Have you seen headlines like these lately?: “Skimmer Siphoning Card Data at the Gas Pump” or “Restaurants Sue Vendors After Point-of-Sale Hack.” How about “Insulin Pump Hack Exposes Medical Device Danger” or “Stunex Computer Worm has Vast Repercussions”?
ATMs, point-of-sale (POS) terminals, kiosks, medical equipment, SCADA systems and other embedded devices are being hacked in ever-increasing numbers. That’s because many of these systems are now connected to the Internet and enabled by commercial off-the-shelf (COTS) and open-source hardware, firmware, operating systems, and even application software. Furthermore, these devices are rarely patched for operating system or application vulnerabilities, and they often contain card data as well as customer or patient histories. So, it’s no wonder they are being attacked.
Simple anti-virus doesn’t cut it anymore
Ambitious cyberthugs and rogue employees are using targeted malware and configuration file or registry alterations to get around AV installations. And even well-meaning IT staff and service channel personnel are harming the integrity of systems with unauthorized changes. Embedded device security is anything but assured.
Building security into the manufacturing process
The best way to easily and cost-effectively protect embedded devices in the factory and beyond is to implement a security solution that features application whitelisting and change control technologies. Whitelisting lets you create a dynamic set of applications authorized for the device. A whitelist can be built into the embedded system’s gold image and applied automatically to all devices being provisioned. As for change control, a trust-model approach restricts who can change what, how they can change it, and when it can be changed. Unexpected changes are prevented and logged—and administrators are alerted. No programs or code snippets outside the authorized set can run, and no unauthorized changes can be made—not even Microsoft patches. Plus, an audit trail logs all access attempts and keeps you in regulatory compliance.
The security embedded devices need now
McAfee Embedded Control combines the power of application whitelisting and change control to establish and maintain the integrity of embedded devices for their entire lifecycles. It’s a small footprint, low-overhead, application-independent solution that provides deploy-and-forget security on embedded systems. Simply put, it turns an embedded device into a “black box” with the characteristics of a closed proprietary operating system. No unauthorized programs or changes get past it.
What’s more, McAfee Embedded Control plugs in to ePolicy Orchestrator, the powerful web-based console that enables easy software deployment and automatically manages configurations and policies from a single location. And it lets you monitor events in real time and generate reports automatically
McAfee Embedded Control software keeps embedded devices secure while reducing long-term support costs for manufacturers and their service channels. Anybody (and everybody) who’s concerned about embedded device security should give it serious consideration. To learn more, download this white paper.