Many countries are actively working on passing and implementing legal regulations related to embedded systems security. The European Union, together with organizations uniting universities and technology companies, has developed a cybersecurity strategy.
One element of this strategy is the implementation of the EU-RED and EU-CRA directives. The first will come into force on August 1, 2025, and the second will become legally binding in less than three years (a transitional period began in March 2024 and will last 36 months).
This article outlines what to focus on to implement security principles in embedded systems properly.
New legal regulations
The upcoming legal regulations will not only aim to raise the security level of companies as organizations, but will primarily affect the products they offer directly.
The new directives will introduce a range of additional obligations, rules, and principles. Companies creating products will be required to implement and comply with them.
Decision-making processes take time
In most technology companies that design and/or manufacture embedded devices, the decision-making process for implementing various legal regulations takes time. As engineers, we may not always understand why this process is so lengthy. But a company is usually not just one project – it’s a whole list of projects, more or less interconnected.
Complex business processes, intricate design and production workflows, and the need to train personnel all impact the time required to complete such initiatives.
A step toward security
We must understand that new legal regulations and standards will not automatically make our systems secure. The people responsible for implementing and designing the product will play the key role in the entire process. This group includes software engineers, testers, architects, and hardware designers.
By working on current projects, we have already influenced the level of security our products will offer. Of course, implementing all legally required principles without changing the budget, project process or business model, or without providing additional training, will be very difficult or even impossible.
However, we can start improving the security of our products step by step, while also raising the knowledge and awareness of the engineers responsible for designing and implementing them.
List of practices and actions to improve security
Below are areas and suggested actions that can be implemented in ongoing projects without significantly affecting their timelines. Not all of them will be easy or quick to adopt – it depends on the project’s status and many technical and non-technical factors. Still, they are worth considering today.
Passwords
- Do not store access passwords in code – hardcoded passwords will eventually become publicly accessible, and the inability to change them further complicates matters in case of a leak. Generating a password for each device during production and storing it only in an encoded form makes public exposure much harder.
- Do not use the same password for all devices – a single password for all devices or system components means that if it’s leaked, unauthorized individuals can access all devices on the market. Implementing a password generation mechanism per device (e.g., based on serial number or microcontroller ID) is a good practice. Time-limited passwords can also be effective.
Code
- Start conducting regular code reviews – a second pair of eyes can evaluate the code, assess solutions, and check for security issues or memory leaks, helping avoid many future problems. The time spent on reviews often pays off compared to fixing bugs later.
- Apply secure coding principles – implement standards like MISRA C or CERT C in newly developed code.
Communication
- Do not send data in plain text – embedded systems often communicate with other systems or between components. Sending data in plain text, with nothing more than a CRC and start/end markers around it, makes transmissions easy to analyze and problems easy to detect. However, such data can just as easily be read or altered by unauthorized individuals. Use standardized protocols or encryption so that data cannot be read or modified in transit.
- Disable all unnecessary network ports – devices may have many unused open ports. Disable all unnecessary ports and services to reduce the attack surface.
- Use secure protocols for network communication – always use encrypted network protocols to prevent data from being read or modified.
- Disable unused communication ports – embedded devices often have extra ports for diagnostics, programming, or service functions. Disable all such ports and interfaces in production versions to prevent full device access.
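The framed plain-text transmission mentioned under "Do not send data in plain text", together with the secure-coding items in the Code section, as an added example that is not code from the article. The frame layout (STX, one-byte LEN, payload, CRC-16, ETX) and the sample payload are constructed for this example. The receiver validates every field taken from the wire before copying anything, which is the kind of defect CERT C's array and memory rules exist to prevent; it also shows the limit of a CRC, which catches accidental corruption but cannot tell a deliberately rebuilt frame from a genuine one.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed frame layout for this example: STX | LEN | payload[LEN] | CRC16 (big-endian) | ETX.
   The CRC covers LEN and the payload. */
enum { STX = 0x02, ETX = 0x03, OVERHEAD = 5 };
typedef enum { FRAME_OK, FRAME_TRUNCATED, FRAME_BAD_MARKER, FRAME_TOO_LONG, FRAME_BAD_CRC } frame_status;

/* CRC-16/CCITT-FALSE: poly 0x1021, init 0xFFFF, no reflection. Check value for "123456789" is 0x29B1. */
static uint16_t crc16_ccitt(const uint8_t *d, size_t n) {
    uint16_t crc = 0xFFFF;
    for (size_t i = 0; i < n; i++) {
        crc ^= (uint16_t)(d[i] << 8);
        for (int b = 0; b < 8; b++)
            crc = (crc & 0x8000) ? (uint16_t)((crc << 1) ^ 0x1021) : (uint16_t)(crc << 1);
    }
    return crc;
}

/* Sender side. Returns the frame length, or 0 if the payload does not fit. */
static size_t build_frame(const uint8_t *payload, size_t len, uint8_t *out, size_t cap) {
    if (len > 255 || cap < len + OVERHEAD) return 0;
    out[0] = STX;
    out[1] = (uint8_t)len;
    memcpy(out + 2, payload, len);
    uint16_t crc = crc16_ccitt(out + 1, len + 1);
    out[2 + len] = (uint8_t)(crc >> 8);
    out[3 + len] = (uint8_t)crc;
    out[4 + len] = ETX;
    return len + OVERHEAD;
}

/* Receiver side. Every value taken from the wire is checked against what was actually
   received and against the caller's buffer before a single byte is copied. */
static frame_status parse_frame(const uint8_t *in, size_t inlen, uint8_t *payload, size_t cap, size_t *outlen) {
    if (inlen < OVERHEAD) return FRAME_TRUNCATED;
    if (in[0] != STX) return FRAME_BAD_MARKER;
    size_t len = in[1];
    if (len + OVERHEAD > inlen) return FRAME_TRUNCATED;   /* LEN claims more bytes than arrived */
    if (len > cap) return FRAME_TOO_LONG;                 /* would overrun the caller's buffer */
    if (in[4 + len] != ETX) return FRAME_BAD_MARKER;
    uint16_t crc = (uint16_t)((in[2 + len] << 8) | in[3 + len]);
    if (crc != crc16_ccitt(in + 1, len + 1)) return FRAME_BAD_CRC;
    memcpy(payload, in + 2, len);
    *outlen = len;
    return FRAME_OK;
}

int main(void) {
    const uint8_t msg[] = {0xA1, 0x00, 0x2C, 0x01};            /* constructed sample payload */
    uint8_t frame[16], out[8], rebuilt[16];
    size_t flen = build_frame(msg, sizeof msg, frame, sizeof frame), n;
    printf("intact frame:              %d (0 = FRAME_OK)\n", parse_frame(frame, flen, out, sizeof out, &n));
    frame[2] ^= 0x01;                                         /* one flipped bit on the wire */
    printf("bit flip, stale CRC:       %d (rejected)\n", parse_frame(frame, flen, out, sizeof out, &n));
    frame[1] = 200;                                           /* LEN larger than the data received */
    printf("oversized LEN:             %d (rejected, no over-read)\n", parse_frame(frame, flen, out, sizeof out, &n));
    /* The CRC's limit: a different payload framed with a freshly computed CRC is indistinguishable
       from a genuine one. Integrity against an adversary needs a keyed MAC or an authenticated protocol. */
    const uint8_t other[] = {0xA1, 0x00, 0xFF, 0x01};
    size_t rlen = build_frame(other, sizeof other, rebuilt, sizeof rebuilt);
    printf("different payload, new CRC: %d (accepted)\n", parse_frame(rebuilt, rlen, out, sizeof out, &n));
    return 0;
}
```

The order of the checks matters: the LEN field is compared with the number of bytes actually received before it is used as an index, so a frame that claims 200 bytes but delivers nine is rejected without reading past the buffer, and the caller's capacity is checked before the copy rather than after.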
Libraries
- Monitor vulnerabilities in libraries – external libraries help speed up development but may contain vulnerabilities. Public databases exist where developers and organizations report such issues. Monitor these databases to check if any libraries you use are affected.
- Disable unused library functions – often, only a subset of a library’s features is used. Disable unused functions during compilation or configuration to reduce potential entry points.
Awareness
- Protect private and sensitive data – modern embedded systems process large amounts of data, some of which is private or sensitive and a prime target for attackers. Use cryptographic algorithms and encryption to protect this data.
- Raise team awareness – legal regulations and standards alone won’t secure your device. Engineers must have the necessary knowledge, skills, and awareness. Implementing required features may require additional training time.
The next step toward security
The practices described above are a good starting point for improving the security of the products we work on. The next step will require more engagement and focus on advanced system elements, such as:
- Software updates and installation
- Secure data storage
- Secure communication
- System analysis and threat modeling
- Monitoring vulnerabilities in used libraries
- Creating a secure software development process
Future articles will explore these topics in more technical detail and how to approach their implementation.

Summary
Properly implementing security principles in embedded systems will undoubtedly be a challenge for many engineers, companies, and organizations. Changing mindsets and workflows will take time and involve many unforeseen tasks. The entire process can be compared to a marathon. But to avoid turning it into a sprint, we must start today.
Remember – your system is only as secure as its weakest component.