Panel: Embedded System Security - What does it change?
Oct. 7, 16.00-17.30
Sri Parameswaran, U New South Wales
Rolf Ernst, TU Braunschweig; Jörg Henkel, KIT; Sri Parameswaran, U New South Wales
Nathalie FEYT, Thales
Mark Steigermann, NXP
Georg Sigl, TU Munich
Security in embedded systems has, for a long time, received little
attention, both in the security and in the embedded systems communities.
Embedded systems were used in closed local networks (car, aircraft) with
rather fixed and well defined functionality requiring special skills to
intrude and providing little benefit to the intruder, with a few prominent
exceptions, such as the Stuxnet attack. This has changed in many ways:
Embedded systems use open networks, they address vital functions over such
networks, such as smart grid, traffic control, or ambulant medical service,
and the functions and architectures become more complex and dynamic with
dominant reuse and deep and global supply chains. Internet-of-Things adds
volume to this development challenging the classical embedded systems
approach of a thorough lab test. It appears that embedded system design must
fight on all fronts, at the same time becoming a very interesting target.
However, it is not obvious how to proceed. Security needs all levels of a
design: Hardware, software, networks, applications, user interface were
applicable. Only looking at a subset of these levels leads to ineffective
Security is expensive, it constrains the design process, just as safety
requirements have done this before, and it is not clear how much the
customers are willing to pay in the form of money and inconvenience for
improved security. What is the right approach under these circumstances?
Given the limited amount of human and monetary resources: Are there any
primary research targets, and, if so, which ones? Should we emphasize
reactive or proactive approaches? How do we bring the bits and pieces
together? And specifically to industry: Are there market risks with
introducing embedded system security?