In InfoSec, most of the focus and attention has been on the
enterprise. When students are matriculating or earning certifications, the
focus is on the enterprise. Granted, the enterprise is experienced through the
business network, laptops, servers, and the infamous data center. One area,
though, which has not received the attention it deserves is embedded
systems. These are present in many of the products we encounter day in and day
out, during the workday and as consumers. They include the IoT devices we use
every day, the controllers vehicles rely on throughout their systems, and other equipment.
With these in use through most of our lives, both at work and at home,
they should be better understood, and more people should be concerned with them. The
issue, by extension, is that securing them does not receive the focus it
should.
One point with this is the perception that building cybersecurity in
from the beginning of the project, through development, and into
production is expensive. Granted, there is a cost to this from direct
labor, materials, and overhead. For the direct labor, though, a full-time employee is not required in most instances. The person may be tasked
across several projects, and the cybersecurity expert's cost may be
distributed across them, making it less costly per project.
Compare this with the cost of a breach. As an example, the FCA Jeep hack began
at $17M, and the costs have grown substantially since with the lawsuits that followed.
Projects have a timeline. The project team lead has certain
gates to meet at certain points in time. If these are not met, there
can be significant financial effects. When a project is a bit behind, and
the client refuses to budge or work with the vendor, certain areas may have to
be worked on at a later date. One of these, unfortunately, has tended to be
cybersecurity. Somewhere along the way, project managers came to believe cybersecurity
could be added at the end of the project, or later still; the impression
is that it can simply be bolted on at some point. Nothing
could be further from reality. Architecting a cybersecurity solution
for a specific use case is not a simple, short process in most instances, due
to the technical nature of compromises and the complexity of connected systems. It
requires a well-thought-through solution, incorporated from the
beginning of the project and built in through every step.
The alternative is a product with an insecure
embedded system, and we have seen how that has not worked out well.