• Skip to primary navigation
  • Skip to main content
  • Skip to primary sidebar
  • Skip to footer

Microcontroller Tips

Microcontroller engineering resources, new microcontroller products and electronics engineering news

  • Products
    • 8-bit
    • 16-bit
    • 32-bit
    • 64-bit
  • Applications
    • 5G
    • Automotive
    • Connectivity
    • Consumer Electronics
    • EV Engineering
    • Industrial
    • IoT
    • Medical
    • Security
    • Telecommunications
    • Wearables
    • Wireless
  • Learn
    • eBooks / Tech Tips
    • EE Training Days
    • FAQs
    • Learning Center
    • Tech Toolboxes
    • Webinars/Digital Events
  • Resources
    • Design Guide Library
    • DesignFast
    • LEAP Awards
    • Podcasts
    • White Papers
  • Videos
    • EE Videos & Interviews
    • Teardown Videos
  • EE Forums
    • EDABoard.com
    • Electro-Tech-Online.com
  • Engineering Training Days
  • Advertise
  • Subscribe

Minimizing cyber threats via testing and evaluation

April 8, 2021 By Lee Teschler Leave a Comment

Few connected products have gone through independent testing and evaluations that could head off security problems during their use.

Wayne Stewart, Cyber Security, Canada • Intertek
It has become a truism that cyber security is one of the most significant risks for manufacturers today. These risks have the potential to cause a great deal of damage; identifying potential risks, security breaches and managing the aftermath all require valuable time and resources.

intertekYet many connected products today have not been designed with cyber security in mind. Even fewer have gone through independent testing and evaluations. Connectivity is often introduced as an add-on or upgrade to existing products not originally designed for the online world. For connected products, and at every stage of the product’s lifespan, proactive cyber security measures are a must. These measures include a risk management strategy for product design and development through manufacture and release, independent security testing, and security updates after products are introduced.

Cybersecurity testing and certification can help minimize cybersecurity risks, ensuring a successful and timely product launch. These steps can also be valuable tools in marketing products and assets because they help build a manufacturer’s reputation as a provider of secure products. To size up a product for cybersecurity risks, it is important to first understand the cybersecurity landscape and the most important threats.

Cyber threats

In the connected world, multiple points of entry provide pathways to increasingly sophisticated and complex attacks. There are many threats that developers and designers should consider when designing a connected product.

Malware: This is the most frequently encountered threat in today’s cyber landscape. Malware includes executable code, scripts, active content, and other software designed to damage a computer, server or network. Primary malware targets are vulnerable software products, non-secure devices, and users.

Phishing: Accounting for nearly 90% of social attacks, phishing is fraudulent outreach designed to trick targets into sharing sensitive information via electronic communication or social media. In addition to this initial security breach, most successful phishing attacks are followed by malware installation.

Viruses: This malicious software replicates itself by modifying other programs and inserting its own code, subsequently “infecting” a device or software. Viruses can cause system failure, corrupt data, waste virtual resources, increase costs or steal data and information. Viruses have been known to cause billions of dollars in damages.

Botnets: A botnet is a network of connected devices that have been compromised with malware. It is used to perform distributed attacks, steal data, send spam, or allow attackers to access devices and/or connections. A large percentage of IoT devices have been vulnerable to attack and, when compromised, have become unwitting participants in large botnets.

Denial of Services (DoS): A specific attack where the perpetrator seeks to make a device or network unavailable by disrupting services of a connected host. This type of attack is becoming more widely used, growing in frequency, size and duration, with numerous high-profile incidents in the past year.

Ransomware: Ransomware software holds data or systems “hostage” unless a ransom is paid. Incidents of ransomware are on the rise, with healthcare providers and critical infrastructure being particularly vulnerable to this type of attack.

Web-based Attacks: As implied by its name, these incidents are committed via exploiting security holes created through outdated web browsers and compromised websites and applications. They can be used to harvest data or infect systems.

Stolen Devices: Loss or theft of unencrypted devices can provide criminals easy access to personal information, leading to breaches and security risks.

A number of factors can further exacerbate cybersecurity risks. For example, tactics using higher technology, like artificial intelligence and machine learning, reduce the effort needed to attack and exploit products and networks. Likewise, higher-volume attacks intensify cyber risks through increased frequency and processed data. Finally, a shortage of skilled IT experts can make it difficult to respond to the increasing number, scale, and complexity of attacks.

Recently, we have seen targeted attacks that used compromised development systems in one company’s network to launch sophisticated malware deployed in the environments of their customers. The compromised systems were then used as platforms to infiltrate other sensitive networks, including government systems.

Products that are secure make it more difficult to breach other connected devices. Thus secure products help reduce damage as well as the time and resources needed to deal with the aftermath.

There are several options available to help ensure the cybersecurity of a connected product. These include testing against established standards and certification schemes. Additionally, voluntary testing can assure that products are designed and built with security in mind and implement best security practices.

Compliance and standards-based testing

Numerous standards can be used to assess connected devices. Applicable standards will vary based on product type. Some are appropriate only for consumer products while others apply only in quite different settings. So it is important to understand which standards apply and which certifications may be required for specific markets. Here are a few standards that apply to broad categories of connected products:

Common Criteria, also known as ISO 15408, is an international standard designed to specify and measure IT security through functional and assurance requirements, as well as product and system specifications and evaluation. Typically applied to the Information and Communication Technology (ICT) product category, Common Criteria certification is recognized by more than 30 countries, including the U.S., Canada, and many countries within the EU. It is recommended for IT product developers marketing products to government entities and for critical infrastructure.

In cryptography, Federal Information Processing Standard (FIPS) 140 is a U.S. standard also recognized in Canada. It has gained world-wide recognition as the de facto standard and certification for secure cryptographic implementations. Any products providing cryptographic services to the U.S. government or federal entities must be validated to FIPS 140. And it is recommended for products used by the Canadian federal government.

Payment assurance applications include pin-entry devices, encrypting pin pads, unattended payment terminals, secure card readers and hardware security modules used for payment. Payment assurance methods must be tested to schemes from various organizations, including the Payment Card Industry (PCI). These schemes ensure that products protect the buyer’s data. Testing includes physical security testing as well as network and unauthenticated application-level tests on systems and products. The payment space is evolving and now security testing and certification is also possible for mobile payment solutions under the PCI Secure PIN on COTS (SPoC) and Contactless PIN on COTS (CPoC) standards.

When it comes to the internet of things, the IEC 62443 and UL 2900 families of standards apply to connected products (e.g. IoT) used in the home. But they also apply for commercial settings, medical devices; and security and life safety signaling systems, such as alarm systems, locks, smoke detectors and similar devices.

Other standards such as ETSI EN 303 645 (Cyber Security for Consumer Internet of Things) uniquely target consumer products and are built upon a widely accepted security baseline. There are also private certification schemes such as Intertek’s Cyber Assured program. This scheme helps manufacturers clearly demonstrate a product’s security (covering the device, app and cloud) to consumers. It also provides security over the life of the product by continuously monitoring new emerging risks.

ISO 27001 is an internationally recognized standard covering the people, processes, technologies, and facilities used in daily activities. The process to prepare for compliance includes conducting a gap analysis, the creation and implementation of an Information Security Management System. Organizations using a risk management system focused on information security are eligible for certification under this standard.

Assurance testing

Standards are just one way to assess connected products. Optional assessments conducted by testing based on industry best practices can assure that a product is secure and resilient. Often, these are voluntary evaluations that provide peace of mind and enhance a product’s appeal. These evaluations–which include vulnerability assessments, penetration testing, design review, privacy impact and threat risk assessments–should take place independently from the teams responsible for product development.

Vulnerability assessments (VAs) can evaluate a product’s susceptibility to known weaknesses and vulnerabilities. A VA uses specialized tools and detailed examination of application functions to test systems, networks, and cloud-based services. VAs can also include specific assessments to expose weak implementations of well-known communication protocols and applications. These assessments undertake comprehensive auditing and device testing in the context of a product’s intended environment to understand the risks.

Penetration testing, also known as ethical hacking, provides an attacker’s perspective, with experts attempting to infiltrate networks, systems, products, and applications. This approach results in a detailed report identifying exploitable vulnerabilities and recommended mitigation, as well as strengths and weaknesses.

Security design reviews study cybersecurity early in the design process. An early review is more economical and efficient than trying to add security later in the process. Regularly assessing security controls or network design for effectiveness and adequacy throughout the design phase will help to ensure product security.

Privacy impact assessments provide a detailed review of organizational or product privacy policies and controls to ensure compliance to legislation and security standards. Besides addressing the risks to privacy or privacy-related security they also identify mitigation protocols.

A threat risk assessment identifies assets that must be protected, the value of those assets, and associated threats/vulnerabilities. The assessment considers the impact of damage or loss and, most importantly, how to mitigate exposure or damage. A typical assessment will deliver a prioritized list of issues to be addressed.

The development of any connected device should follow best practices and industry-specific standards. It is important to include security throughout the development cycle. Adding security after the fact is rarely effective and always costs more. The product should be designed to be intrinsically secure. It is important to define all security requirements, including the types of possible threats and product vulnerabilities. Then, consider what safeguards to implement. Test throughout the development process to ensure you are not introducing security risks along the way.

Independent testing and security certification illustrate compliance with regulatory or industry requirements. An independent opinion confirms that controls are working as intended. It also outlines road maps for security improvement, improved operating processes and identification of key business assets.

All and all, the creation of a connected device can be challenging in a world where technology continues to evolve at a rapid pace. It is critical to illustrate that adequate measures are in place to ensure the protection, integrity and resilience of products, systems, information, and data. A proactive approach to leverage existing standards and undertake additional assurance assessments can mean the difference between a success and a failure.

You may also like:

  • router security
    Worst suspicions confirmed: The terrible security of internet routers
  • BLE hacks
    Breaking BLE — Vulnerabilities in pairing protocols leave Bluetooth devices…
  • RF won't hurt you
    No, IoT RF radiation won’t cause a pandemic
  • lidar
    A better way to measure LiDAR
  • flash
    Flash memory keeps cars connected

Filed Under: Applications, FAQ, Featured, IoT, Security Tagged With: FAQ, intertek

Reader Interactions

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

Primary Sidebar

Featured Contributions

Five challenges for developing next-generation ADAS and autonomous vehicles

Securing IoT devices against quantum computing risks

RISC-V implementation strategies for certification of safety-critical systems

What’s new with Matter: how Matter 1.4 is reshaping interoperability and energy management

Edge AI: Revolutionizing real-time data processing and automation

More Featured Contributions

EE TECH TOOLBOX

“ee
Tech Toolbox: Internet of Things
Explore practical strategies for minimizing attack surfaces, managing memory efficiently, and securing firmware. Download now to ensure your IoT implementations remain secure, efficient, and future-ready.

EE Learning Center

EE Learning Center

EE ENGINEERING TRAINING DAYS

engineering
“bills
“microcontroller
EXPAND YOUR KNOWLEDGE AND STAY CONNECTED
Get the latest info on technologies, tools and strategies for EE professionals.

RSS Current EDABoard.com discussions

  • Antiparallel Schottky Diodes VDI-Load Pull
  • interfacing gsm and gps in proteus
  • 12VAC to 12VDC 5A on 250ft 12AWG
  • What is the purpose of the diode from gate to GND in normal Colpitts oscillator Circuits?
  • My array have wrong radiation pattern

RSS Current Electro-Tech-Online.com Discussions

  • Actin group needed for effective PCB software tutorials
  • Kawai KDP 80 Electronic Piano Dead
  • Doing consultancy work and the Tax situation?
  • How to repair this plug in connector where wires came loose
  • Lightbox circuit

DesignFast

Design Fast Logo
Component Selection Made Simple.

Try it Today
design fast globle

Footer

Microcontroller Tips

EE World Online Network

  • 5G Technology World
  • EE World Online
  • Engineers Garage
  • Analog IC Tips
  • Battery Power Tips
  • Connector Tips
  • DesignFast
  • EDA Board Forums
  • Electro Tech Online Forums
  • EV Engineering
  • Power Electronic Tips
  • Sensor Tips
  • Test and Measurement Tips

Microcontroller Tips

  • Subscribe to our newsletter
  • Advertise with us
  • Contact us
  • About us

Copyright © 2025 · WTWH Media LLC and its licensors. All rights reserved.
The material on this site may not be reproduced, distributed, transmitted, cached or otherwise used, except with the prior written permission of WTWH Media.

Privacy Policy