Why Now Is the Time to Invest in Security
Now part of the expanding web-connected network, embedded devices are very different from standard PCs or other consumer devices. These industrial operational assets are commonly fixed-function devices designed specifically to perform a specialized task.
Many of them use a specialized operating system such as VxWorks, Nucleus, INTEGRITY or MQX, or a stripped-down version of Linux. Installing new software on the system in the field either requires a specialized upgrade process or, in many cases, is not supported.
In most cases, these devices are optimized to minimize processing cycles and memory usage and do not have extra processing resources available to support traditional security mechanisms.
As a result, standard PC security solutions won’t solve the challenges of embedded devices. In fact, given the specialized nature of embedded systems, PC security solutions won’t even run on most embedded devices.
At its recent annual Security Analyst Summit (SAS), Kaspersky Lab’s researchers presented a report detailing a number of advanced threats that target critical infrastructure devices, including the electric grid and factory control systems. The report included comprehensive evidence of embedded surveillance tools and pervasive malware that have largely gone undetected for over a decade.
The report details a number of very sophisticated cyber threats. Some of the more startling revelations were:
- Some of this malware has existed since around 2001 and has gone undetected until now
- Malware operating at the firmware level that enabled discovery of encryption keys and cracking of encryption algorithms, and that remained in place through an operating system reinstall
- Malware that replaced hard-drive firmware to create a secret storage area on a hard disk that would survive drive reformatting
Why air gap DOES NOT WORK