Secure by Design: Developing more secure connected embedded systems

Cybersecurity of connected embedded system devices has always been important, especially for systems supporting high availability, mission-critical applications.

In today’s heightened cyber threat environment, designing connected devices with the strongest possible security posture is essential. Embedded systems for industrial controls, transportation, navigation, communications, aerospace, military applications, healthcare devices, logistics systems and many others require uncompromising security at deployment and throughout their product lifecycles.

For more than 20 years Timesys has been the industry’s trusted partner for secure embedded software design and development. We provide device makers and system developers with tools and services to accelerate time to market of more secure products.

Building secure products

Timesys’ embedded system development tools and services provide you with the industry’s best practices for Secure by Design, for building and maintaining secure connected embedded systems.

Compliance assistance with regulatory and government security requirements: US FDA Guidance, EU Cybersecurity, IEC 62304, SCADA, other security specifications

System hardening, secure boot, encrypted storage, trusted execution environments, high availability, for ruggedized and highly secure applications

Vulnerability detection and mitigation tools, secure incorporation of third-party components, automatic software patch and update notifications

See how Timesys has helped customers successfully bring products to market faster and with stronger security


Securing the software supply chain

[Figure: the CIA Triad, a triangle with Confidentiality on the left, Integrity on the right and Availability at the bottom]

Designing products with the CIA Triad principles

For four decades, cybersecurity practitioners have used the CIA Triad to assess the security posture of their IT devices and applications.

The CIA Triad categorizes security controls as supporting Confidentiality, Integrity and Availability of information and systems that process, store and transport it.

Timesys enables you to ensure your devices meet the CIA Triad’s parameters for the strongest possible security:

  • Encryption of data in storage, in processing, or in transit to maintain confidentiality
  • Access controls to prevent an attacker from gaining control and manipulating the device and violating integrity of the system and its data
  • Secure boot function to prevent running of unauthorized code that could compromise system or data integrity
  • Hardening and redundancy to ensure availability in the event of attacks such as denial of service, bricking or flooding
  • Security controls and system software maintained and enhanced over time to respond to new vulnerabilities, patches and upgrades

Software ‘Trustworthiness’

Under go-to-market pressure, many connected embedded system product developers rely on third-party software components, open source or proprietary licensed, to provide foundational product functions.

But this practice can pose security risks because you are incorporating software that you have not created, sometimes referred to as “Software of Unknown Provenance” (SOUP), into your product.

The Industrial Internet Consortium (IIC) specifically addresses this point with its analysis of “software trustworthiness.”

In a recent white paper on the topic, the IIC laid out a set of design considerations for developing more secure code. Chief among them was analyzing how third-party code was developed, integrated and maintained.

Timesys offers Vigiles, a vulnerability monitoring and mitigation service and the industry’s first Software Composition Analysis (SCA) tool optimized for embedded systems. With it you can automatically generate an accurate Software Bill of Materials (SBOM) to understand exactly which third-party components are in your system, immediately identify the vulnerabilities affecting each component, and rapidly mitigate them.

The result is a significant increase in the trustworthiness of the software supply chain you use for developing your embedded systems.
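The SBOM-to-vulnerability matching described above, shown as an added example that is not Timesys or Vigiles code: a constructed SBOM is checked against a constructed advisory feed (placeholder IDs), with a per-component list of already-backported fixes so that patched components are not reported again.

```python
# Added example (not Timesys/Vigiles code): the core step of Software Composition
# Analysis, matching SBOM components against affected version ranges.
from dataclasses import dataclass


@dataclass(frozen=True)
class Component:
    name: str
    version: str
    # Advisory IDs already fixed by a backported patch (common in embedded
    # Linux builds, where the version string stays the same after patching).
    patched: frozenset = frozenset()


def parse_version(v: str) -> tuple:
    """Turn '1.2.11' into (1, 2, 11) so versions compare numerically, not as text."""
    return tuple(int(p) for p in v.split("."))


# Constructed SBOM for the example; these are not the contents of any real product.
SBOM = [
    Component("zlib", "1.2.11"),
    Component("openssl", "1.1.1", patched=frozenset({"CVE-EXAMPLE-0002"})),
    Component("busybox", "1.36.0"),
]

# Constructed advisory feed with placeholder IDs: first affected version
# (inclusive) and first fixed version (exclusive) per package.
ADVISORIES = [
    {"id": "CVE-EXAMPLE-0001", "package": "zlib", "introduced": "1.2.0", "fixed": "1.2.12"},
    {"id": "CVE-EXAMPLE-0002", "package": "openssl", "introduced": "1.1.1", "fixed": "1.1.2"},
    {"id": "CVE-EXAMPLE-0003", "package": "busybox", "introduced": "1.30.0", "fixed": "1.35.0"},
]


def is_affected(component: Component, advisory: dict) -> bool:
    """True when the component's version lies in the advisory's affected range."""
    if component.name != advisory["package"]:
        return False
    v = parse_version(component.version)
    return parse_version(advisory["introduced"]) <= v < parse_version(advisory["fixed"])


def find_vulnerabilities(sbom: list, advisories: list) -> dict:
    """Map 'name@version' to the open advisory IDs that affect it, skipping patched ones."""
    report = {}
    for c in sbom:
        hits = [a["id"] for a in advisories if is_affected(c, a) and a["id"] not in c.patched]
        if hits:
            report[f"{c.name}@{c.version}"] = hits
    return report


if __name__ == "__main__":
    for comp, ids in find_vulnerabilities(SBOM, ADVISORIES).items():
        print(comp, "->", ", ".join(ids))
```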


Security shifts left and stretches right

Traditional security audits take place at the end of development and testing, right before products are released.

But the new security environment and customer requirements mean that security must expand across all stages of the Software Development Life Cycle (SDLC). In other words, your team’s security focus must both “shift left” and “stretch right.”

Security becomes a chief design consideration from the earliest stage of software planning, shifting left from the end of the process to the beginning. It becomes a core part of testing and release quality checks.

As software is built out, it is essential to ensure that Secure by Design principles aligned with the CIA Triad are incorporated into the product. Seamless integration of a vulnerability detection and mitigation process with your existing embedded Linux development tools, such as Yocto and Buildroot, further strengthens your product’s overall security posture.

[Figure: security’s expanded role across the software development life cycle compared with its traditional role]

Security also needs to “stretch right,” so that it is a continuous focus even after products are launched and released to market, in order to address post-market surveillance guidelines. That calls for security to be a fundamental part of software and product maintenance throughout a device’s production lifetime.

Have a project you’d like to discuss?

Fill out the form for a no-obligation consultation about your connected embedded system project. We offer best-practices guidance on:

  • Secure boot and encrypted data storage, two foundational security functions to be considered in embedded system design.
  • Securely incorporating third-party software into your products.
  • Deploying a Trusted Execution Environment (TEE) to reduce risk associated with third-party software.
  • Software and firmware update design considerations, including Over-the-Air (OTA) updates.
  • Device hardening.
  • Device security audits.
  • Vulnerability monitoring and mitigation.
