Security Pattern has extensive experience in the security domain and has a broad technical proposal in the context of training on cyber security for embedded systems. Therefore, we are the right partner to support our customers with training and courses in the field of cyber security.
We propose various formative modules that aim to increase knowledge in the cyber security context. According to specific needs, they can be assembled and adapted. We can also develop further modules with ad-hoc content, following the customer's needs.
We will provide a copy of the slides used during the training to all participants.
An introduction about the basic concepts of information security is required to understand, evaluate and deal with the context of cybersecurity. In this training module, we introduce the main properties of security and present the cryptographic tools that allow the creation of schemes for information protection. Also the main authentication guidelines that the users and devices need to follow are presented.
Transport Layer Security (TLS) is the protocol employed on the Internet to protect communications. Wi-Fi and Bluetooth are the two most widespread technologies of wireless connectivity. These technologies provide some security schemes, but they have also been subjected to many attacks in the past. In this module, we present the goals of these protocols and the points where they have shown weaknesses.
This training module covers different IoT security vulnerabilities starting from real case attacks that occured on several IoT devices. Leveraging the OWASP Internet of Things Project as reference security framework, we present each class of IoT vulnerability and a real case attack which exploited it. Finally, we suggest several security requirements that aim to mitigate the explored security issue.
In this module we describe the main schemes to protect IoT devices against different types of attacks. We explain the technological solutions offered by the suppliers of SoCs in order to secure an IoT device. We provide an overview of the security primitives available in microcontrollers such as STM32 and ESP32, Bluetooth modules, microprocessors such as NXP i.MX and Microchip’s SAMA5D, Secure Elements from NXP and Microchip.
This module gives an overview of main initiatives in the field of IoT security. For instance, standard 62443-4 (parts 4-1 and 4-2) is presented as a starting point for setting up a cyber security framework. Subsequently, we discuss similarities and differences between the standard ISA/IEC 62443 and other two security standards, specifically designed for network-connectable products: UL 2900 and ETSI 303 645.
This module is based on ISA/IEC 62443 standard, and in particular on tier 62443-4, parts 4-1 and 4-2, defined for the industrial context. It is the reference cybersecurity standard in the field of industrial automation and control systems, also applied in transportation systems. We present the requirements proposed by the standard and the essential ingredients that must be considered to create a secure product.
An essential step to define a strategy of protection for a system, is the modeling of the system and the threats that it is subjected to. The protection strategy must be efficient and proportional to the potential damages that the system may face. We show the concepts needed to create a strategy of risk management, and discuss why this strategy has to be considered as a fundamental element of a security standard.
Writing secure code in C language requires the developers to set up quality control processes, which can be implemented through static analysis tools. These tools are used to check that the implementation is in line with standard rules. In this module, the SEI CERT rules and their motivations are analysed. We also propose an introduction to Rust, a memory safe language, which aims to improve the analysis of code security.
Amazon and Google provide cloud platforms to create complex IoT systems. We analyse their security features and the main differences. Apple HomeKit is an Apple vertical example, which allows the control of home automation devices from the iOS devices. Amazon Alexa is an application for the managing of the vocal assistant, integrated in the embedded systems. For its integration, Amazon sets specific security requirements.
Penetration testing is a manual activity performed by a security expert in order to evaluate the target security. The goal is to find previously unknown vulnerabilities, both in software and hardware. We present the main tasks covered during a penetration testing activity. Specifically, leveraging a vulnerable IoT device, we discuss the methodology and present several practical tools used for analysing an IoT device.
This module focuses on physical attacks, mounted on devices processing secret information. We present side-channel attacks, which exploit information leaked by the devices during computations (e.g. power consumptions and electromagnetic radiations), and fault attacks, which are techniques that stress the device and lead it to improper functioning. Both the attacks aim to gain sensible data or bypass countermeasures.