By Deb Radcliff, DevSecOps analyst and editor of CodeSecure’s TalkSecure educational content (syndicated at Security Boulevard & YouTube)
In this interview, Jay Warne describes his work on what he calls ‘far-side of research’ into low-level functions of embedded devices serving the energy, industrial, and manufacturing sectors. Having come from a development background himself, he looks at insidious issues with sensors, antennas, modulators and voltage to induce faults and take advantage of leaks and bugs in processors, architectures, and hardware designs that goes beyond typical code-induced vulnerabilities.
Warne believes in the power of community, so he holds a cutting-edge research conference RSTCON where experts take apart the hardware and software components of embedded systems supporting the infrastructure to come up with new exploits in order to build mitigating measures for operators providing the end service.
Hardware and software engineers play an equally important role, and their workflow should reflect that, he says. And always they should keep the system operator deploying these devices top of mind. “Developers are not going to prevent a magnetic field from messing up a device. But these are the type of issues the operators need to focus on because they provide the end service.”
Unfortunately, once these embedded systems fall into the operator’s hands, they get put in place and then get left there with little means of maintaining and patching them.
“Making sure that developers have a way to quickly and easily deliver patches to an operator is critical,” he notes. “In fact, my plea to embedded developers is that their updates and update systems need to be easily automated.”
He also talks about SBOMs for development and deployment. But, without automated analysis and workflow support, he feels that SBOMs are a hard lift for embedded system engineers and developers. “They need robust tools to make determination of changes in code based on provably correct information,” he adds.
Tune into this show and learn how this type of advanced research into the hardware and software elements of embedded systems will ultimately help protect the critical infrastructure.
Resources:
- MITRE Emb3d Threat Model
- DevSecOps best practices for embedded systems-TalkSecure video
- Whitepaper: IOTs impact on Software Engineering
