Why you Need Embedded Security
In today's interconnected world, the security of your embedded systems is not just an option, it's a necessity. Protecting your customers, safeguarding your intellectual property, and ensuring compliance with global regulations are critical to maintaining your business's reputation and success. Ignoring these aspects can lead to severe consequences, from financial losses to irreparable damage to your brand.
In our last article we discussed Who needs Embedded Security; now let's discuss Why you need it.
Security is often only considered when something has happened to cause malicious harm to our daily lives and we want to stop it from happening again. It’s often categorized as an extra expense – "we can probably manage without it, so let’s not bother until something happens".
Well, it's time to start taking the security of your connected product seriously. Year on year, the world is seeing huge increases in cyber-attacks on IoT products. A quote from Statista states, “the number of Internet of Things (IoT) cyber-attacks worldwide amounted to over 112 million in 2022. Over the recent years, this figure has increased significantly from around 32 million detected cases in 2018”. While it can be difficult to get an exact view of these attacks, the trend upwards is so significant that any embedded device manufacturer that is connecting their products to the Internet or network has to consider this a significant threat to their business.
Most businesses would consider their customers as a very important asset. When a customer buys a product, it’s probably fair to say they are expecting it to be safe in every aspect. From a product safety perspective, you’ve most probably gone through rigorous tests for its electrical and functional safety, but is it resilient to attack from the network that it’s connected to? How is it going to affect your brand reputation if an IoT hacker has managed to access your customer's local network, stolen valuable private details, and even potentially caused malicious harm by accessing and manipulating your product's software/firmware?
The answer to the above is that this kind of damage is extremely expensive to your company. For the sake of implementing what are becoming standard practices in embedded security, is it worth taking the risk?
In today's interconnected world, the security of your supply chain is just as critical as the security of your end products. A compromised supply chain can introduce vulnerabilities at any stage of the product lifecycle, from design and manufacturing to distribution and deployment. Malicious actors can exploit these vulnerabilities to insert harmful components or tampered firmware, jeopardizing the integrity and functionality of your products before they even go on the market and reach your end-users.
Securing the supply chain involves rigorous vetting of suppliers, implementing stringent security protocols, and ensuring that all components and firmware are authenticated and verified. By doing so, you can prevent unauthorized modifications and ensure that only trusted, secure components are used in your products. This not only protects your intellectual property but also builds trust with your manufacturing partners and customers.
Securing your supply chain helps you maintain compliance with regulatory standards, which increasingly mandate 'robust security measures' across all stages of product development and distribution. Investing in supply chain security is not just about protecting your products; it's about safeguarding your entire business ecosystem, ensuring long-term resilience, and maintaining a competitive edge in the market.
Embedded security can ensure the authenticity and integrity of components and firmware throughout the supply chain. By implementing cryptographic techniques such as digital signatures and certificates, manufacturers can verify that each component and firmware update comes from a trusted source. This prevents unauthorized modifications and ensures that only genuine, unaltered components are used in the final product.
This is the scary part and something all connected device producers should be aware of.
The IP of your product has most likely taken thousands of man-hours to develop and is a key driver in your company's success. Perhaps you've taken great care in protecting your IP before it leaves your company's premises, but what happens once it leaves your protected area?
During the manufacturing stage, conceivably hundreds of people could get access to the bare bones of your IP. If you have an unprotected firmware image, anyone could steal it and then reverse engineer it. Unfortunately, we all know this is a business in its own right in many high-volume manufacturing areas.
While your product is on the market, it’s open for any malicious actor to gain access to it. If the correct protection isn’t in place, firmware can be accessed through special tools designed to break into your firmware and steal it. This can go as far as dismantling a semiconductor device and using probes to access data stored within it.
Within a matter of hours or days, all the resources invested, both time and money, have been compromised. Maybe there are low-cost counterfeits of your product on the market (or 'dupes' as the cool kids say), or your product is encountering failures or breaches, potentially causing harm to your customer. Imagine what expense this is actually causing to your business compared to investing relatively small amounts of money in securing your software/firmware. The added value of security is not something that should be underestimated. Don't wait to install an alarm after your business has been burgled.
Due to these threats, worldwide legislation is now being implemented to protect users of connected products. If you are not protecting your product against cyber-attacks, your company and executives are open to fines and potential prosecution.
For example, the UK's Product Security and Telecommunications Infrastructure (PSTI) Act enforces stringent security measures for connected devices, including banning default passwords and mandating vulnerability reporting. Similarly, the European Telecommunications Standards Institute (ETSI) EN 303 645 standard outlines 13 best practices for IoT security, such as ensuring software integrity and secure communication. In the US, the IoT Cybersecurity Improvement Act of 2020 sets guidelines for federal procurement of IoT devices, emphasizing secure development practices and regular software updates.
Even if you are ticking certain boxes of the legislation that is defined today, the requirements for protecting against cybersecurity threats are only going to get tighter, and very soon. Getting ahead of the curve today using commercially available embedded security could save your company significant amounts of money down the line.
Jumping back to the first paragraph, “Security is often categorised as an extra expense – we can probably manage without it, so let’s not bother until something happens”. Yes, embedded security is an added expense but in relation to the issues we've covered here: customer protection, brand protection, and IP protection, it’s actually a relatively low-cost insurance policy for your business.
You could be thinking to yourself, cybersecurity or embedded security are very complex subjects, how do I even start to look at this?
Luckily, there are companies such as our technology partner IAR Systems who have taken the pain out of embedded security. You don’t need to have security experts in your business to achieve a high level of security around your product's firmware and software.
To implement embedded security, one of the most critical elements is what we call a High Security Module, or HSM. EPS Global has integrated the IAR Systems HSM into our automated programming machines, providing a very robust, secure, and efficient way to program your firmware and software. Importantly, as EPS Global programs semiconductors before they are mounted on PCBs on the assembly line in factories, secure firmware is programmed into the semiconductor at the earliest stage possible, eliminating the risk of attack during the early stages of manufacture. Using this approach, it’s impossible for malicious actors to intercept firmware or code during manufacture. As we move from programming a non-secure firmware file to a secure firmware file, we start to call the process “Provisioning” as opposed to “Programming”.
IAR Systems have also made the process of preparing firmware files for provisioning very straightforward and easy to implement. Utilizing a tool called ESecIP, encrypted firmware files are produced with ease and without changing the compiler. The encrypted firmware file is created so that the only thing that can decode it is the HSM, located inside a pre-designated programming machine in the EPS Global programming center specified during the firmware file creation. It is a one-to-one relationship which also eliminates overproduction.
EPS Global and IAR Systems are able to guide and advise you on how to securely provision embedded firmware, taking you from un-secure code, all the way to securely provisioned code, even in semiconductors which don’t have specific security features.
The key to navigating the complexities of embedded security lies in understanding the multifaceted nature of the challenges, embracing collaborative approaches, and choosing comprehensive, expert-driven solutions like those offered by EPS Global Component Services, trusted by Tier 1 OEMs and Contract Manufacturers all over the world.
By prioritizing code quality, recognizing the hidden costs of DIY (do-it-yourself) solutions, overcoming internal resistance, and adopting a holistic security framework that covers all stages of a product’s lifecycle, organizations can build robust, secure, and future-proof embedded systems.
At EPS Global, we understand the complexities and challenges of implementing robust embedded security. Work with us to ensure your products are secure, compliant, and ready to face the evolving landscape of cyber threats.
Don't wait for a security breach to take action. Secure your embedded systems today with EPS Global's expert solutions. Contact us now to learn how we can help you strengthen your connected products and protect your business.