I had a chance to attend an IEEE cybersecurity presentation recently and left wanting to ditch all my computers and smartphones to move into the deep woods as far off the grid as possible. The presentation included very high-level demonstrations of several common methods that attackers use to gain access to your PC or smartphone. Readily available hardware and software were used to illustrate how easy it is for someone to gain unauthorized access. Within a matter of seconds, a cyber attacker can monitor your every keystroke during a public hotspot session. To top that, allow them physical access to one of your devices and they can inject a worm in two to three seconds, which gives them complete remote access to your device and anything that it connects to in your personal or business environment.
The presenters were cybersecurity consultants who work with their clients to seek out vulnerabilities in their company networks. They pointed out that cybersecurity often starts with some basic penetration testing. Having penetration testers examine your computer networks can provide a comprehensive and prioritized view of what should be done to best protect them from the growing number of cyberthreats. Once penetration testing has exposed the gaps in security, the testers can make recommendations on how to close them.
Their demonstrations were on a common Windows 10-based PC with out-of-the-box protection, which isn’t much. A Windows PC is the most open system architecture possible, making it the prime target for attacks. Fortunately, there are basic steps that one can take to minimize the risk. Things like setting your Wi-Fi connection to require manual intervention, never leaving your laptop unlocked and unattended – anywhere, applying updates as they are released, installing a VPN, and using sound password practices raise the bar for access a bit. But true security is very elusive and very difficult on a general-purpose computer system such as a PC that is designed for multiple functions.
In the world of embedded computing, the motivation for accessing most devices is much lower than for going through the files on your laptop or smartphone. The fact that most industrial devices are behind reasonable firewalls, that they use less scrutinized real-time operating systems, and that they are dedicated to specific tasks makes them a bit more resistant to attack. However, that does not mean that these devices are not a target. Sometimes the reward for attackers is much greater.
Many embedded applications have a Windows/PC portal that creates a soft entry point to the massive amounts of data on the inside and to control functions. These portals usually depend on the same PC-caliber cybersecurity available to you and me.
While what we see in the movies with cyberattacks may not be possible to the degree glorified by Hollywood, you can rest assured that somewhere, someone is going to work every day, in a nice office, searching for ways to attack computer systems around the world. The threat is real, and it is only getting worse.
To illustrate just how critical cybersecurity is, the Department of Defense (DoD) formed the U.S. Cyber Command, charged with three missions: defend the Defense Department’s networks and systems, provide offensive support to other commands in the event of a contingency, and defend the nation from a cyberattack of significant consequence (less than two percent of incidents would qualify as “significant”). While the issue of who should “manage” Cyber Command is ongoing in the DoD, work is underway to address the cybersecurity of our nation.
Our industry is affected by the fact that many of you are designing, building, and using open standard architecture in embedded computing systems that are susceptible to cyberattacks. In the feature, “Securing Embedded Systems Based on Open System Architectures,” I touch on high-level concerns and challenges facing designers using Open System Architectures such as VITA technology modules.
In the meantime, keep your devices up-to-date and secure; you never know when you might become a victim.