2.6 Explain the security implications of embedded and specialized systems. (Page 10). Flashcards

1
Q

Any form of computing component added to an existing mechanical or electrical system for the purpose of providing automation and/or monitoring.

A

EMBEDDED SYSTEMS

2
Q

A 64-bit microcontroller or a single-board computer. These types of microcontrollers provide a small form-factor computer that can be used to add computer control and monitoring to almost anything. It includes a CPU, RAM, video, peripheral support (via USB), and some include onboard networking. It includes its own custom OS, but dozens of alternative OSs can be installed as a replacement.

A

Raspberry Pi (EMBEDDED SYSTEMS)

3
Q

A flexible computing device intended to be programmed by the end user or customer. FPGAs are often used as embedded devices in a wide range of products, including industrial control systems (ICS).

(Page 197).

A

Field-programmable gate array (FPGA) (EMBEDDED SYSTEMS)

4
Q

An open-source hardware and software organization that creates single-board 8-bit microcontrollers for building digital devices. It has limited RAM, a single USB port, and I/O pins for controlling additional electronics (such as servo motors or LED lights), and does not include an OS. Instead, it can execute C++ programs specifically written to its limited instruction set. While Raspberry Pi is a miniature computer, it is a much simpler device.

A

Arduino (EMBEDDED SYSTEMS)

5
Q

A type of industrial control system (ICS). An ICS is a form of computer-management device that controls industrial processes and machines.

A

SYSTEM CONTROL AND DATA ACQUISITION (SCADA) / INDUSTRIAL CONTROL SYSTEM (ICS)

6
Q

These benefit from ICS/SCADA automation and monitoring by allowing the systems to manage door locks, control lighting, adjust temperature and humidity, and more.

A

Facilities/Buildings (SCADA/ICS)

7
Q

These organizations often use ICS to automate and oversee large complex operations, such as oil refineries, waste management plants, cruise ships, and more.

A

Industrial (SCADA/ICS)

8
Q

These organizations often implement ICS solutions to automate and oversee their operations.

A

Manufacturing (SCADA/ICS)

9
Q

SCADA and ICS can be deployed to monitor and manage energy consumption to reduce cost and optimize capabilities and performance of managed systems.

A

Energy (SCADA/ICS)

10
Q

SCADA and ICS can be beneficial to site managers by easing the burden of logistics by automating operations and maintaining logging and monitoring of events across the entirety of the enterprise IT/IS or industrial/manufacturing area.

A

Logistics (SCADA/ICS)

11
Q

A new subcategory or maybe even a new class of devices connected to the Internet to provide automation, remote control, or AI processing to traditional or new appliances or devices in a home or office setting.

A

INTERNET OF THINGS (IoT)

12
Q

A common IoT device deployed in a business environment that can measure just about anything, including temperature, humidity, light levels, dust particles, movement, acceleration, and air/liquid flow. They can be linked with cyberphysical systems to automatically adjust or alter operations based on the sensor’s measurements such as turning on the A/C when the temperature rises above a threshold.

A

Sensors (IoT)

13
Q

A mobile device that offers the user a plethora of customization options, typically through installing apps, and may take advantage of on-device or in-the-cloud artificial intelligence (AI) processing.

A

Smart Device (IoT)

14
Q

Offshoots of smart devices and IoT devices that are specifically designed to be worn by an individual. The most common examples of these are smart watches and fitness trackers.

A

Wearables (IoT)

15
Q

These include smart thermostats, ovens, refrigerators, garage doors, doorbells, door locks, and security cameras. These IoT devices may offer automation or scheduling of various mundane, tedious, or inconvenient activities, such as managing the household heating and cooling systems, adding groceries to an online shopping list, automatically opening or unlocking doors as you approach, recording visitors to your home, and cooking dinner so it is ready just as you arrive home from work.

A

Facility automation devices (IoT)

16
Q

Often this element of IoT devices will be insecure. Always evaluate the setting and configuration options of new products and make changes that optimize security and support business functions. This is especially relevant to default passwords, which must always be changed and verified.

A

Weak defaults (IoT)

17
Q

This type of equipment is anything designed for one specific purpose, to be used by a specific type of organization, or to perform a specific function.

A

SPECIALIZED

18
Q

A growing number of medical systems are specialized devices that have been integrated with IoT technology to make them remotely accessible for monitoring and management.

A

Medical systems (Specialized)

19
Q

These computing systems can include the components used to monitor engine performance and optimize braking, steering, and suspension, but can also include in-dash elements related to driving, environment controls, and entertainment.

A

Vehicles systems (Specialized)

20
Q

These systems allow the partial and sometimes fully autonomous operation of an aircraft without the need of a human pilot.

A

Aircraft systems (Specialized)

21
Q

A remotely accessible electrical meter. It allows the electricity provider to track energy use remotely. Some of these grant the customer the ability to view collected statistics as well.

A

Smart Meters (Specialized)

22
Q

A tunneling mechanism used to transport voice and/or data over a TCP/IP network.

A

VOICE OVER IP (VoIP)

23
Q

A business feature that can be controlled by IoT devices to affect the temperature and humidity of a given location.

A

HEATING, VENTILATION, AIR CONDITIONING (HVAC)

24
Q

Printers that may also include fax, scanning, and other functions, and they are often network connected.

A

MULTIFUNCTION DEVICES (MFDs) or MULTIFUNCTION PRINTERS (MFPs)

25
Q

Designed to process or handle data as it arrives onto the system with minimal latency or delay. An RTOS is usually stored on read-only memory (ROM) and is designed to operate in a hard real-time or soft real-time condition.

A

REAL-TIME OPERATING SYSTEMS (RTOS)

26
Q

Any device that is intended to monitor and track assets and/or subjects. These can be embedded systems, or they can be dedicated sensors.

A

SURVEILLANCE SYSTEMS

27
Q

An integrated circuit (IC) or chip that has all of the elements of a computer integrated into a single chip.

A

SYSTEM ON A CHIP (SoC)

28
Q

When any device is used, especially embedded, ICS, SCADA, IoT, or specialized equipment, attention should be paid to the means and methods of communications used. The primary concerns are that connections are authenticated and encrypted.

A

COMMUNICATION CONSIDERATIONS

29
Q

5G is the latest mobile service technology that is available for use on mobile phones, tablets, and other equipment. Many ICS, IoT, and specialty devices will have embedded 5G capabilities.

A

5G

30
Q

Narrow-band is widely used by SCADA systems to communicate over a distance or geographic space where cables or traditional wireless are ineffective or inappropriate. Use of narrow-band should be monitored and encrypted.

A

Narrow-band

31
Q

Baseband radio is the use of radio waves as a carrier of a single communication. WiFi and Bluetooth are examples of baseband radio. All uses of baseband radio should be identified, monitored, and encrypted.

A

Baseband Radio

32
Q

Subscriber identity module (SIM) cards are used to associate a device with a subscriber’s identity and service at a mobile or wireless telco. SIMs can be easily swapped between devices. SIM cards can be cloned to abuse a victim’s telco services.

A

Subscriber identity module (SIM) cards

33
Q

Zigbee is an IoT equipment communications concept that is based on Bluetooth. Zigbee has low power consumption, a low throughput rate, and requires close proximity of devices. Zigbee communications are encrypted using a 128-bit symmetric algorithm.

A

Zigbee

34
Q

Embedded and specialized systems are usually more limited or constrained based upon their design or hardware capabilities. These constraints can have security implications.

A

CONSTRAINTS

35
Q

Some embedded and specialized systems run off of replaceable or rechargeable batteries. Others only receive a small amount of power from a USB plug or special power adapter/converter. These power limitations can restrict the speed of operations, which in turn can limit the execution of security components. If additional power is consumed, the device might overheat. This could result in slower performance, crashing, or destruction.

A

Power

36
Q

Most embedded and specialized systems use less capable CPUs. This is due to cost and power savings or limitations. Less computing capability means fewer functions, which includes fewer security operations.

A

Compute

37
Q

Many embedded and specialized systems have limited network capabilities. This could be limited to wired only or wireless only. Within wireless, the device could be limited to a specific WiFi version, frequency, speed, and/or encryption. Some of these types of devices are limited to special communication protocols, such as Zigbee or Bluetooth Low Energy (BLE).

A

Network

38
Q

Many embedded and specialized systems are unable to process high-end encryption. The crypto on these special devices is often limited and may use older algorithms, poor keys, or just lack good key management. Some devices are known to have pre-shared and/or hardcoded encryption keys.

A

Crypto

39
Q

Some embedded and specialized systems are difficult to patch, while others might not even offer patching or upgrading. Without updates, vulnerable code will remain at risk.

A

Inability to patch

40
Q

Some embedded and specialized systems do not use authentication to control subjects or restrict updates. Some devices use hard-coded credentials. These should be avoided. Only use equipment that allows for customized credentials, and prefer devices that support mutual certificate authentication.

A

Authentication

41
Q

Some embedded and specialized systems have a limited transmission range due to low power antennae. This can restrict the device’s usefulness or require signal boosting to compensate.

A

Range

42
Q

Due to the low cost of some embedded and specialized systems, they might not include necessary security features. Other devices that do include needed security components may be too costly to be considered.

A

Cost

43
Q

Similar to supply chain issues, when an embedded or specialized system is used, the organization is automatically trusting the vendor of the device and the cloud service behind it. This implied trust may be misguided. Always thoroughly investigate vendors before relying upon their product and even then segregate specialized systems in their own constrained network segment.

A

Implied trust