The 2018 Embedded Systems Safety & Security Survey was completed by more than 1,700 qualified respondents and is designed to gauge the state of worldwide product development practises of embedded systems engineers.
With the growing number of hacks and cyberattacks threatening IoT devices, Barr believes this result should serve as a warning that security breaches and attacks will continue to plague the embedded system industry in the short-term future.
Based on survey data from 2018 as well as results from prior years, the embedded industry is showing modest improvement when it comes to making security a design consideration during product development, rising from 6% in 2016 to 67% in 2018. However, last year's survey generated 2,000 responses from engineers around the world, compared to this year's 1,700.
“Prioritising security in every Internet-connected embedded device is essential to maintaining the integrity of the IoT,” said Barr’s CTO, Michael Barr. “As also indicated by our survey, for both new Internet-connected and non-internet-connected projects, developers are increasingly designing applications that use more than 4 CPUs per system. These complex systems significantly increase the potential attack surface and are inherently more difficult to secure. Failing to focus on security during the design process, especially for Internet-connected devices, may be putting the entire network and potentially the devices’ end users at risk.”
Further compromising the state of IoT security, the survey results reveal that engineers developing IoT devices are still neglecting to implement industry-recommended design practices known to raise security levels of embedded systems. According to Barr’s survey, among the engineers designing internet-connected devices:
- 54% lack regular code reviews
- 49% fail to perform static analysis
- 33% lack a written coding standard
- 17% lack a bug database
The survey also found that fewer than half of all embedded engineers designing for the IoT encrypt their data.
Last year's report noted that 'a lot of what needs to be done is well understood and easy to implement. What appears to be lacking is motivation.' And it appears that this year has seen modest improvement. In comparison last year it was reported that 17% of the subset didn’t use coding standards, 25% didn’t use code reviews – with a further 16% replying ‘maybe’ – and 32% didn’t use static analysis.
However, Barr believes these results are still ‘highly concerning’ and that there is 'a lot more work to do', despite the modest increase in focus on embedded systems security during product design.
The final analysis will be unveiled on February 27, 2018 at Embedded World.