How to secure an embedded system from its conception?
Whether the systems are automated or manual, the quality of the data is critical to make the best decision as soon as possible. In order to collect the most accurate, rich and immediate data possible, on-board defense systems are increasingly connected to each other and to communication networks. Running parallel to this interconnection is the multiplication of intrusion options, resulting in an increase in the number, type and severity of cyber threats to systems. In order to cope with this, it is imperative that equipment raises its level of protection and integrates adequate features.
The difficulty is that the technologies and methods used by hackers evolve extremely rapidly. However, in the particularly sensitive sectors of aeronautics and defense, where projects are spread over a period of 10 years, the equipment is expected to remain operational for several decades.
So how do you develop secure embedded systems that have to deal with technological evolutions that could threaten them? Since it is difficult to predict the parallel evolution of threats and security standards, it is essential to anticipate, from the very beginning of system design, scalable cybersecurity measures that will not impact the integration and availability of the system once implemented.
Hardware architectures and solutions to secure embedded defence systems
The first lever for securing embedded systems is to integrate a secure technical architecture and hardware from the design stage. If the design of the system structure is itself designed in a secure manner, then the risks of intrusion are minimised. In this way, it will not be necessary to integrate security overlays later on that could affect the performance or availability of the system – for example, an antivirus that requires too much computing power.
This is possible because embedded systems are in a special domain, which relies on many specific components and on the atypical implementation of standard technologies. Connectivity, pinouts and physical compartmentalisation of components can thus offer radical solutions, even though they are completely different from the approaches recognised by the usual cybersecurity.
Let’s take the example of a USB or Ethernet connector: these protocols will be common in a civilian context, but the physical interface of these connectors will not be standard for defence: they will be physical interfaces specific to the system, and meeting the security requirements of defence equipment.
Another advantage of such solutions is that they are specific to each component: it is therefore impossible to thwart them without first obtaining precise information about them, confidential information that is itself secure. Effective, economical and durable in the face of evolving threats, architectural solutions combine all the advantages… as long as you have considered them in time!
“Cyber secure by design”, redefined project management
The cybersecurity of an embedded defence system must be considered from the very beginning of the project by clearly defining the risks, the environmental constraints (space, heat, humidity, dust…), the operational requirements (real-time processing, data integrity…) and the implementation costs. This can only be done in close collaboration with the customer, because only they can evaluate the right balance to be found between these four parameters. A common mistake, for example, is to protect against cyber threats to the point of excess, at the risk of compromising the implementation, the usefulness or the practicality of the embedded system, which must be available in critical conditions (open sea, threatening environment, …). It is therefore essential to involve the certification and control bodies at a very early stage, as their experience and testing capabilities are highly valuable. In addition, they are the ones who will ultimately evaluate the system to be implemented. Because some of the requirements may be out of the ordinary, this process can take time and persuasion, so it is best to have anticipated it. This dialogue must continue throughout the project in order to validate first the main principles during the Preliminary Design Review (PDR), then the technical solutions during the Critical Design Review (CDR). The management of such a project must therefore be reviewed and enriched with these crucial safety design/validation steps, in order to ensure the delivery of a critical system that can be implemented and that meets the requirements.
Specialised in the design of embedded systems for defense platforms, the Air Land Sea electronics (ALSe) activity of the Atos Group develops methods and technological know-how to meet their specific cybersecurity challenges:
- comply with information systems security requirements;
- respect the specifications related to the constraints of critical environments;
- maintain the appropriate level of performance;
- guarantee the operational readiness of the systems to ensure that mission execution is not compromised.
About the authors
Norbert Di Costanzo
Chief Operating Officer and senior member of Atos scientific community
Norbert is Chief Operating Officer of Air Land Sea electronics solutions at Atos, a position he has held since 2012. Norbert is part of the Atos communities of experts specialised in advanced computing and hard/firmware.