Security+: Security implications of embedded systems
The internet of things (IoT) is changing both how we live and how we do business. You can find embedded (or smart) devices everywhere, from the doctor’s office and the public transportation system to the agricultural supply channel and national defense systems. Various estimates put the number of connected devices at nearly 20 billion, which continues to grow.
Embedded systems — computer technology integrated into everyday devices to perform a specific function — present a unique set of challenges. On the CompTIA’s Security+ exam, candidates must demonstrate their knowledge of how embedded systems impact security.
Embedded systems have many of the same security challenges, but each type of system adds another layer of complexity and unique factors. For a long time, manufacturers didn’t pay much attention to the security of the embedded systems, partly because the security risks weren’t known. But even for newer devices, security is often an afterthought. A major driver of this trend is the fact that these devices are small, so adding security would reduce their functionality.
Become a SOC Analyst: get Security+ certified!
More than 47,000 new SOC analysts will be needed by 2030. Get your CompTIA Security+ to leap into this rapidly growing field — backed with an Exam Pass Guarantee.
Read on to learn more about the security implications of different embedded systems. For more information on the Security+ exam, download our free Security+ ebook or explore Infosec's Security+ Training Boot Camp.
SCADA and ICS systems
SCADA refers to supervisory control and data acquisition systems, which are used to manage industrial control systems (ICS). The use of ICS ranges from controlling manufacturing production to monitoring critical infrastructures such as power and water utilities.
Traditionally, ICS relied on passive defenses such as air gapping to separate them from the internet. Today, however, it’s hard to escape connectivity, and operations are also becoming interconnected. Industrial entities seek more efficient ways to control operations and use real-time data, deploying more internet-connected embedded systems.
Industrial control systems are typically designed to function for a long time — and many were designed before security came to the forefront. So, they’re vulnerable and not designed to be easily patched, if at all. Malicious actors who may be more likely to target ICS, on the other hand, are often state-sponsored, so they have more resources to exploit weaknesses than the average cybercriminal.
Smart devices
Smartwatches, fitness trackers, smart jewelry and garments — wearable technology can track and record every movement a person makes. When these devices get hacked, they can yield quite a bit of personal information.
From a consumer perspective, the biggest concern about wearables may be privacy. However, wearable technology is also becoming more common in the workplace as businesses adopt devices that monitor employees’ movements and performance. This kind of large-scale technology deployment continuously moving around and in and out of the physical premises poses new risks to the enterprise.
Smart devices used for home automation — anything from thermostats and security cameras to smart refrigerators — also have various privacy and security implications. One eye-opening example of how malicious actors can use connected home technology and other devices has been how they've been leveraged for distributed denial-of-service attacks that targeted popular services every year — sometimes leading to downtime, extortion attempts and other impacts for organizations.
HVAC
Once standalone units, HVAC (heating, ventilation and cooling) systems are now connected to the corporate network to automate building controls. In many cases, third-party vendors are also involved in the process, which adds another layer of risk.
The most famous example of this attack vector was the massive 2013 Target data breach, which started with the compromise of an HVAC vendor. While the vendor didn’t control the HVAC systems, the vendor was connected to Target’s billing and project management system, which gave malicious actors a foothold in Target’s network.
Connected medical devices
The golden era of medicine has ushered in a healthcare delivery model where patients can be monitored in real-time, patient records can be accessed instantly, and care can be delivered remotely. Much of this can be done with the help of embedded systems and medical devices such as insulin pumps, pacemakers and MRI machines.
Like ICS, many medical devices were manufactured before security became a concern, and updating their firmware or software must be done manually, if it can be done at all. Imagine the hundreds or thousands of these devices inside a hospital — many healthcare organizations don’t even have good systems in place to keep track of this inventory, let alone manage the security of products that are made by many different vendors, each with a different operating system.
In recent years, cybersecurity recommendations and standards around medical devices have been introduced to help reduce this risk.
Internet-connected vehicles
Even the cars we drive are essentially computers on wheels —dozens and dozens of tiny computers on wheels. Electronic control units are embedded with microprocessors that control critical functions like braking and navigation, and now many cars come equipped with internet connections as well.
Like any other code, software that runs vehicles can be hacked. As more vehicles have connected parts, researchers continue to find ways to exploit those connections. For example, in September 2024, Wired reported how a single website bug allowed researchers to track millions of cars, unlock doors and start engines.
Defending embedded systems
These are just a few examples of the challenges facing embedded systems and internet-connected devices that cybersecurity professionals face. The implications of this IoT explosion are tremendous because the focus is no longer only on the network or perimeter. Embedded devices expand the attack surface and require a shift in the security strategy.
Some of the strategies used to mitigate the risks include:
- Network segmentation: partitioning the network into secured network zones so IoT endpoints can be assigned specific communication policies and privileges
- Secure password practices: ensuring default passwords are changed and password best practices are applied
- Web application firewalls (WAF): incorporating WAF solutions to prevent web-based attacks and protect HTTP (web protocol) connections
- Firmware updates: having a process in place for automated updates as well as periodically checking the manufacturers’ websites
Understanding these risks are key for many different cybersecurity roles, which is why it's an important concept covered on the Security+ exam.
For more on the Security+ certification, view our Security+ certification hub.