Recent news of the VxWorks security breach raises the unsettling question that those of us in the embedded computing industry have grappled with for decades.
How do we secure an embedded operating system from a nefarious attack?
The ICS Advisory (ICSA-19-211-01) released on July 30th by the Cybersecurity and Infrastructure Security Agency (CISA) is chilling to read. According to the documentation, VxWorks is “exploitable remotely” and requires “low skill level to exploit.” Elaborating further, CISA risk assessment concludes, “Successful exploitation of these vulnerabilities could allow remote code execution.”
The potential consequences of this security breech are astounding to measure, particularly when I look back on my own personal experiences in this space, and now as an Account Executive for Embedded Systems here at SUSE.
Security is Paramount
My first two decades in the embedded industry was focused on aerospace and defense computing: A network of stove-piped, single-function, single-purpose platforms functioning on proprietary operating systems. Non-deterministic desktop options – such as Windows and Linux – were regarded with caution in my world of mission-critical, hard real-time monitoring and control functions. Latency and jitter were measured in microseconds, and lives depended on bandwidth efficiency from the sensor to the processor to the warfighter.
At the time, VxWorks was the standard go-to OS in the majority of the embedded production platforms I worked with. It was an ideal way to replace the legacy stove-piped platforms with an Open Architecture (OA) COTS solution. In light of the recent CISA warning, however, it is concerning to know that many of those affected systems processed highly-classified intelligence data at home and abroad.
With the continued rise of AI, machine learning, and IoT workloads and devices, the total amount of worldwide data is expected to swell to 175ZB by 2025, and the level of critical security once reserved for military embedded systems is now relevant cross-industry. From autonomous vehicles to retail POS to medical devices, complex embedded systems must be hardened and fail-operational, whether it’s on-premise or in the cloud. Everything is critical, from business intelligence and analytics to personal information.
The VxWorks security breech obliges embedded developers to consider their options and make OS security a top priority with proven vendors. With more than 200 million devices affected by the critical flaws recently discovered in VxWorks, the time is right to weigh the advantages of market-ready alternatives. With more than 25 years of experience in Linux and Open Source technology, SUSE provides a powerful alternative to proprietary systems, with secure, embedded operating systems. Based on an Open Architecture, SUSE Embedded delivers development and support services, a stable and hardened kernel, and real-time security with full transparency into code fixes, patches and updates.
If the recent news about VxWorks has reinvigorated your focus on security, drop a line to our team or connect with me on LinkedIn, and let’s talk about the challenges or successes you’ve encountered. We strive to earn the trust and respect of everyone we work with by listening to, and learning from end-users. It’s at the core of the open, open mentality we thrive on at SUSE.