Consolidating Embedded Systems Security Through Education, Competition, and Business
Photo courtesy of Unsplash
Author: Amanda Andrei
Chances are, you’ve interacted with an embedded system today.
Did you use a thermostat? How about a car? Or maybe a mobile phone? Or a television, a game console, an elevator, a train, a pacemaker?
Embedded systems are foundational computing systems embedded in electronic devices that are typically not visible to the user. However, many of today’s embedded systems were designed before cyber threats became more prevalent. Consequently, securing these systems is a significant step in ensuring national safety and security. Over the past few years, MITRE has merged several independent yet related embedded systems security (ESS) activities to build and strengthen a multidisciplinary, expert workforce to tackle ESS problems.
Understanding and Securing Embedded Systems
Though embedded systems are found in a wide variety of contexts, they share some common characteristics. Typically, they:
- Connect to a physical environment and contain sensors collecting information and actuators (devices converting numerical values into physical effects) controlling the environment
- Run a minimal set of applications, often known at design time
- Cannot by programmed by the end-user
- Operate in fixed run-time constraints
Since they are directly connected to the environment, they need to be dependable, meaning that they have a low probability of failure (reliability), they can be repaired within a certain time-frame (maintainability), they are accessible for use (availability), they will not cause harm (safety), and they protect confidential data and authentic communication (security).
There are many challenges and opportunities in ESS, including dealing with highly connected platforms, training a skilled cyber workforce, and harnessing the insight and influence of the technical baseline. Legacy systems need to be updated, modernization times need to speed up, and newer technologies emerging from the Internet of Things and Smart Cities need to incorporate security measures.
“Embedded systems security is an emerging discipline,” explains Joe Ferraro, Department Head of Trust & Assurance Cyber Technologies in the Cyber Solutions Technical Center. “We’re seeing it becoming more inherent to how we design these systems, as opposed to being in a scrambling mode to fix them. We’re going to see a lot more robust commercial products and government solutions that are considering it from the get-go.”
Embedded Systems Security Learning Path
One of the ways MITRE has addressed this need is through the ESS Learning Path. In April 2015, Ferraro and Bob Heinemann, a technical integrator specializing in mobile and embedded security and supporting the National Cybersecurity FFRDC (Federally Funded Research and Development Center), anticipated the continued demand for professionals with multidisciplinary skillsets and deep knowledge of ESS. They organized several instructors and areas of expertise within the company, organized a curriculum, created educational materials, and delivered the course through the MITRE Institute, our internal schoolhouse, in 2016.
Karen Lamb, a senior cyber security engineer, took part in the 2016 cohort shortly after she started at MITRE and found the course invaluable. “The processes that you learn, such as about debugging and finding vulnerabilities, are more generalizable to different problems you’ll face,” she relates, “so even if I haven’t encountered the same problems as I did in the learning path, I have taken the same approaches and techniques and applied it to the sponsor.”
The course was so successful that they opened the course to several other government agencies. Between 2016 and 2018, they had seven cohorts go through the path. The course is also moving from government to academia—the instructors delivered a course at the University of Maryland, College Park campus this past spring. Though still in the planning stages, the instructors are considering a variety of delivery methods, such as turning the material into a book or an online course.
ESS Capture the Flag
While the Learning Path addressed the needs of current MITRE staff, there was also a need to address incoming staff, especially early career professionals and students. Dan Walters, a principal embedded security engineer in the Electronic Systems and Technology Technical Center, noticed that there were university resources for embedded systems development and cyber security, but scarcely any focusing on security of embedded systems.
“These are small resource constrained systems, and they’re often portable and used in places where they can be stolen or lost,” Walters explains. “Now your attacker has physical access to them. Those security issues are quite a bit different than what you traditionally do for cyber security.”
In response to the gap in embedded systems security knowledge, and to prepare graduating students and incoming professionals for these topics, Walters created an Embedded Capture the Flag (eCTF) competition. The first collegiate eCTF was launched in 2016 and has become an annual event, growing each year.
Embedded Systems Security Line of Business
As MITRE training and outreach in embedded systems security kicked into gear, the ESS Line of Business (LOB) launched in 2017 to help formalize ESS knowledge and resources. “We wanted to provide a mechanism to understand where the centers of gravity are within MITRE in terms of skillsets,” Heinemann relates. “We did an analysis, and turns out it’s spread out in several divisions.”
Adds Ferraro, “The purpose of the LOB was to give the ESS capabilities and subject matter experts a front door so that anyone could approach it more effectively and engage this community.” By coalescing the MITRE efforts across the company, “we were able to codify some of the products, approaches, and anecdotes that could be broadly applicable.”
Broadly speaking, a LOB is a corporate organizational structure that focuses on a product or family of products. Common LOB service offerings include training, staffing, market analysis and forecasting, rapid prototyping, external outreach, and work development and shaping. At MITRE, the ESS LOB is tailored across multiple domains, sectors, and platforms while ultimately serving as a focal point to allow anyone to reach across MITRE to find staff across many disciplines. As Ferraro notes, “You might want your cyber people together, but how you apply cyber might be very different.”
Current capabilities include modeling, system analysis, simulation and emulation, adversarial testing, risk assessments, and countermeasures. The LOB is currently expanding across other centers within the company and strategically targeting new LOB areas.
By 2020, there may be more than 20 billion connected devices around the world. Our phones, cars, trains, houses, even our entertainment systems and household appliances, are becoming more sophisticated and interconnected. Embedded systems are becoming more and more a part of our lives, and it is not only crucial that they are secure and safe, but that we have the talent and workforce who understand how to develop, design, and protect these systems.
The Embedded Systems Security team of Joe Chapman, Joe Ferraro, Lou Fogel, Jeff Hamalainen, Bob Heinemann, Eric Kedaigle, Dave Keppler, Ganu Kini, Chris Korban, Joe Mansour, Dan Walters, and Adam Woodbury were honored at MITRE’s 2018 Knowledge Advantage Showcase.
Amanda Andrei is a computational social scientist in the Department of Cognitive Sciences and Artificial Intelligence. She specializes in social media analysis, designing innovative spaces, and writing articles on cool subjects.
See also: Embedded Capture the Flag (eCTF): Learning about Embedded Systems Security One Flag at a Time
© 2018 The MITRE Corporation. All rights reserved. Approved for public release. Distribution unlimited. Case number 18-2130
Solving problems for a safer world. The MITRE Corporation is a not-for-profit organization that operates research and development centers sponsored by the federal government. Learn more about MITRE.