Establishing Cyber Resilience in Embedded Systems for Securing Next-Generation Critical Infrastructure

04/06/2020
by   Fahad Siddiqui, et al.
Queen's University Belfast
0

The mass integration and deployment of intelligent technologies within critical commercial, industrial and public environments have a significant impact on business operations and society as a whole. Though integration of these critical intelligent technologies pose serious embedded security challenges for technology manufacturers which are required to be systematically approached, in-line with international security regulations. This paper establish security foundation for such intelligent technologies by deriving embedded security requirements to realise the core security functions laid out by international security authorities, and proposing microarchitectural characteristics to establish cyber resilience in embedded systems. To bridge the research gap between embedded and operational security domains, a detailed review of existing embedded security methods, microarchitectures and design practises is presented. The existing embedded security methods have been found ad-hoc, passive and strongly rely on building and maintaining trust. To the best of our knowledge to date, no existing embedded security microarchitecture or defence mechanism provides continuity of data stream or security once trust has broken. This functionality is critical for embedded technologies deployed in critical infrastructure to enhance and maintain security, and to gain evidence of the security breach to effectively evaluate, improve and deploy active response and mitigation strategies. To this end, the paper proposes three microarchitectural characteristics that shall be designed and integrated into embedded architectures to establish, maintain and improve cyber resilience in embedded systems for next-generation critical infrastructure.

READ FULL TEXT VIEW PDF

Authors

page 1

page 2

page 3

11/04/2019

Design Considerations for Building Credible Security Testbeds: A Systematic Study of Industrial Control System Use Cases

This paper presents a mapping framework for design factors and implement...
06/26/2020

CyRes – Avoiding Catastrophic Failure in Connected and Autonomous Vehicles (Extended Abstract)

Existing approaches to cyber security and regulation in the automotive s...
12/08/2021

Cyber-Security Investment in the Context of Disruptive Technologies: Extension of the Gordon-Loeb Model

Cyber-security breaches inflict significant costs on organizations. Henc...
12/06/2018

On Critical Infrastructures, Their Security and Resilience - Trends and Vision

This short paper is presented in observance and promotion of November, t...
01/19/2022

Defining Security Requirements with the Common Criteria: Applications, Adoptions, and Challenges

Advances of emerging Information and Communications Technology (ICT) tec...
05/26/2022

The Opportunity to Regulate Cybersecurity in the EU (and the World): Recommendations for the Cybersecurity Resilience Act

Safety is becoming cybersecurity under most circumstances. This should b...
This week in AI

Get the week's most popular data science and artificial intelligence research sent straight to your inbox every Saturday.

I Introduction

Proliferation of intelligent connected technologies are opening venues to new service and computing models, providing diverse socio-economic benefits. These technologies are giving rise to wide range of intelligent applications including smart home, smart city, smart grid and intelligent transportation systems [33][25]

. Estimates from market leading industry predict that intelligent connected technologies will proliferate to a trillion devices by 2035 

[28]. This rapid growth of intelligent consumer and industrial solutions is leading to significant growth in smart embedded devices, such as wearables and critical infrastructure components, that provide information and communication functions to the users and businesses.

These smart embedded devices will be integrated and deployed in public and private environments for commercial and non-commercial purposes, to enhance business and consumer experiences by sharing and analysing generated data [4][30]

. This data can be used in a variety of ways, enhancing the customer’s experience, bringing new business models and market opportunities using artificial intelligence, machine learning and data analytics, to make better informed decisions. However, where this sharing of data brings benefits and opportunities, it simultaneously presents risks 

[31]. The large-scale integration and deployment of smart embedded devices and related services within critical infrastructure environments to control critical tasks, poses serious design, supply chain, security and safety challenges [25][20][1][24].

As reliance on these technologies has grown, opportunities have arisen for adversaries to attack and compromise public and commercial critical infrastructure systems [4][30][31]. Therefore, international government agencies have released cyber security regulations [8][22][10] to curtail this problem by advocating businesses and technology manufacturers to comply and adhere to these regulations. These cyber security regulations pose a need for smart embedded devices and intelligent technologies to be Cyber Resilient. Device manufacturers therefore should design, develop and deploy security within their products to maintain compliance, consumer confidence and market share. However this need for harnessing security to comply with cyber security regulations, has compelled embedded designers and security architects to deploy defences that are often ad-hoc and passive in nature. As they have been designed to mitigate a certain class of known attacks [18]. Nevertheless, this strategy has been found vulnerable and compromised due to software vulnerabilities, microarchitectural weaknesses and poor use of secure design practices [1][5][17][35][15][14].

Open literature and reported events show that attack methods are evolving and becoming sophisticated, software vulnerabilities are inevitable, embedded architectures are insecure and are therefore susceptible to diverse attacks [18][35]. A successful launch of an attack on a device can expose private and confidential data of the user and enterprise to adversaries. To best of our knowledge, no existing embedded security microarchitecture or defence mechanism provides continuity of data stream and the information that can be extracted to gain and establish an evidence caused by the security breach for Cyber Forensics.

Considering these diverse cyber security challenges, there is a need for adopting a holistic rather than continue pursuing passive approach to achieve cyber resilience in embedded systems. The architecture shall harness, maintain and ensure design and operational security. Moreover, it shall be capable of both detection and recovery from a launched attack, and preserve crucial security requirements of embedded device deployed within public and private critical environments.

This paper will present the core security functions set out by the international security authorities in Section II. A comprehensive review of existing embedded security practices and mapping of core security functions to existing embedded security landscape will be presented in Section III which will be used to derive the security requirements of a cyber resilient embedded system. The shortcomings of well established embedded security microarchitectures will be discussed in Section IV and microarchitectural characteristics of a cyber resilient embedded system will be proposed in Section V.

Ii Cyber Resilience & Cyber Security Regulations

Currently, major differences exist in the way companies are using technologies and adopting security practices into their design, development and operational processes making it more difficult to mitigate and fight against cyber attacks [5]. This problem has been elevated by the lack of adoption of security and cyber resilient posture by the stakeholders. IT Governance is a global provider of cyber risk and privacy management solutions that defines Cyber resilience [34] as:

”The ability of a system to identify, prevent, and respond to cyber attacks, intended to disrupt the system’s operational capabilities while maintaining confidentiality and integrity of the data”

To streamline these security issues, the National Institute of Standards and Technology (NIST) and the National Cyber Security Centre (NCSC) have released the following frameworks and regulations to improve security:

  • NIST Risk Management Framework (RMF)

  • NIST Cyber Security Framework (CSF)

  • NSCS Security of Network and Information Systems Regulations (NIS)

The NIST Risk Management Framework [22] is a guidance document designed to help organisations and enterprises assess and manage risks to their information and infrastructure. It enables a process that integrates security and risk management activities within the system development life cycle as shown in Figure 1. It provides means to select, implement, assess, authorise and monitor controls. This involves identification of critical components based on their security requirements followed by selection and implementation of effective monitoring controls, that are aligned with the system’s operational behaviour. This process enables security architects to identify risks, select suitable mitigation strategies and deploy countermeasures. This also avoid vulnerabilities which might be overlooked in product functional specification.

Fig. 1: Core security functions, principles and activities of NIST Risk Management Framework [22], NIST Cyber Security Framework [8] and NCSC Security of Network and Information System Regulations [10].

The NIST Cyber Security Framework [8] aims to improve the security of critical infrastructure from cyber attacks. It provides a set of guidelines for technology manufacturers to follow and better prepare to handle cyber attacks, particularly where a lack of security standardisation exists. The framework defines five core security functions (identify, detect, protect, respond and recover) to establish, maintain and improve cyber resilience as illustrated in Figure 1.

The primary focus of NCSC Security of Network and Information Systems (NIS) [10] regulation is to respond to rising cyber security challenges faced by public/private organisations and enterprises by minimising the risks of disruption to services caused by the failure of digital technologies. One of the key objectives is to establish and improve cyber resilience of intelligent technologies by identifying and managing risks of potential causes of failure by gaining and establishing an evidence of the caused security breach. For this purpose, the regulation introduces four security principles (managing security risks, protecting against cyber attacks, detecting cyber security incidents and minimising the impact of incidents) as shown in Figure 1.

The discussed frameworks and regulations advocates that it is essential for technology manufacturers and their involved partners, including semiconductor and original equipment manufacturers (OEMs), to manage their risks by implementing appropriate and proportionate embedded security measures for next-generation critical infrastructure.

NSCS NIS NIST CSF Operational Security Cyber Resilient Existing Embedded Security Practices,
[10] [8] Requirements Embedded Security Requirements Methods and Microarchitectures
Asset Management Embedded Security Modelling
Managing     Understand and Assess     Risk Assessment

STRIDE, PASTA, CVSS, DREAD, HARA

Security Identify     Identify Risks     Threat and Security Modelling ❖ IEC 61508, ISO2626 (ASIL A-D), ISO/IEC 15408
Risks     Prioritise and Evaluate     Attack surface identification ❖ Common Criteria, FIPS 140-2, ETSI TVRA
    Comply and Review     Secure-by-design practises ❖ ISO/IEC 27005, SAE J3061, ISO/IEC 27001
Awareness Control Protection Method
Protecting     Protect Data     Chain of Trust Root of Trust, Trusted Technologies, ✪ Secure boot
against Protect     Protection Technology     Data Confidentiality and Integrity ✪ AES, ECC, RSA, EDSA, ECCDSA, SHA, SSL
Cyber attack     Manage & Adopt     Secure Provisioning & Attestation ✪ Digital Certificate, Public-Private Key Infrastructure
    Isolation and Segregation ✪ ARM TrustZone, Intel SGX
Event Discovery Detection Method
Detecting     Discover & Determine     Platform Security Architecture ✪ ARM Platform Security Architecture
Cyber Security Detect     Continuous Monitoring     Trusted Execution Environment ✪ Global Platform, ARM TEE, QSEE, Kinibi
Incidents     Detect Anomalies     Static & Dynamic Flow Integrity ✪ Dover [7], ✹ ARMHEx [32]
    Alert Events     Access Control and Policing ✹ SECA [6]
Response Planning Response Method
    Analyse detected events     Platform Security Manager ✪ Trusted Platform Module
Minimising the Respond     Response Strategy     Physical Security ✪ Side-channel countermeasure
impact of     Mitigation Strategy     Passive countermeasure ✪ Reboot, Reset, Key zeroisation
    Report & Improve     Active countermeasure
cyber security Recovery Planning Recovery Method
incidents     Repair and Update     Roll-back and Roll-forward ✪ Secure Firmware Update, On-the-air update
Recover     Improve and Train     Fault avoidance and tolerance ✪ Single event upset, Parity, Error Correction Codes
    Communicate     Static and Dynamic Redundancy ✪ Hardware/Software redundancy, Process pairs
    Evidence Collection     System Monitoring ✪ Voltage, clock and temperature monitors
  • ❖ International Standard ; ✪ Commercially Available ; ✹ Academic Research Frameworks/Solutions

TABLE I: Association of NIS security principles and CSF core security functions, their respective operational security and derived embedded security requirements for a cyber resilient embedded system. Mapping of existing embedded security landscape on to the driven security requirements is also presented.

Iii Security Requirements of
Cyber Resilient Embedded System

Cyber Resilience in embedded systems can be achieved by identifying the security requirements and incorporating them into the product life cycle. Intrinsically, the discussed Cyber Security regulations in Section II do not render security requirements for cyber resilient embedded system. Instead they yield a blueprint which can be used to articulate and derive security requirements for cyber resilient embedded system. Table I shows the association between NIS security principles and CSF core security functions and their operational security requirements. This includes asset management, awareness control, event discovery, response planning and recovery planning which are used to derive the security requirements of a cyber resilient embedded system. To bridge the research gap between information security and embedded security, the mapping of each driven embedded security requirement onto existing embedded security landscape is presented in Table I.

1⃝ IDENTIFY and manage cyber security risks by conducting asset management which involves detailed understanding of an application use case and respective deployment scenario. This requires decomposition of system components and evaluation of their interactions with internal and external entities to identify their associated risks and threats [13]. This is followed by evaluating and prioritising tasks, where potential damage to the system and its infrastructure for each identified threat.

In embedded domain this process is well established which involves creating an abstraction of the embedded system [21] known as Threat and Security Modelling [12][11]. This builds profiles of a potential attacker, their goals and methods, which then used to define and deploy countermeasures either to mitigate, minimise the impact of the attack or making less attractive for an attacker. Table I list some of the risk and threat assessment modelling methods and international standards. They provide detailed guidelines and specifications to model, implement and comply diverse security in embedded systems.

2⃝ PROTECT against cyber attacks by introducing system awareness control. This required deployment of appropriate data security and protection methods to build a security foundation based on the principles of information assurance [21].

  • Confidentiality: Ensuring that information is disclosed only to intended individuals, entities and processes.

  • Integrity: Maintaining and assuring the accuracy and completeness of information over its life cycle.

  • Availability: Ensuring that information must be available when needed by individuals, entities and processes.

  • Authentication: Ensuring that information is accessible by only authorised individuals, entities and processes.

In the embedded security domain, well-established cryptography-based protection methods have been published as shown in Table I. These protection methods require strong trust anchor to establish and maintain confidentiality, integrity and authentication [21][16][26]. In addition, embedded access control protection methods such as ARM TrustZone and Intel SGX have been widely used to achieve resource isolation and segregation by dividing system into subsystems and isolating their memory spaces.

3⃝ DETECT cyber security incidents using event discovery methods. This requires detection of malicious activity by continuous monitoring of system critical resources and comparing it against the healthy behaviour. Once malicious activity is detected, generate an alert to initiate a mitigation strategy.

In the embedded security domain, there is a significant published literature on signature, anomaly and information flow-based detection methods [32][6] as shown in Table I. Within embedded architectures, these security mechanisms have been deployed at hardware and software layers managed by a Trusted Execution Environment (TEE) [23].

4⃝ RESPOND to detected threats and malicious activities by planning and deploying an effective response and mitigation strategy to limit and reduce the impact of the cyber attack. Machine-to-Machine (M2M) communication is an enabling technology for critical infrastructure [33], which brought serious security challenges to secure, verify and avoid man-in-middle attacks in embedded systems. The existing embedded systems lack the capability to respond against attacks, making a need for active response against attacks a fundamental security requirement for cyber resilient embedded systems. Nevertheless, constantly evolving cyber attacks demand continuous re-evaluation for effective response and mitigation strategies.

Existing embedded security microarchitectures are largely focused on trust-based security and protection. They are limted and provide passive countermeasures such as watchdog timer, brownout reset, voltage and temperature monitoring and anti-tamper. Where, the vast majority system do not have any response mechanism and curtail such attacks using system reboot and reset. Nevertheless, trust management between device manufacturers and service providers is still a formidable challenge [25]. Clearly, there is a strong need for embedded response methods and microarchitectures that fulfil the security requirements of cyber resilient embedded system.

5⃝ RECOVER system data and resources back to the device healthy provisioned state, by repairing, updating and patching the system. However, effective cyber strategy requires identification of the causes and method of system failure by collecting evidence from the compromised system. It allow to establish, conduct and communicate critical administrative tasks with the actors involved, during the system life cycle, to effectively ensure and maintain safety and security of the critical systems.

The existing embedded security architectures are limited to the principles of reliability to achieve recovery, and thus are insufficient to provide a system-level information or evidence that can be used to improve the cyber strategy. They often make use of fault avoidance and fault tolerant design practises by incorporating redundant system resources and roll-back patches to return the system to a healthy state.

The mapping of existing embedded security approaches in Table I clearly indicates a research gap and need for active response and recovery methods. Section IV extends this by discussing challenges and shortcomings of existing embedded security microarchitectures.

Iv Challenges and Shortcomings in existing Embedded Security Micorarchitectures

Embedded Security has been the subject of extensive research in the context of general-purpose computing, signal processing, programmable architectures and communications systems [20], with significant published work on various fine and coarse grained embedded security challenges [20][1][24][19]. Security is often misapprehended by security architects and system designers as the addition of security features to make the system secure. Instead, security is a process that should be considered and managed throughout the life cycle of the embedded system specially for devices deployed in critical infrastructure. Therefore, this section first presents challenges of existing security microarchitectures:

  • The majority of embedded security microarchitectures follow Device Trust Architecture [9]. It is a specification that provides a method to design and develop secure component technologies by building trust and secure services from the boot mechanism to the device operating system and application layer. Hence, the security of the system is strongly reliant on building and maintaining a strong chain of trust [31] which comprises of a series of nested assumptions and as vulnerable as its weakest link. If broken, compromises the security of the whole system. In the commercial domain, Secure Boot is a well established and widely used secure component, which has been found vulnerable [17][35].

  • A lack of clear ownership of device security, insufficient adoption of security-aware practises and an absence of baseline security requirements. Practically design engineers do not perceive themselves accountable for security requirements and effectively embedding them into the device life cycle. This includes a lack of formal security risk assessment, with management of security technology outsourced to third parties for design, development and formalised security patch management process. As a result, this integration of third party services leads to security inconsistencies and vulnerabilities.

These challenges have posed immense need for harnessing security, in compliance with cyber security regulations. This in turn, has compelled embedded security architects to design and deploy defence mechanisms that are often ad-hoc and passive in nature, targeting and mitigating certain attacks or classes of attacks after they have been discovered [18]. This approach may be effective to rectify software vulnerabilities or bugs through a software update, but insufficient to realise effective microarchitecture security which cannot be updated after release. The following are widely adopted embedded security methods has been found vulnerable due too poor usage of secure design practises, software vulnerabilities and microarchitectural weaknesses:

  • Trusted Computing: Trusted software services uses cryptographic digital signatures to verify the integrity of the firmware and applications which has been exploited to gain access to the device [35]. This has occurred due to lack of roll-back prevention, as the system was using the same digital signature to verify the application. A similar attack has been performed against commercial TEE [29].

  • Processor virtualisation and logical isolation of resources: In existing embedded security architectures, processor virtualisation has been used to achieve logical isolation between secure and non-secure system resources. This has been attacked through a covert cache-based attack, resulting in leaking of information using microarchitecture side-channels. The recently demonstrated Spectre [14] attack leverage speculative loads which circumvent access checks to read memory-resident secrets, transmitting them to an attacker using cache timing or other covert communication channels. Meltdown [15] is another microarchitectural attack that exploits out-of-order execution to leak the target’s physical memory. These attacks exploit the fact that both secure and non-secure processes shares the same physical memory resource and pointer. Maene et al. have proposed a data encryption mechanism [16] that allows automatic encryption and decryption of data between the main memory and cache though found infeasible due to large area overhead.

  • Pointer Authentication: To circumvent the microarchitecture side-channel leakage attacks, a pointer authentication mechanism has been introduced [2]. This guarantees the integrity of pointers by extending each pointer with authentication code, allowing verification using special instructions that are part of the code executing on the same physical computing resource and managed by the software. Similarly, to mitigate branch prediction attacks, deployment of separate stacks and their pointer registers has been introduced in ARM Cortex-M33 processors.

  • Vulnerable system communication: A security evaluation of the ARM TrustZone technology has demonstrated that it is possible to modify hardware security attributes and communication bus handshaking signals [3]. This has demonstrated by integrating ARM TrustZone technology with reconfigurable hardware logic.

These microarchitectural weaknesses clearly indicates the need for cyber resilient embedded security microarchitecture that support active detection, response and recovery mechanisms to effectively realise diverse cyber security strategies through the life cycle of an embedded device. To this end, Section V proposes micro-architectural characteristics of a cyber resilient embedded system.

V Microarchitectural Characteristics of
a Cyber Resilient Embedded System

As discussed, there is no active method in existing embedded microarchitectures to establish and maintain the security of a device once its trust is compromised. This leads to exposure of confidential data to the adversary, often without leaving any evidence trail. Considering the derived security requirements of cyber resilient embedded system (Table I), security functionality is not limited to protection. The device must detect malicious cyber activities and attacks, respond against them by deploying active countermeasures and recover system back to its healthy state. These are crucial security requirements for embedded devices deployed in critical infrastructure as well as to facilitate forensic analysis, to study behaviour and method of cyber attacks. Using existing embedded security microarchitectures, this is difficult and implausible to recover data due to lack of continuity of data stream, runtime monitoring and system-level visibility. The following are proposed three core microarchitectural characteristics that shall allow to establish historical system data stream by continuous monitoring of system resources and activities, keeping track of events to achieve system-level visibility:

  1. An Independent Active Runtime System Security Manager shall be responsible for protection, detection, response and recovery security functions while complimenting existing security mechanisms. It shall continuously monitor system resources, use gathered information to detect benign or malicious system behaviour, respond to detected malicious (system or resource-specific) activities by deploying active countermeasures and recover system back to its healthy state. It is crucial that system security manager must be physically independent and isolated so its memory resources from the general purpose processor. This physical limiting of attack surface, will make the system robust and significantly less susceptible to software vulnerabilities and attacks as was in the case of the TEE. As TEE shares the same physical processor and memory resources with the general purpose processor. Effective realisation of this system security manager requires resource-level visibility and monitoring of system’s critical components which leads to the second characteristic.

  2. An Active Runtime Resource Monitors shall actively monitor resource specific behaviour to detect malicious activity and report it to the System Security Manager. These active monitors are essential as embedded architectures are becoming complex, designers are consolidating diverse functionalities into a single application often involves mixing of sensitive data with non-sensitive data and physical actuation. These active monitors shall generate fine-grained resource specific information which would enable the system security manager to articulate, analyse and evaluate system-level behaviours and initiate appropriate response and recovery strategies. In addition, this gathered information would facilitate continuity of data stream and to extract crucial information necessary to establish evidence of the caused security breach.

  3. An Active Response Manager shall be responsible for implementing response and recovery embedded security requirements of a cyber resilient embedded system. It shall actively enforce and execute the response and recovery strategies initiated by the System Security Manager. This involves initiating active countermeasures to mitigate and curtail the detected threat to maintain and ensure security of the system. Moreover, depending on the microarchitecture of the active runtime resource monitors, the active response manager can enforce various system-level security strategies, where a compromised resource can be physically isolated from the system. This would allow opportunities to gracefully degrade the system functionality while maintaining critical services in next-generation critical infrastructure.

A detailed System-on-Chip (SoC) platform architecture [26][27] and security modelling approach [12] that realises the proposed embedded microarchitectural characteristics of a cyber resilient embedded system have been published.

Vi Conclusion

This paper has presented the increasing security challenges and requirements, in light of international cyber security regulations for intelligent connected technologies deployed in critical infrastructure. Embedded security requirements has been derived from these regulations to improve cyber resilience and achieve conformance. The paper establishes a strong need for embedded cyber resilience for smart technologies, due to lack of active detection, response and recovery security functionalities within existing embedded security systems.

This is due to the majority of embedded security technologies being guided by trust, which has been compromised due to a lack of runtime monitoring and system-level visibility of resources and system activities. Therefore, this paper proposed three embedded microarchitectural characteristics, allowing independent active runtime system monitoring and active response functions to enhance, maintain and ensure secure operation during the life cycle of the device.

References

  • [1] N. Apthorpe, D. Reisman, S. Sundaresan, A. Narayanan, and N. Feamster (2017) Spying on the Smart Home: Privacy Attacks and Defenses on Encrypted IoT Traffic. CoRR abs/1708.05044. Cited by: §I, §I, §IV.
  • [2] R. Avanzi (2017-03)

    The QARMA Block Cipher Family. Almost MDS Matrices Over Rings With Zero Divisors, Nearly Symmetric Even-Mansour Constructions With Non-Involutory Central Rounds, and Search Heuristics for Low-Latency S-Boxes

    .
    IACR Transactions on Symmetric Cryptology 2017 (1), pp. 4–44. Cited by: 3rd item.
  • [3] E. M. Benhani, L. Bossuet, and A. Aubert (2019) The Security of ARM TrustZone in a FPGA-based SoC. IEEE Transactions on Computers, pp. 1–1. Cited by: 4th item.
  • [4] Cabinet Office, National security and intelligence, HM Treasury, and The Rt Hon Philip Hammond MP (2016) National Cyber Security Strategy 2016 to 2021. Technical report HM Government, UK. External Links: Link Cited by: §I, §I.
  • [5] M. Choraś, R. Kozik, A. Flizikowski, W. Hołubowicz, and R. Renk (2016) Cyber Threats Impacting Critical Infrastructures. In Managing the Complexity of Critical Infrastructures: A Modelling and Simulation Approach, pp. 139–161. Cited by: §I, §II.
  • [6] J. Coburn, S. Ravi, A. Raghunathan, and S. Chakradhar (2005) SECA: Security-enhanced Communication Architecture. In Proc. International Conference on Compilers, Architectures and Synthesis for Embedded Systems (CASES), New York, NY, USA, pp. 78–89. Cited by: TABLE I, §III.
  • [7] (2016) Dover Architecture: Hardware Enforcement of Software-Defined Security Policies. Technical report Dover Microsystems. External Links: Link Cited by: TABLE I.
  • [8] (2018-04) Framework for Improving Critical Infrastructure Cybersecurity. Technical report National Institute of Standards and Technology (NIST). External Links: Link Cited by: §I, Fig. 1, TABLE I, §II.
  • [9] GlobalPlatform (2018-07) Introduction to Device Trust Archietcture. Technical report GlobalPlatform. External Links: Link Cited by: 1st item.
  • [10] (2018-10) Guidance on implementing the EU Directive on the security of Network and Information Systems. Technical report National Cyber Security Centre (NCSC). External Links: Link Cited by: §I, Fig. 1, TABLE I, §II.
  • [11] M. Hagan, F. Siddiqui, S. Sezer, B. Kang, and K. McLaughlin (2018-12) Enforcing Policy-Based Security Models for Embedded SoCs within the Internet of Things. In Proc. IEEE Conference on Dependable and Secure Computing (DSC), Kaohsiung, Taiwan, pp. 1–8. Cited by: §III.
  • [12] M. Hagan, F. Siddiqui, and S. Sezer (2018-09) Policy-Based Security Modelling and Enforcement Approach for Emerging Embedded Architectures. In Proc. 31st IEEE International System-on-Chip Conference (SOCC), Arlington, USA, pp. 84–89. Cited by: §III, §V.
  • [13] R. Khan, K. McLaughlin, D. Laverty, and S. Sezer (2017-09) STRIDE-based threat modeling for cyber-physical systems. In Proc. IEEE PES Innovative Smart Grid Technologies Conference Europe (ISGT-Europe), pp. 1–6. Cited by: §III.
  • [14] V. Kiriansky and C. Waldspurger (2018) Speculative Buffer Overflows: Attacks and Defenses. CoRR abs/1807.03757. External Links: 1807.03757 Cited by: §I, 2nd item.
  • [15] M. Lipp, M. Schwarz, D. Gruss, T. Prescher, W. Haas, S. Mangard, P. Kocher, D. Genkin, Y. Yarom, and M. Hamburg (2018) Meltdown. CoRR abs/1801.01207. Cited by: §I, 2nd item.
  • [16] P. Maene, J. Gotzfried, T. Muller, R. de Clercq, F. Freiling, and I. Verbauwhede (2018) Atlas: Application Confidentiality in Compromised Embedded Systems. IEEE Transactions on Dependable and Secure Computing, pp. 1–1. External Links: Document, ISSN 1545-5971 Cited by: §III, 2nd item.
  • [17] M. McClintic, D. Maloney, M. Scires, G. Marcano, M. Norman, and A. Wright (2018) Keyshuffling Attack for Persistent Early Code Execution in the Nintendo 3DS Secure Bootchain. CoRR abs/1802.00092. External Links: Link Cited by: §I, 1st item.
  • [18] D. Meng, R. Hou, G. Shi, B. Tu, A. Yu, Z. Zhu, X. Jia, and P. Liu (2018-06) Security-first architecture: deploying physically isolated active security processors for safeguarding the future of computing. Cybersecurity 1 (1), pp. 2. Cited by: §I, §I, §IV.
  • [19] D. Papp, Z. Ma, and L. Buttyan (2015-07) Embedded systems security: Threats, vulnerabilities, and attack taxonomy. In Proc. 13th IEEE Internation Conference on Privacy, Security and Trust (PST), Izmir, Turkey, pp. 145–152. Cited by: §IV.
  • [20] S. Ravi, S. Ravi, A. Raghunathan, P. Kocher, and S. Hattangady (2004-08) Security in Embedded Systems: Design Challenges. ACM Trans Embed. Comput. Syst. (TECS) 3 (3), pp. 461–491. Cited by: §I, §IV.
  • [21] S. Ray, E. Peeters, M. M. Tehranipoor, and S. Bhunia (2018-01) System-on-Chip Platform Security Assurance: Architecture and Validation. Proc. IEEE 106 (1), pp. 21–37. Cited by: §III, §III, §III.
  • [22] (2018-12) Risk Management Framework for Information Systems and Organizations. Technical report National Institute of Standards and Technology (NIST). External Links: Link Cited by: §I, Fig. 1, §II.
  • [23] M. Sabt, M. Achemlal, and A. Bouabdallah (2015-08) Trusted Execution Environment: What It is, and What It is Not. In Proc. IEEE Trustcom/BigDataSE/ISPA, Helsinki, Finland, pp. 57–64. Cited by: §III.
  • [24] D. N. Serpanos and A. G. Voyiatzis (2013-03) Security Challenges in Embedded Systems. ACM Trans. Embed. Comput. Syst. (TECS) 12 (1s), pp. 66:1–66:10. Cited by: §I, §IV.
  • [25] V. Sharma, I. You, K. Andersson, F. Palmieri, and M. H. Rehmani (2019) Security, Privacy and Trust for Smart Mobile-Internet of Things (M-IoT): A Survey. CoRR abs/1903.05362. External Links: Link Cited by: §I, §I, §III.
  • [26] F. Siddiqui, M. Hagan, and S. Sezer (2018-03) Embedded policing and policy enforcement approach for future secure IoT technologies. In Living in the Internet of Things: Cybersecurity of the IoT, pp. 1–10. External Links: Document Cited by: §III, §V.
  • [27] F. Siddiqui, M. Hagan, and S. Sezer (2018-09) Pro-Active Policing and Policy Enforcement Architecture for Securing MPSoCs. In Proc. 31st IEEE International System-on-Chip Conference (SOCC), Arlington, USA, pp. 140–145. Cited by: §V.
  • [28] P. Spark (2017) White Paper: The route to a trillion devices: The outlook for IoT investment to 2035. Technical report ARM. External Links: Link Cited by: §I.
  • [29] (2017-07) Trust Issues: Exploiting TrustZone TEEs. Technical report Google: Project Zero. External Links: Link Cited by: 1st item.
  • [30] U.S. Department of Homeland Security (2016) Strategic Principles for Securing the Internet of Things. Technical report US Government. External Links: Link Cited by: §I, §I.
  • [31] A. Ukil, J. Sen, and S. Koilakonda (2011-03) Embedded security for Internet of Things. In Proc. IEEE National Conference on Emerging Trends and Applications in Computer Science, Shillong, India, pp. 1–6. Cited by: §I, §I, 1st item.
  • [32] M. A. Wahab, P. Cotret, M. N. Allah, G. Hiet, V. Lapôtre, and G. Gogniat (2017-Sep.) ARMHEx: A hardware extension for DIFT on ARM-based SoCs. In 2017 27th International Conference on Field Programmable Logic and Applications (FPL), Vol. , pp. 1–7. External Links: Document, ISSN 1946-1488 Cited by: TABLE I, §III.
  • [33] J. Wan, D. Li, C. Zou, and K. Zhou (2012-10) M2M Communications for Smart City: An Event-Based Architecture. In Proc. IEEE International Conference on Computer and Information Technology, Chengdu, China, pp. 895–900. Cited by: §I, §III.
  • [34] (2018) What is Cyber Resilience?. Technical report IT Governance UK. External Links: Link Cited by: §II.
  • [35] C. Yue, Z. Yulong, W. Zhi, and W. Tao (2017-07) Downgrade Attack on TrustZone. Computing Reseach Repository (CoRR). Cited by: §I, §I, 1st item, 1st item.