to recent innovations such as the Arduino and Raspberry Pi. These low-priced, single-board computers are great for teaching, hobbies, and prototyping. The Raspberry Pi contains a Broadcom SoC complete with integrated peripherals and an integrated CPU and GPU. These types of systems are now available with onboard FPGAs, combining the board’s ease of use with reprogrammable chips.

SCADA and ICS
An organization might be able to exert better control over the management of security risks in environments that are considered static or less fluid than a cloud or virtualized environment. Environments such as SCADA systems, some embedded systems, and mainframe systems are considered static because the technology behind them has been around for a long time. Thanks to business needs and vendor access, many of these systems that previously were on their own secure networks have become targets because they are connected to the Internet.

Supervisory control and data acquisition (SCADA) systems and industrial control systems (ICSs) include critical infrastructure systems across a number of sectors, such as infrastructure, facilities, industrial, logistics, and energy. Some common relatable examples include automation, monitoring, and control of the following:
- Electrical, nuclear, and other power generation, transmission, and distribution
- Just-in-time manufacturing and robotics
- Water distribution, water and wastewater treatment centers, reservoirs, and pipes
- Mass transit systems such as trains, subways, and buses, as well as traffic lights and traffic flow
- Airports, shipping, and space stations

SCADA is a subset of ICS. An ICS is managed via a SCADA system that provides a human–machine interface (HMI) for operators to monitor the status of a system. Other ICSs include industrial automation and control systems (IACSs), distributed control systems (DCSs), programmable logic controllers (PLCs), and remote terminal units (RTUs).
A targeted terrorist attack against an ICS poses a threat to the infrastructure. Ideally, two separate security and IT groups should manage the network infrastructure and the ICS or SCADA network. Because ICS security requirements differ, IT architects and managers who do not have previous experience on this type of system need to be trained specifically in ICS security and must be familiar with guidance documents. Otherwise, the stronger security controls required for an ICS might be inadvertently missed, putting both the organization and the community at increased risk. In addressing SCADA security concerns, one of the first lines of defense against attacks is to implement physical segregation of internal and external networks to reduce the attack surface by segregating the SCADA network from the corporate LAN. The SCADA LAN can be further segregated from the field device network containing the RTUs and PLCs by establishing an electronic security perimeter.
Guidance for proper security and established best practices for SCADA systems is available in ISA99: Industrial Automation and Control Systems Security, North American Electric Reliability Corporation (NERC): Critical Infrastructure Protection (CIP), and NIST Special Publication 800-82: Guide to Industrial Control Systems (ICS) Security.
A key control against attacks on SCADA systems is to implement physical segregation of internal and external networks to reduce the attack surface by segregating the SCADA network from the corporate LAN.
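The zone separation described above can be checked against observed traffic. The following added example (not part of the original guide) classifies constructed flow records by zone and reports flows that cross the corporate, SCADA and field-device boundaries; the address ranges, the single permitted Modbus/TCP conduit and the severity labels are assumptions.

```python
import ipaddress

# Constructed address plan for the three zones named in the text.
ZONES = {
    "corporate": ipaddress.ip_network("10.10.0.0/16"),
    "scada": ipaddress.ip_network("10.20.0.0/24"),
    "field": ipaddress.ip_network("10.30.0.0/24"),  # RTUs and PLCs
}

# Assumed policy: the only conduit through the electronic security perimeter
# is SCADA servers polling field devices over Modbus/TCP (port 502).
# Corporate <-> SCADA has no conduit at all (physically segregated).
ALLOWED_CONDUITS = {("scada", "field", 502)}

SEVERITY_ORDER = {"critical": 0, "high": 1, "medium": 2}

# Constructed flow records: (source IP, destination IP, destination port).
FLOWS = [
    ("10.20.0.5", "10.30.0.21", 502),     # SCADA server polling a PLC
    ("10.10.4.77", "10.20.0.5", 3389),    # corporate desktop into SCADA LAN
    ("10.20.0.5", "10.20.0.9", 5432),     # traffic inside the SCADA LAN
    ("203.0.113.50", "10.30.0.21", 502),  # Internet host reaching a PLC
    ("10.30.0.21", "10.10.4.77", 445),    # field device reaching corporate
    ("10.20.0.5", "10.30.0.22", 23),      # SCADA to field on a non-approved port
    ("10.10.4.77", "198.51.100.9", 443),  # ordinary corporate web traffic
]


def zone_of(addr: str) -> str:
    ip = ipaddress.ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "external"


def classify(src_zone: str, dst_zone: str) -> str:
    pair = {src_zone, dst_zone}
    if "field" in pair and "scada" not in pair:
        return "critical"  # field devices talking past the security perimeter
    if "external" in pair or pair == {"corporate", "scada"}:
        return "high"      # SCADA LAN is not segregated from other networks
    return "medium"        # SCADA <-> field outside the approved conduit


def audit(flows):
    """Return (severity, boundary, flow) for every flow that breaks the policy."""
    violations = []
    for src, dst, port in flows:
        sz, dz = zone_of(src), zone_of(dst)
        # Ignore intra-zone traffic and traffic that touches neither OT zone.
        if sz == dz or not ({sz, dz} & {"scada", "field"}):
            continue
        if (sz, dz, port) in ALLOWED_CONDUITS:
            continue
        violations.append((classify(sz, dz), f"{sz}->{dz}", f"{src}->{dst}:{port}"))
    return sorted(violations, key=lambda v: SEVERITY_ORDER[v[0]])


if __name__ == "__main__":
    for severity, boundary, flow in audit(FLOWS):
        print(f"{severity:8} {boundary:18} {flow}")
```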

Smart Devices and IoT
Thanks to the Internet of Things (IoT), your smartphone can control household devices, and your voice can instruct devices to find information or perform certain functions. The IoT enables embedded system devices or components to interact with physical devices for the collection and exchange of data. While manufacturers continue to improve the built-in security of IoT devices, you need to be aware that some of them lack security controls or are configured with weak default settings.
The previous edition of this book said that Gartner predicted that 8.4 billion IoT devices would be connected in 2017, increasing to 25 billion by 2020. These numbers are about right, given the average estimates today, and the numbers are expected to grow!
Wearable technology has been around since the 1980s in the form of wearable heart rate monitors for athletes. The Fitbit debuted in 2011, and wearable technology came to the forefront with the release of the Apple Watch in 2015. Since then, other manufacturers have released devices such as smartwatches, wearable GPS trackers for pets, and the body-mounted cameras that many police departments now require.

Device manufacturers are being pushed to strengthen user data protection and implement security in designs in order to secure wearable technology. For organizations that use wearable technology in their everyday business, many devices can be controlled through policy. For example, organizations that use wearables to capture video and audio can create an acceptable use policy outlining parameters for use. Policy enforcement controls should also be put in place. Other areas of concern related to wearable devices include the following:
- Bluetooth and Wi-Fi communication between wearable devices and smartphones
- Sale of sensitive information tracked by wearable devices
- Wearable device information stored in a public cloud

Organizations can restrict wearable device capabilities by disabling certain features through mobile device management (MDM) and restricting locations where wearable technology is allowed through geofencing.
Home automation is a rapidly growing field. The first widely used home automation device was the Roomba robot vacuum, which can be scheduled to automatically start whether or not the owner is near. One of the most popular home automation devices is the Amazon Echo. The Echo technically is a Bluetooth speaker, but it uses a digital assistant that can perform a variety of functions. This technology has even found its way into court cases. For example, recently Amazon handed over data from an Echo pertaining to a 2015 murder case.
Other home automation devices include smart thermostats, smart lighting, and smart locks. Interestingly, many of the home automation devices involve kitchen appliances such as refrigerators, coffee makers, garbage cans, and slow cookers. Smart forks can even track what you eat.
Home automation devices need to be protected. If an attacker can compromise your smart lock, house entry is possible without lock picking. Even without the inherent dangers of compromise, an unsecured device could be taken over with malware and used to participate in DDoS attacks. In addition, consider that the IoT goes well beyond the consumer. There are now commercial, industrial, infrastructure, and military IoT applications.
An easy way to tell whether any home automation devices are susceptible to public attack is to use an Internet of Things scanner.
Several IoT scanners are available. The most widely used is Shodan, which is basically a search engine that looks for publicly accessible devices. It’s critical to understand the communication methods, which may be short range, medium range, or long range. Examples include cellular (for example, 4G, 5G), radio, and Zigbee. Zigbee is a set of wireless protocols for wireless personal area networks (WPANs).

Consider these tips for securing such devices and, especially, home IoT devices:
- Secure the wireless network.
- Know what devices are communicating on the network and what they do.
- Install security software on devices that offer that option.
- Secure the smartphones and mobile apps that communicate with IoT devices.

Heating, Ventilation, Air Conditioning (HVAC)
Heating, ventilation, air conditioning (HVAC) devices use embedded systems to efficiently run environmental systems and reduce wasted energy. These devices switch on only when necessary through the control of individual circuits. Circuits are switched off when no guests, visitors, or employees are present.
In a large-scale system, an embedded system controls work through PC-based SoC boxes located near the HVAC elements they control. The boxes are usually rugged enough to function reliably in extreme-temperature locations and have extensive communication capabilities.
Some HVAC monitoring software is not well updated or runs on older vulnerable versions of software. In addition, organizations often connect their HVAC equipment to the rest of their network, which leaves the network vulnerable.
The Target intrusion case is a great example. The initial intrusion into Target’s systems was traced back to network credentials that were stolen from a third-party vendor. Target had given the HVAC subcontractor remote access to perform energy-consumption monitoring for regulating store temperatures.

Multifunction Devices
Most organizations have a multitude of printers and multifunction devices (MFDs) connected to their networks. These devices are just as susceptible to attacks as the PCs and devices that send print jobs to them, but they are often overlooked when it comes to security and employee security awareness training. The following security issues arise from use of printers and MFDs:
- Improper IP addressing
- Unsecured wireless printers
- Unattended sensitive information printouts
- Unpatched OSs
- Unnecessary services running
- Exclusion from data destruction policies
- Unchanged default logins and passwords

Enterprise printers and MFDs need to be included in security policies and protected just like any other network devices. Often security tools neglect to block access from a printer running old, vulnerable firmware. In addition to addressing the listed vulnerabilities, an organization should use encrypted connections for printing and accessing administrative control panels. If the budget allows, an organization should replace outdated models that have known vulnerabilities with newer models that provide better security options.
Embedded applications such as Follow Me Print extend single sign-on capabilities to allow users to log in to MFDs with their network password and print to virtually any printer. The embedded enabled MFD integrates with the directory services of all major OS vendors. The embedded copier interface, for example, allows users to immediately see the cost of print jobs.
Organizations must realize that an MFD is a computer that has storage, runs an embedded operating system, and provides network services. These devices are subject to the same attacks as other network devices and embedded systems, including information leakage and buffer overflows.

Protections for these devices include the following:
- Proper access control to the device and functions
- Inclusion of printers and MFDs in security planning and policies
- Implementation of protections for data in transit/motion and data at rest

Surveillance Systems
The use of camera surveillance systems has grown significantly in the past few years. The current market for smart cameras and camera systems is expected to grow rapidly. These systems will be used more and more for video surveillance, traffic monitoring, human interaction, and industrial automation.
Camera systems use smart cameras, which are basically video cameras that use embedded systems. Camera systems can contain embedded lighting, lenses, sensors, and processors.
Because these systems collect, store, and transmit data, they require the same security considerations as any other devices that hold sensitive data.

Noted camera system vulnerabilities include the following:
- Buffer overflows
- Disconnection of the camera from the Wi-Fi network
- Backdoors that allow Telnet or SSH to be remotely enabled

Vulnerabilities can be exploited through hard-coded weak default credentials or default usernames and passwords that have not been changed. In addition, the camera firmware and software should be regularly updated, just as in any other networked device.

Special-Purpose Devices
The embedded systems discussed so far work in a variety of industries. A special-purpose embedded system is devised for one industry in particular. The architecture is often based on a single-purpose processor and is designed to execute exactly one program. Special-purpose embedded devices are common in the medical, automotive, and aviation fields.

Medical Devices
Perhaps one of the fastest-growing IoT implementation industries is the healthcare sector.
Medical devices have the capability for wireless connectivity, remote monitoring, and near-field communication (NFC). Medical advancements have enabled hospitals to deploy more IoT devices. One such advancement uses a neural–machine interface (NMI) for artificial legs that can decode an amputee’s intended movement in real time. The attacker community has also taken notice, and more incidents in recent years have taken place in the healthcare sector than in the financial sector.
In 2013, concerns arose that Vice President Dick Cheney’s pacemaker could be hacked, causing his death. In another instance, Johnson & Johnson publicly released a warning in 2016 to diabetic patients about an insulin pump security vulnerability. Shortly afterward, a team of researchers found several potentially fatal security flaws in various medical implants and defibrillators.
Vulnerabilities in embedded medical devices present not only patient safety issues but also the risk of lateral movement within the network, which allows the attacker to move progressively through the network in search of a target.
If an attacker were able to exploit a vulnerability in a medical device and laterally move within the network, sensitive medical records could be at risk. According to industry professionals, U.S. hospitals currently average 10 to 15 connected devices per bed, amounting to 10 million to 15 million medical devices. A recent quick Internet search using Shodan revealed more than 36,000 publicly discoverable healthcare-related devices in the United States.

Government regulators such as the Food and Drug Administration (FDA) have responded to recent incidents with a fact sheet on cybersecurity. They offer the following recommendations for the mitigation and management of cybersecurity threats to medical devices:
- Medical device manufacturers and healthcare facilities should apply appropriate device safeguards and risk mitigation.
- Hospitals and healthcare facilities should evaluate network security and protect their hospital systems.
Like all other embedded devices, medical devices require security and updates. Because this area relies on third-party components that could be vulnerable, robust security protections must be implemented from the start.

Vehicles
Automobile in-vehicle computing systems have in the past been inaccessible to attackers. But the landscape is changing, thanks to the integration of wireless networks such as Global System for Mobile Communications (GSM) and Bluetooth into automobiles. Even parking meters have been upgraded, and connected smart meters may soon be able to communicate directly with vehicles. Current in-vehicle systems are capable of producing and storing data necessary for vehicle operation and maintenance, safety protection, and emergency contact transmission. An in-vehicle system typically has a wireless interface that connects to the Internet and an on-board diagnostics interface for physical access. Many vehicles have data recorders that record vehicle speed, location, and braking maneuvers. Many insurance companies make use of such systems to offer discounts for safe driving. A device inserted into the on-board diagnostics (OBD) port of the vehicle sends the collected data to the insurance company for analysis.
All communication between controllers is done in plaintext. Because in-vehicle communications do not follow basic security practices, risks include unauthorized tracking, wireless jamming, and spoofing. A lot has been published regarding the capability to override a vehicle’s controller area network (CAN) bus communications. For example, researchers Charlie Miller and Chris Valasek remotely connected to a Jeep Cherokee and were able to disable both the transmission and the brakes.
Risk mitigation recommendations include secure system software design practices, basic encryption, authentication of incoming data, and implementation of a firewall on the wireless gateway.
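Authentication of incoming data on a bus whose frames are otherwise plaintext can be done by appending a truncated MAC and a freshness counter to each frame, so that spoofed and replayed frames are dropped by the receiving controller. The following is an added example, not from the original guide; the 4+1+3 byte frame layout, HMAC-SHA-256 as the MAC, the key and the arbitration ID 0x1A0 are assumptions chosen to fit a classic 8-byte CAN payload.

```python
import hashlib
import hmac
import struct

DATA_LEN = 4  # signal bytes
TAG_LEN = 3   # truncated MAC bytes; 4 data + 1 counter + 3 tag = 8-byte payload


def _tag(key: bytes, can_id: int, data: bytes, counter: int) -> bytes:
    # The MAC covers the arbitration ID, the full 32-bit counter and the data.
    msg = struct.pack(">HI", can_id, counter) + data
    return hmac.new(key, msg, hashlib.sha256).digest()[:TAG_LEN]


class Sender:
    def __init__(self, key: bytes, can_id: int):
        self.key, self.can_id, self.counter = key, can_id, 0

    def frame(self, data: bytes) -> bytes:
        if len(data) != DATA_LEN:
            raise ValueError("data must be 4 bytes")
        self.counter += 1
        tag = _tag(self.key, self.can_id, data, self.counter)
        # Only the low counter byte travels on the bus.
        return data + bytes([self.counter & 0xFF]) + tag


class Receiver:
    def __init__(self, key: bytes, can_id: int):
        self.key, self.can_id, self.last = key, can_id, 0

    def accept(self, can_id: int, payload: bytes) -> bool:
        if can_id != self.can_id or len(payload) != DATA_LEN + 1 + TAG_LEN:
            return False
        data, low, tag = payload[:DATA_LEN], payload[DATA_LEN], payload[DATA_LEN + 1:]
        # Rebuild the full counter: the smallest value above the last accepted
        # one whose low byte matches. A replayed frame therefore maps to a
        # counter it was never signed for.
        counter = (self.last & ~0xFF) | low
        if counter <= self.last:
            counter += 0x100
        if not hmac.compare_digest(_tag(self.key, can_id, data, counter), tag):
            return False
        self.last = counter
        return True


def demo() -> dict:
    key = bytes(range(32))  # constructed key; provisioned per controller pair in practice
    brake_id = 0x1A0        # constructed arbitration ID
    tx, rx = Sender(key, brake_id), Receiver(key, brake_id)
    results = {}

    f1 = tx.frame(b"\x00\x00\x00\x10")
    results["genuine"] = rx.accept(brake_id, f1)
    results["replayed"] = rx.accept(brake_id, f1)
    # Spoofed frame: different data, counter and tag copied from a real frame.
    results["spoofed"] = rx.accept(brake_id, b"\xff\xff\xff\xff" + f1[DATA_LEN:])

    tx.frame(b"\x00\x00\x00\x11")  # frames 2 and 3 never reach the receiver
    tx.frame(b"\x00\x00\x00\x12")
    results["after_loss"] = rx.accept(brake_id, tx.frame(b"\x00\x00\x00\x13"))
    results["wrong_id"] = rx.accept(0x1A1, tx.frame(b"\x00\x00\x00\x14"))
    return results


if __name__ == "__main__":
    print(demo())
```

The 24-bit tag is what an 8-byte payload leaves room for once data and counter are included, which is the kind of cryptographic trade-off the Resource Constraints section describes.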

Aircraft and UAV
An aircraft has many embedded control systems, ranging from the flight control system to the galley microwave. A highly publicized article in 2016 highlighted a security researcher who used a flaw in an in-flight entertainment system to access a plane’s controls. (Aviation experts asserted that this was technically impossible because the design isolates the infotainment system from the other systems performing critical functions.) Another vulnerability found in aviation control equipment is the use of hard-coded logon credentials that grant access to a plane’s communications system using a single username and password. Other security issues are similar to those of medical embedded systems: use of undocumented or insecure protocols, weak credential protections, and the use of backdoors.
The technology associated with unmanned aerial vehicles (UAVs), or drones, has been widely used in military, agriculture, and cartography applications, among others. Drones are most often used for aerial photography, surveillance, and surveying. They have become mainstream and now are being used for delivery services such as Amazon. The first drone service delivery occurred in New Zealand in 2016, with a Domino’s pizza. The Federal Aviation Administration (FAA) manages rules for drone delivery and other advanced drone operations. This includes a certification process for package delivery via drone.
Drones are subject to many of the same vulnerabilities as other embedded systems and lack strong security. They are susceptible to hijacking, Wi-Fi attacks, GPS spoofing attacks, jamming, and deauthentication attacks. These attacks can allow an attacker to intercept or disable a drone and access its data.

Resource Constraints
Security systems often require trade-offs. Already we’ve seen instances in which IoT devices couldn’t be upgraded or even patched after a vulnerability was discovered. Many systems have poor authentication, and only recently are we starting to see widespread use of strong two-factor authentication for such devices. Because of the black-box nature of many of these devices, a level of implied trust is necessary. Whereas large organizations have governance and programs in place to verify security controls with vendors, for consumers, this can be difficult to verify. Other constraints include network, compute, power, and cryptographic capabilities. Cryptography, for example, carries a cost that needs to be considered along with other factors, particularly with devices containing limited resources.
Embedded and specialized systems are particularly subject to resource constraints. First, consumers of such systems often need to accept a level of implied trust. Further, these systems must deal with limited resources that may affect power, compute, networking, cryptography, and authentication, as well as the inability to fix vulnerabilities.
Particularly with the advent of the IoT, an increasing number of smart objects now require low power, including devices using radio-frequency tags. These devices have the same security demands as other systems, but those demands are at odds with strong cryptography, which usually requires significant amounts of resources. Or consider embedded cryptography, such as chips with integrated circuits on smart cards and credit cards. Essentially, these are tiny computers, capable of performing limited cryptographic functions. Research in these areas and the evolution of secure ciphers will continue to seek to sustain high levels of security while minimizing latency and meeting power and surface area requirements.

Quiz:

1. Which of the following are the most important constraints that need to be considered when implementing cryptography, particularly for embedded devices? (Select three.)
A. Security
B. Time
C. Performance
D. Power

2. Which of the following are associated with critical infrastructure systems where segmentation from public networks should be strongly considered? (Select two.)
A. SCADA
B. IoT
C. ICS
D. NIST

3. Your organization manufactures SoC technology. You have been tasked with ensuring secure design for these systems on chip. Which of the following suggestions are most appropriate? (Select two.)
A. Sensitive data should not be stored in the register after processing.
B. The device should be shielded from electromagnetic interference at the minimum level.
C. A separate security verification tool should be used to store sensitive data.
D. A separate security verification tool should be used to check the design.

4. Which of the following is a small operating system used in embedded systems and IoT applications that allows applications to run with precise timing and high reliability?
A. RTOS
B. FPGA
C. NERC
D. UAV

Answer 1: A, C, and D. With smaller and lower-power devices, trade-offs and resource constraints need to be considered when implementing cryptography. These constraints include, for example, security, performance, and power. As a result, answer B is incorrect.
Answer 2: A and C. Supervisory control and data acquisition (SCADA) systems and industrial control systems (ICSs) include critical infrastructure systems such as networks related to manufacturing, logistics and transportation, energy and utilities, telecommunication services, agriculture, and food production. Answer B is incorrect. Internet of Things (IoT) devices are connected to public networks. This does not necessarily mean they aren’t important, however, and IoT devices should be secured properly. Answer D is incorrect. The National Institute of Standards and Technology (NIST) publishes various papers, including guidance for protecting critical infrastructure.
Answer 3: A and D. System on chip (SoC) design should ensure that the device is shielded from electromagnetic interference (EMI) at the maximum level (not a minimum level); sensitive data should not be stored in the register or cache after processing; and a separate security verification tool should be used to check the design. Answers B and C are incorrect.
Answer 4: A. A real-time operating system (RTOS) is a small operating system used in embedded systems and IoT applications that allows applications to run with precise timing and high reliability. Answer B is incorrect because a field-programmable gate array (FPGA) is an integrated circuit that can be programmed or modified in the field. Answer C is incorrect because North American Electric Reliability Corporation (NERC) develops reliability standards that are overseen by the Federal Energy Regulatory Commission (FERC). Answer D is incorrect because a UAV is an unmanned aerial vehicle, such as a drone.