Don’t Forget to Lock Your Windows
Security is one of the most buzzworthy and sensationalized topics in the embedded market in recent memory. Even 60 minutes has devoted time to the topic. Although device security may not have been at top of Andy Rooney’s interest list, the threat is real.
In the same way that the devices across all facets of our lives have become more intelligent and more connected, they have simultaneously come under a sort of evolutionary entrapment. Their increased functionality has made them both more valuable and more attractive targets of attack. And this dynamic extends from everything from mobile phones to medical devices.
So why then do engineers not extend the same consideration of security across of all these device classes?
Certainly, there are some device classes more inherently at risk than others. In fact, many of the OEMs building these devices already use a range of operating systems specifically designed (or at least marketed) as addressing security, such as Green Hills Integrity, Lynuxworks LynxOS, or Wind River VxWorks. It is time that other OEMs pay attention too.
Or are they already?
Approximately 2/3 of the engineers we surveyed said that security was important to their current design. The ratio varied little based on the target OS cited as used on the engineers’ current projects. The acknowledgement of security’s importance appears ubiquitous.
A few weeks ago, I was attending the Amphion Forum in San Francisco, a conference hosted by Mocana that focused on device security. At the conference, neither engineers nor vendors made much mention of one of the leading OS vendors in the embedded market, Microsoft.
While Microsoft’s PC heritage may not lend a reputation of security staunchness, its embedded SKUs do offer augmented protection over many alternatives. Furthermore, Windows Embedded’s use within many of the more intelligent, connected devices means that engineers using the OS family should absolutely place a premium on security. So what gives?
- In many cases, engineers – especially those not working in safety-critical device classes – are not conditioned to care about security. But investment and attention often follow catastrophe.
- Some engineers also take security for granted, thinking that the use of a commercial OS yields hardened end products. Although commercial OSs can help, their increasing adoption makes them a more compelling target for potential hacking or attack.
- Microsoft needs to ante up. Some of the disconnect is due to marketing, but the rest of it is because of products. Operating systems will never solve the entire problem; Microsoft and its customers will benefit from a broader security-focused portfolio.
2013 will bring even greater security risk. It is time for OEMs and vendors alike to step it up.