Embedded System Security – CompTIA Security+ SY0-401: 4.5

We have added technology to almost every aspect of our lives. In this video, you’ll learn about the challenges with securing embedded systems like SCADA, HVAC, multifunction printers, and even our automobiles.

On our PCs and our mobile devices we can make changes to the operating systems at any time. We can install new applications. We can modify or update the operating system itself, and really change the entire working environment of that computing device.

But in static computing devices things don’t change very much. In fact, there’s very little change that would occur on a static device. From a security perspective, this is great. We know exactly what type of protections we need in place. And we know that nothing is going to change outside the scope that we’ve now built in that static device.

We often see these static environments used when there is an embedded system. These are systems that are created to perform a series of functions. And it’s a very specific scope of functions.

If you go into a hospital and there’s an intravenous drip meter, that is an embedded computing system inside of that device. Or if you’re going to a water treatment plant, and you’re looking at the controls that are in use, those are designed, obviously, very specifically for the needs of that water treatment plant.

But just because these embedded systems are there, and they are static types of systems, doesn’t mean they will never be updated. In fact, there are very often firmware upgrades for these that will at least update, or modify, some of the capabilities of that device. But even then, the scope of change is nothing like what you would have for a traditional PC or computer on your desk. Generally, these are bug fixes or minor changes to the operation of that embedded device.

Two types of industrial embedded devices are SCADA and HVAC. SCADA is the Supervisory Control And Data Acquisition system technology. These are used on very large-scale industrial devices. Another type of industrial device you’d run into is something like an HVAC device. Heating, Ventilation, and Air Conditioning devices also have these embedded systems inside them to run those particular environmental systems.

Usually there is a PC that manages these devices. And in the case of something like SCADA, you would have a computer that uses the SCADA communication and technology to be able to manage power generators, or refining equipment, or manufacturing devices. These are very large industrial devices. And it is this very specialized SCADA instruction set that is used to be able to manage and maintain these very specialized pieces of equipment.

When these devices were built, they were built with the idea that they’d never be connected to the internet. That’s now a significant concern, because you don’t want somebody from the outside to gain access to the system that’s providing power for an entire city. And that’s exactly what is at risk with these SCADA systems.

So these days, there is an enormous requirement to protect these SCADA systems. There are laws enacted to ensure that these SCADA systems are protected. And there are best practices for protecting them from the outside.

You generally don’t have SCADA systems connected to the internet. You make sure there are firewalls protecting the access, and that the proper access controls are in place, so that you can be assured that only the people who need access to these SCADA systems will ever touch them.

We’ve been printing, and scanning, and faxing for years. And today the technology around this has really improved so that you can combine all of these functions within one single all-in-one device. You may see these also referred to as multifunction devices, or MFDs. Everything that you would need is now in one device. You plug it in and it’s able to perform the printing, the faxing, and the scanning functionality all from the single machine.

It’s no longer a simple printer, of course. There’s some very advanced technology in the hardware. And, of course, some significant software that’s running inside of this particular kind of embedded device.

These multifunction devices have a lot of memory inside of them, and software. And it’s not uncommon for them to queue up and store printouts, scans, or faxes in the memory of the device. Even after that particular printout has come out, the device may still have a copy of it in memory. Someone who knows what they are doing can press a few buttons and have all the contents of memory reprinted. So someone may have access to that data when you had no idea it was being stored on that machine.

There’s also, of course, a number of logs stored on this device. So if you are sending a fax, or if information is received from that device, someone may be able to go through that metadata to see exactly who is sending and who’s receiving information from that machine.

There’s an amazing amount of computing power just within our automobiles. We know that we’ve had computers in our engines for years and years. And these days, the technology has made its way inside of the car, and we use it for our satellite radio systems, our entertainment units, and our GPS systems themselves.

The technology in the engines themselves has improved through the years. And it’s not uncommon to have multiple computers managing different systems inside of your engine. These days you could take your car in and have a firmware upgrade applied to it, to improve the performance or the fuel consumption of your engines.

There’s also a side of your engine that’s maintaining a bit of telemetry. It’s not unusual to have data recorders inside of your systems that are recording the speeds that you travel, the locations you’re traveling. And it keeps all of this telemetry constantly stored in your system. And we’re just starting to see the legal ramifications of this, since now we’re starting to use this data for accident reports, and to show exactly what was happening to a particular device at a particular time of the day.

Maintaining the security of a static or embedded system is a little bit different than maintaining it for our traditional PC environment. But it’s still incredibly important to make sure that our information stays private and secure.