This document presents an analytical review of cybersecurity for embedded systems (CSES), identifying twelve key factors that influence cybersecurity in this domain. It discusses the unique challenges posed by the characteristics of embedded systems, such as limited resources, and proposes a Multiple Layers Feedback Framework of Embedded System Cybersecurity (MuLFESC) to enhance security measures. The study aims to provide a comprehensive understanding of CSES to improve security solutions against cyber-attacks in various applications, particularly in the context of the Internet of Things (IoT).


Received November 22, 2020, accepted December 3, 2020, date of publication December 21, 2020, date of current version January 5, 2021.

Digital Object Identifier 10.1109/ACCESS.2020.3045972

Analytical Review of Cybersecurity for Embedded Systems

ABDULMOHSAN ALOSEEL¹, HONGMEI HE¹ (Senior Member, IEEE), CARL SHAW², AND MUHAMMAD ALI KHAN¹
¹ School of Aerospace, Transport and Manufacturing (SATM), Cranfield University, Bedford MK43 0AL, U.K.
² Cerberus Security Laboratories Ltd., Bristol BS34 8RB, U.K.
Corresponding author: Abdulmohsan Aloseel ([email protected])
This work was supported by School of Aerospace, Transport and Manufacturing (SATM), Cranfield University, Bedford MK43 0AL, U.K., under Grant EMJ1001E.

ABSTRACT To identify the key factors and create the landscape of cybersecurity for embedded systems
(CSES), an analytical review of the existing research on CSES has been conducted. The common properties
of embedded systems, such as mobility, small size, low cost, independence, and limited power consumption
when compared to traditional computer systems, have caused many challenges in CSES. The conflict
between cybersecurity requirements and the computing capabilities of embedded systems makes it critical
to implement sophisticated security countermeasures against cyber-attacks in an embedded system with
limited resources, without draining those resources. In this study, twelve factors influencing CSES have
been identified: (1) the components; (2) the characteristics; (3) the implementation; (4) the technical domain;
(5) the security requirements; (6) the security problems; (7) the connectivity protocols; (8) the attack surfaces;
(9) the impact of the cyber-attacks; (10) the security challenges of the ESs; (11) the security solutions; and
(12) the players (manufacturers, legislators, operators, and users). A Multiple Layers Feedback Framework of
Embedded System Cybersecurity (MuLFESC) with nine layers of protection is proposed, with new metrics of
risk assessment. This will enable cybersecurity practitioners to conduct an assessment of their systems with
regard to twelve identified cybersecurity aspects. In MuLFESC, the feedback from the system-components
layer to the system-operations layer could help implement “Security by Design” in the design stage at
the bottom layer. The study provides a clear landscape of CSES and, therefore, could help to find better
comprehensive solutions for CSES.

INDEX TERMS Characteristics of embedded system, countermeasures, embedded system, cybersecurity of embedded system, MuLFESC, risk assessment.

I. INTRODUCTION

The embedded system (ES) concept, in its simplest form, is manifested when a processing unit is integrated into a larger physical system to steer its functions. For decades, ESs have gone through different stages of development until they have reached what they are today. The capabilities of ESs evolved in conjunction with several key technologies. The most common technologies are integrated circuits (ICs), such as Field Programmable Gate Arrays (FPGAs) and Application Specific Integrated Circuits (ASICs). The difference between FPGAs and ASICs lies in the fact that FPGAs are reconfigurable, whereas ASICs must be pre-configured for the purpose for which they are manufactured. During the course of embedded system development, the inclusion of Programmable Logic Controllers (PLCs), microcontrollers, and microprocessors played a vital role in advancing the capabilities of ESs, allowing them to be employed in a wide variety of applications. With the development of the Internet of Things (IoT), ESs have shown great potential in IoT network connected systems, and their capabilities have been increasingly improved, moving closer to those of traditional IT systems.

Technology is experiencing significant development because of the expansion of Cyber-Physical Systems (CPS), or IoT-enabled CPS. In all application domains of IoT-enabled CPS, such as Smart Cities, Supervisory Control and Data Acquisition (SCADA) systems, healthcare, transportation, communication, military, unmanned vehicles, smartphones, smart grids, gas distribution systems, avionics, and wearable devices, ESs have played significant roles in sensing, computing, and controlling.

The associate editor coordinating the review of this manuscript and approving it for publication was Sedat Akleylek.

This work is licensed under a Creative Commons Attribution 4.0 License. For more information, see https://creativecommons.org/licenses/by/4.0/
VOLUME 9, 2021 961
A. Aloseel et al.: Analytical Review of Cybersecurity for Embedded Systems

The IoT and its cyber-physical environment bring great benefits by connecting people, processes, and data. However, IoT-enabled systems can be threatened by a wide variety of cyber-attacks from criminals, terrorists, and hacktivists [1]. Connecting all devices to the Internet and using off-the-shelf solutions is causing the vulnerabilities of CPS to grow [2]. If we look at what damage cyber-attacks can cause to traditional computer systems despite their computing capabilities, we will recognize the scale of the challenge that faces ESs, with their limited capabilities, when dealing with these cyber-attacks. The high profile WannaCry ransomware attacks in May 2017 showed how victims could be prevented from using their computers or accessing their data. The UK, Spain, Russia, Ukraine, and Taiwan were among the affected countries, with vital data, including confidential medical records, being held to ransom [3]. In another example, a malicious actor infiltrated a German steel facility in 2014. The adversary used a spear-phishing email to gain access to the corporate network and then moved into the plant network, resulting in massive physical damage [1], [4], [5]. Cyberattacks clearly have the potential to disrupt or damage physical systems in various application domains mentioned above [1], as the previous developers did not take cybersecurity into account in the design of ESs.

With connectivity to the Internet, ESs are more vulnerable to cyberattacks than ever before and with their limited resources, the problem is exacerbated. In addition, the many influencing factors and involved parties that should be taken into account make it difficult to determine where deficiencies lie in security measures. Therefore, the study of CSES needs to consider the application context, and advanced and comprehensive ESs security solutions are necessary because of their crucial roles in a diversity of domains.

This survey aims to identify the security challenges and gaps in CSES by determining the influencing factors and related parties, thereby assessing the current status of countermeasures and security solutions against cyber-attacks. To appraise the factors that could affect cybersecurity, we need to understand the structure of the embedded system, its hardware and software components, security objectives, and the vulnerabilities that an attacker can exploit, as well as the role of the related parties, including manufacturers, operators, users, and legislators. In this way we can draw the overall landscape of the CSES to help find better solutions.

The remaining part of this paper is divided into five main sections. Section II addresses the concept of ESs, their characteristics, and related terminologies, as well as the problems that are a result of the limitations imposed by those characteristics. In Section III, the security challenges facing ESs as a result of security requirements and, in contrast, their capabilities are discussed. In Section IV, cybersecurity is addressed in relation to security objectives, countermeasures, and risk management. In Section V, security risk metrics, involved parties in CSES and the factors in the cybersecurity industry and the Multiple Layers Feedback Framework of Embedded System Cybersecurity (MuLFESC) are presented. Finally, Section VI concludes the findings of the review.

II. EMBEDDED SYSTEMS

In the continuous pursuit of humankind to improve quality of life, techniques, and knowledge to meet the aspirations and needs of people, one of the most revolutionary aspects appeared in the field of technology when inventors tried to integrate computing operations into physical systems to enable predefined functionality—so-called “Embedded Systems.” During this evolutionary period, significant advances were made in various fields such as industry, health, aviation and communications. The difference between these systems and traditional computers and servers is that they are, as a subsystem, integrated into a larger physical system to perform a specific, essential function. In contrast, computers and servers are designed for multiple purposes, of which computational operations for data processing are the main purpose.

There are many definitions of ESs based on different perspectives. As Vahid and Givargis [6] stated, it is not easy to provide a precise definition of embedded computing systems, or simply embedded systems, and they stated that “an embedded system is a computing system built into a larger system, designed for dedicated functions. It consists of a combination of hardware, software, and optionally mechanical parts. Thus, the term refers to any computing systems other than general-purpose PC or mainframe computers.” [7]. It is noticeable that the main criterion in calling a system an embedded system is the embedding of a processing unit or the integration of computational functionality within a larger physical system to steer the functions of that CPS. Thus, naming an embedded system does not depend on a specific type of logic circuit, CPU, or architecture.

A. ARCHITECTURE OF AN EMBEDDED SYSTEM

Understanding the construction of the embedded system in terms of entry points and the attack surface leads us to predict which aspects should be protected from the risks of cyberattacks. The field of ESs is vast. Due to the widespread application of ESs in different technical domains, the design of the architecture of ESs in different applications is not limited to a particular form. Manufacturers seek to configure the design to fit the purpose it was designed for. An embedded system is typically comprised of CPU, RAM, ROM, and input/output ports [8]. Also, the embedded system CPU can be constructed with instruction cache and data cache or without the I/D caches to keep the CPU architecture simpler and less expensive. To support information exchange or communication, the bus system of an embedded system includes the system bus and the local bus. Figure 1 depicts the typical architecture of ESs. The CPU is the heart of an embedded system, but other components must be added, such as memory and peripheral interfaces, in order to construct the embedded system.


FIGURE 1. Typical architecture of embedded system.

Designs range from small electronic circuits, through microcontrollers with a small number of transistors and the capacity of 8 bits, to multiple core 64-bit microprocessors with speeds over 1 GHz. Various application-specific CPU implementations and architectures are also used, such as FPGA soft or hard cores, digital signal processors (DSPs), or even recent cores optimized for machine learning. This leads us to an important term, System on Chip (SoC): an integrated circuit (IC, also known as a “chip”) that integrates all components of a computer, in addition to the digital and analogue interfaces. A SoC can be built based on a microcontroller or microprocessor, depending on the purpose of the application. An embedded system can exchange information with external devices through I/O ports. To exchange information remotely, an ES usually is connected to a communication subsystem. The power subsystem provides the power to the components of the ES, with many being battery-powered.

There are various types of embedded systems currently on the market. For example, Raspberry Pi is a series of small, inexpensive, single-board computers (SBCs) developed in the UK by the Raspberry Pi Foundation; Beaglebone is a low-power, open-source SBC produced by Texas Instruments in association with Digi-Key and Newark element14; and Jetson Nano is a small, powerful computer for embedded applications and AI IoT that delivers the power of modern AI in a module. These SBCs have been used widely in education, experimentation, and innovation projects. Süzen et al. [9] provided a benchmark analysis study addressing this category of systems.

B. THE ROLE OF ESs

When discussing embedded systems, it is necessary to know the relationship and difference between embedded systems and some terminologies, such as CPS and IoT. In 2006, the term “CPS” was coined by Helen Gill from the National Science Foundation (NSF). According to [10], “The term of cyber-physical systems refers to the tight conjoining of and coordination between computational and physical resources”. One of the essential characteristics that shape the cyber-physical system concept is the ability to interact with the physical world via actuators or sensors. Whereas a cyber-physical system interacts with the external physical world, the responsibility of computational operations lies on the embedded system to steer the physical parts to perform its predefined functions. An embedded system is a co-design of hardware and software. The architecture of the hardware system is shown in Figure 1. The software system of an embedded system consists of the Operating System (OS) and applications [1], [11]. One of the differences between embedded systems and conventional computers is that they are designed to perform specific functions and they are integrated into a larger physical system. Sensors are used to sense the external environment, and actuators are used to steer the larger physical system. From this point of view, the embedded system is, as a computing unit, added to a physical system to shape the concept of the cyber-physical system [11], [2], [12], as shown in Figure 2.

FIGURE 2. Relationship between embedded systems and cyber-physical systems [11], [2], [12].

Therefore, CPS is the result of the combination of information processing and the physical environment by using computing processing. Similarly, in [5], [13], “Cyber-physical systems are integrations of computation and physical processes.” [12] The European Commission [14] also defined the concept of cyber-physical systems as “the next generation of embedded ICT systems that are interconnected and collaborated through the Internet of things and provide citizens and business with a wide range of innovative applications and services.” Another definition of CPS is given in [15]: “A system is comprised of a set of interacting physical and digital components, which may be centralized or distributed, and provide a combination of sensing, control, computation and networking functions, to influence outcomes in the real world through physical processes.”

Industrial Automation and Control Systems (IACS) and Industrial Control Systems (ICS) are other types of CPS [15]. They are further associated with two concepts, Industry 4.0 and Industrial Internet of Things (IIoT), between which there exists an overlap. “Industry 4.0” was initially coined by the German government as part of its “High-Tech Strategy 2020” in 2010 and is all about connected value chains—connecting and automatically integrating things and processes to form cyber-physical systems [16]. Within the modular structured smart factories of Industry 4.0, CPS monitor physical processes, create a virtual copy of the physical world and make decentralized decisions. With IoT technologies, CPSs communicate and cooperate with each other and with humans in real time. Via the Internet of Services (IoS), both intra- and inter-organizational services are offered and utilized by participants of the value chain [15]. IIoT, first mentioned by General Electric, is a subset of IoT. It leverages the power of smart machines and real-time analytics to take advantage of the data in industries such as manufacturing, transportation, energy and health care, thereby enhancing the productivity and reliability of communication and control in mission-critical applications for transformational business outcomes [15], [17].

In addition, there are two other terms: Distributed Control System (DCS) and Supervisory Control and Data Acquisition (SCADA). A DCS is a computerized control system for a process or plant, usually with many control loops, in which autonomous controllers are distributed throughout the system but there is no central operator supervisory control. SCADA is a system comprised of software and hardware to control and monitor a process or application. It allows an operator in a local center to monitor widely distributed processes (e.g., an oil or gas field, pipeline system, or hydroelectric generators), make set-point changes on distant process controllers (e.g., opening or closing valves or switching), observe alarms, and gather measurement information [4], [15], [18]. Figure 3 depicts the abstract relations between all the concepts mentioned above.

FIGURE 3. The relations between all relevant concepts.

From Figure 3, it can be seen that embedded systems (ES) are the core component in all of these concepts. Therefore, securing ESs is very important in all application domains.

C. CHARACTERISTICS AND LIMITATIONS OF ES

Embedded systems have been applied in broad fields. In addition to their use in the daily life of individuals, such as cell phones, tablets, and wearable products, ESs have been used in various application domains. For example, in smart home applications they are used to implement surveillance cameras, remote control, cooling systems and temperature control or thermostat systems. The applications of ESs can be extended for governments, organizations, companies, institutions, national infrastructures, in transportation, or to implement the future trend towards smart cities. In terms of their application conditions, embedded systems usually have such characteristics as low power consumption, small size, specific functionality, remote accessibility, unmanned operation, real-time performance, and low cost. These characteristics of ESs demonstrate their superiority over conventional computers in pervasive and ubiquitous computing. However, the connectivity of ESs to the Internet exposes them to the same cyber threats as conventional computers. ESs are characterized as remotely unmanned operation devices, and the nature of ESs, and the fact that they operate without human intervention, increases the chances of an attacker exploiting vulnerabilities to penetrate these systems. Sometimes, embedded systems are required to operate in harsh environmental conditions or under autonomous control where they are far from human supervision, increasing the potential for unauthorized physical access to these systems. This is a fundamental security problem for most IoT devices. Hence, if the attacker gains a fully unauthorized physical access to the system, the confidentiality, integrity, and availability of the system could be breached. As a result, a new challenge has emerged: how to ensure that the security goals of the system are maintained under these circumstances. The resource limitations of ESs pose tight constraints on both communication and computing capacity [19]. Moreover, the resource constraint problem [13] has given rise to many challenges in creating advanced security solutions for ESs and makes it difficult to meet their cybersecurity requirements. As stated by Meshram and Sasankar [20], “the limited processing power implies that an embedded system typically cannot run applications for defending against attacks as in conventional computer systems (e.g., virus scanner),” and the limited energy also prevents the implementation of advanced security measures. The limited computing resources of ES cannot support complex security schemes [21]. Several studies have addressed characteristics of ESs such as low power consumption and limited computing power in terms of CPU and memory data processing, not only with regard to the system performance requirements but also the problems and weaknesses of securing ESs [22], [23]. The study in [24] addressed the relationship between the characteristics and the problems of an embedded system in implementing IoT devices. Hence, the capabilities of ESs face the challenge of meeting the requirements of advanced security solutions. Table 1 summarizes some of the limitations of ESs due to their characteristics, and Table 2 presents some of the security problems resulting from these limitations.
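
The limited energy described above is also the resource that the exhaustion attack of Section III-A aims to drain. The following C code is an added example, not taken from the paper: a token-bucket energy budget that caps what network-triggered work may spend while holding back a reserve for the device's own function. The operation costs, budget figures and all names are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Operations a constrained device can be asked to perform. The energy
 * costs (microjoules) are constructed values, not measurements. */
enum op { OP_SENSOR_READ, OP_RADIO_TX, OP_CRYPTO_HANDSHAKE, OP_COUNT };
static const uint32_t op_cost_uj[OP_COUNT] = { 50, 400, 1500 };

/* Who triggered the operation: the device's own control loop, or a
 * network peer that cannot be assumed to be well behaved. */
enum origin { ORIGIN_LOCAL_CRITICAL, ORIGIN_REMOTE };

struct energy_budget {
    uint32_t capacity_uj;      /* most energy that may be banked           */
    uint32_t refill_uj_per_s;  /* sustainable average draw                 */
    uint32_t reserve_uj;       /* floor that remote requests may not touch */
    uint32_t tokens_uj;        /* energy currently available to spend      */
    uint32_t last_refill_s;    /* timestamp of the last refill             */
    uint32_t denied;           /* refused requests: a cheap alarm signal   */
};

void budget_init(struct energy_budget *b, uint32_t capacity_uj,
                 uint32_t refill_uj_per_s, uint32_t reserve_uj,
                 uint32_t now_s)
{
    b->capacity_uj = capacity_uj;
    b->refill_uj_per_s = refill_uj_per_s;
    b->reserve_uj = reserve_uj;
    b->tokens_uj = capacity_uj;
    b->last_refill_s = now_s;
    b->denied = 0;
}

/* Credit the energy earned since the last call, saturating at capacity.
 * Unsigned subtraction keeps this correct across a timer wrap-around. */
static void budget_refill(struct energy_budget *b, uint32_t now_s)
{
    uint32_t elapsed = now_s - b->last_refill_s;
    uint64_t tokens = (uint64_t)b->tokens_uj +
                      (uint64_t)elapsed * b->refill_uj_per_s;
    b->tokens_uj = tokens > b->capacity_uj ? b->capacity_uj
                                           : (uint32_t)tokens;
    b->last_refill_s = now_s;
}

/* Returns true and charges the budget if the operation may run now.
 * Remote requests can only spend energy above the reserve, so a flood
 * of them cannot starve the local, safety-relevant work. */
bool budget_request(struct energy_budget *b, enum op op, enum origin who,
                    uint32_t now_s)
{
    if ((unsigned)op >= OP_COUNT) { b->denied++; return false; }
    budget_refill(b, now_s);
    uint32_t min_left = (who == ORIGIN_REMOTE) ? b->reserve_uj : 0;
    uint32_t spendable = b->tokens_uj > min_left
                             ? b->tokens_uj - min_left : 0;
    if (op_cost_uj[op] > spendable) { b->denied++; return false; }
    b->tokens_uj -= op_cost_uj[op];
    return true;
}

struct flood_result {
    uint32_t remote_granted, remote_denied, local_ok, tokens_left_uj;
};

/* Constructed scenario: for 60 s the device reads its sensor once per
 * second while a peer requests 10 expensive handshakes per second. */
struct flood_result simulate_flood(void)
{
    struct energy_budget b;
    struct flood_result r = { 0, 0, 0, 0 };
    budget_init(&b, 6000, 200, 1000, 0);
    for (uint32_t t = 0; t < 60; t++) {
        if (budget_request(&b, OP_SENSOR_READ, ORIGIN_LOCAL_CRITICAL, t))
            r.local_ok++;
        for (int i = 0; i < 10; i++) {
            if (budget_request(&b, OP_CRYPTO_HANDSHAKE, ORIGIN_REMOTE, t))
                r.remote_granted++;
            else
                r.remote_denied++;
        }
    }
    r.tokens_left_uj = b.tokens_uj;
    return r;
}

int main(void)
{
    struct flood_result r = simulate_flood();
    printf("handshakes granted=%u denied=%u, sensor reads ok=%u, left=%u uJ\n",
           (unsigned)r.remote_granted, (unsigned)r.remote_denied,
           (unsigned)r.local_ok, (unsigned)r.tokens_left_uj);
    return 0;
}
```

The `denied` counter doubles as a low-cost detection signal: a sustained rise in refused remote requests is worth reporting upstream even on a device that cannot afford heavier monitoring.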


TABLE 1. Limitations due to the characteristics of ESs.

TABLE 2. Security problems due to the limitations of the ES. they must be protected to ensure the security of ESs. Also,
the authenticity of an embedded system is vulnerable to
numerous attacks, such as forged, malicious, or incorrect data
or information produced by the system’s sensors, an unautho-
rized user, or unauthorized reprogramming.
The processor’s capabilities, which are the heart of the
embedded system, are at the top of the list, and they are
often unable to implement advanced security techniques such
as data encryption. Furthermore, the CPUs themselves have
insufficient hardware protection against logical and physical
attacks. A more robust CPU could mitigate a lot of attacks, but
these are more expensive and normally limited to use on smart
cards or as dedicated secure elements in SoCs. Assuming
that the performance of the processor has been improved in
accordance with the requirements of advanced encryption,
this creates a new problem: the need for a significant amount
of energy, which may not be available in the case of portable
systems. However, if these two problems are resolved, we will
III. SECURITY RISKS OF EMBEDDED SYSTEM face a new problem, which is that of cost. A small increase
A. SECURITY PROBLEMS in the cost of production, even if only a few cents, would be
Embedded systems are vulnerable to a wide range of attacks very expensive and would affect competitiveness if millions
that might breach their security. For instance, an exhaustion of units were manufactured [35].
attack could drain the power resource by increasing com- Cybersecurity specialists often try to know the attacker’s
putational tasks or the use of peripherals or sensors. Also, capabilities to prevent attacks. Indeed, the attacker’s abili-
ES is vulnerable to physical attacks: if attackers have physical ties depend on what is made available and unprotected in
access to the system, they might conduct a physical intrusion, terms of entry points in the attack surface. Hardware com-
tamper with the integrity of the system, and/or perform snoop ponents, such as Wi-Fi, Bluetooth, USB or other input/output
attacks on the system bus, as well as possibly causing sensor interfaces, and software systems, such as operating systems
or peripheral damage. or applications, increase the capabilities and flexibility of
No matter what kind of system is under consideration, ESs, but may provide a greater attack surface for hackers;
embedded or conventional, they all have generic security thus, the system becomes more vulnerable for cyberattacks.
objectives: confidentiality, integrity, and availability. For In other words, if the capabilities of ESs increase in terms
example, malware (e.g., buffer overflow attacks [24]) can of points of connection and input units, then attack surfaces
attack networked embedded systems. The stored data or cryp- increase, thereby increasing the probability that the system
tographic keys of an embedded system or electronic currency is hacked. Compounding this problem is the easy avail-
on smart cards are vulnerable to unauthorized access, and ability of advanced, low-cost physical attack tools such as
VOLUME 9, 2021 965
A. Aloseel et al.: Analytical Review of Cybersecurity for Embedded Systems

ChipWhisperer and ChipShouter that can be used to generate gains access to a network and tries to remain undetected.
side-channel attacks (SCAs) or glitch attacks [36]. An APT attack usually seeks to monitor network activity and
On the other hand, although imposing restrictions on entry breach the confidentiality of data rather than to cause direct
points to the embedded system may contribute to reducing damage to the network or organization. APT attacks are often
the attacker’s chances, this conflicts with the importance of preceded by planning, require tremendous experience, and
system flexibility. The cybersecurity problems of embed- are intended to spy for a longer term [46].
ded systems are endless, and they differ according to the Cyber-attacks refer to the actions taken by an attacker
assessment perspective and technical domain of application. to cause damage or harm to the system or disrupt normal
For example, several security problems are related to Inter- operations by using different techniques or tools. There are
net connectivity; several studies have addressed this prob- many types of attacks: (a) physical attacks, (b) reconnais-
lem [2], [37], [38]. Furthermore, the problem of data privacy sance attacks, (c) denial-of-service (DoS), (d) access attacks,
and policies was present in a study on smart cities [30], and (e) attacks on privacy, (f) cyber-crimes, and (g) destruc-
the problem of resource constraint and the need to design tive [24], [47], [48], [49]–[52]. Several challenges were
lightweight encryption [39] and energy-efficient countermea- presented by [2], such as safety, security, and confiden-
sure strategies were discussed in [13], [19], [20]. The lack of a tiality, as well as reliability, reparability, and availabil-
unified theoretical framework in the design of CPS is an prob- ity; this highlights the importance of cybersecurity defense
lem that deserves attention [40]. Also among the problems countermeasures implementation in embedded systems. For
is the operation of ESs in an unattended environment, which network-connected systems, considering the four layers of
creates several security challenges and is easily accessible to Transmission Control Protocol/Internet Protocol (TCP/IP) in
the attacker, as well as the problem of the use of off-the-shelf early stages of designing the embedded system will contribute
solutions [19]. The initial design stages and their importance, to hardening the ES. The layers of TCP/IP are Application
as well as the neglect of the security requirements in the initial layer, Transport layer, Network layer, and Link and Physical
stages of design, are discussed in [38], which reinforces the layer [28]; these layers play an important role in terms of the
urgent need to adopt a ‘security by design’ concept, not only security of the embedded system, as the weakness of the mea-
for this reason but also because the embedded systems are sures taken in these layers will create many vulnerabilities
designed for fixed purposes; thus, a successful attack on one that the attacker can exploit, and in return, the implementing
sample of the embedded system’s applications could facilitate of best practices in these layers will enhance the stability
the repetition of the attack on other embedded systems of the of the system. The biggest challenge facing an embedded
same type without additional cost or effort. system is when it is connected to the public Internet, as it
faces unpredictable cyber threats. Although embedded sys-
B. CLASSIC ATTACKS AND IMPACT ON ESs tems usually sit at the bottom layer—the physical layer of
Abomhara and Køien [24] addressed security risks in terms IoT systems—it is crucial to take into account the four layers
of four aspects: vulnerabilities, exposure, threat, and attacks. Vulnerabilities refer to weaknesses in a system, design deficiencies, or weaknesses in policies or procedures that might allow the attackers to have unauthorized access to data, execute illegitimate commands or conduct attacks. Furthermore, vulnerabilities might be found in different software layers: applications, operating systems, or communication protocol stacks [24], [41], [42]. In the context of cybersecurity, a vulnerability is a weakness that can be exploited by a cyberattack to gain unauthorized access to or perform unauthorized actions on a computer system. Vulnerabilities can allow attackers to run code, access a system’s memory, install malware, and steal, destroy, or modify sensitive data. Exposure risks refer to problems or mistakes in a system configuration that might be exploited by an intruder. Threats refer to the activities that take advantage of security weaknesses in a system to conduct a harmful impact [24], [43]. A cyber threat is a potential malicious act that might exploit a vulnerability to breach security and, therefore, cause possible harm. This threat can be an intentional action, accidental event, or an abnormal circumstance. Cyber threats include unstructured threats, which use existing hacking tools, and structured threats, e.g., Advanced Persistent Threats (APTs), conducted by an expert attacker [24], [28], [44], [45]. APT is a prolonged and targeted cyberattack in which an intruder

of the TCP/IP model to consider cyber-threats from upper layers and the direct threat at the physical layer in the design stage of embedded systems. Ali et al. [4] extensively discuss the security threats and vulnerabilities according to the relationship between cyber-physical systems and the TCP/IP model. Fitz et al. [53] discuss the effect of network topography on the stability of cyber-physical systems’ connectivity. Networks can be categorized into six types: Star, Bus, Linear, Ring, Tree, and Mesh. Mesh design, which could be partially or fully connected, is the highest cost among these topologies to maintain the connectivity of CPS and its sensors. The International Organization for Standardization (ISO) defines a 7-layer reference network model. The physical layer accounts for an important proportion of energy consumption, in addition to the existence of a lack of unified specific standards for designers and developers of CPS to mitigate cyber risks. Figure 4 summarizes classic cyberattacks on the TCP/IP layers.

Several valuable documents in the field of research were published by the National Institute of Standards and Technology (NIST) and related to NIST standards [54]–[60]. The impact of cyber-attacks on the functions of a cyber-physical system was presented in [61] by reviewing a case study of a rail transport system. The case study was performed based on Hardware-in-the-Loop (HIL) simulation to avoid
any severe damage or danger for humans in the real world. HIL acts as an interface platform between the physical components (sensors in this case) and an embedded system, acting as the computational part. The effect of a cyber-attack on the efficiency of the functions of CPS was studied. It was shown that digital attacks can affect the effectiveness of the functions of CPS, causing significant delays in transiting a signal between a sender and a receiver when the infrastructure is attacked.

FIGURE 4. TCP/IP layers and attacks [4].

Prevention of cyber-attacks is a critical challenge due to the diversity of attacks and the constraints of ESs. One of the most critical stages in dealing with a cyberattack is the detection of the attack itself. Late detection of an attack could allow severe consequences, such as system damage, to occur, whereas early detection allows for a suitable response. However, detection may require significant resources and limit the functionality of the system. An inappropriate response itself could also contribute to an attack and even be used by an attacker. For example, suppose a system disables network connectivity to prevent an attack. In this case, it could be used to direct the re-connection to a fake access point, not to mention the loss of availability during the disconnection time. Some unfinished or unnecessary responses could also conflict with the operation of a device, for example, safety-critical operation, real-time or necessity of immediate functional reaction and synchronization. Hence, an appropriate strategy for detection and response is needed to avoid possible damage but maintain the required functionality of a system, and this is often a compromise.

Each embedded system has its own requirements and, therefore, requires its own security methods. The absence of specific manufacturing standards has exacerbated the problem of creating a unified and comprehensive security solution [40], although the essence and architecture of embedded systems are, in general, similar. As each system is designed for its own purpose, specific security mechanisms are required to support the functional requirements of the system.

C. CHALLENGES OF IMPLEMENTING CSES
IoT-enabled cyber-physical systems greatly increase the diversity of ES applications. Conversely, the cybersecurity vulnerabilities of ESs open the doors to countless types of cyber-attacks, and this is one of the biggest challenges facing ESs enabled by IoT technology [2], [37], [38]. Another challenge for the cybersecurity of ESs lies in the fact that ESs could work in a non-controlled environment [19], in a stand-alone and independent manner. Industry 4.0 raises the new concept of security by design. Cybersecurity should be considered when designing an embedded system, with specific regard to the security challenges caused by the characteristics of that system.

One of the most challenging aspects of embedded system security design is having to implement the security objectives within the system’s capabilities and to do this without focusing on a specific aspect and neglecting to take into account other aspects, or providing non-comprehensive solutions. Habibzadeh et al. [30] found that the problem of existing cybersecurity research lies in the focus on a single component in a system, and they suggested that a robust CPS should have the cybersecurity capabilities of all of its components and that the security of a system is typically determined by its weakest link. Hence, Habibzadeh et al. considered ensuring the overall security of the system to be the weakest link that needs to be addressed to have a robust CPS. The “weakest link” concept has been discussed at length in [62], and we can define it in this context as “A guardian is an entity in the system that the attacker could try to pass to gain access to an asset. The cost of passing a guardian determines the negative utility for the attacker when deciding to pass. The cost is typically dependent on the entities an attacker already has access to, such as keys or passwords” [62].

It is important to clearly understand the terminology of security risks, security threats, cyberattacks, vulnerabilities, and exposure risks [24], [7]. The distinction between these terms contributes to clarifying the vision of the nature of the risks facing ESs and their applications and, thus, facilitates the diagnosis of the problem and the finding of an appropriate security solution. A detailed explanation of these terms is provided in Section B.

The challenges facing ESs begin at the initial design stages and continue up to the final operational phase. During these stages, some of the most obvious challenges hinder the design of highly efficient countermeasures against cyberattacks, such as processing gap, battery gap, flexibility, tamper resistance, assurance gap, and cost [11], [19]. The design process of an ES is influenced predominantly by cost; in terms of the time factor, ES industries always pursue a fast development cycle for market competition. This adversely affects manufacturers in applying high standards for the development of advanced security solutions. Another critical challenge facing ESs is the consumption and measurement of energy that supports the functions of IoT components [63]. The optimization of energy is demanded due to the constraints on embedded system resources. The battery gap or the power consumption optimization constitutes one of the most challenging design factors [11], [19]. Table 3 summarizes the research directions on the security risks domain of ES.


TABLE 3. Summary table of the research directions on security risks aspects of the embedded systems.

IV. CYBERSECURITY OF EMBEDDED SYSTEM
In this section, we will address three different aspects: A. security objectives, B. security countermeasures, and C. risk management and security incident response.

A. SECURITY OBJECTIVES
Cybersecurity, as defined in [66], [24], is a process to protect an object against physical damage, unauthorized access, theft, or loss, by maintaining high confidentiality and integrity of information about the object and making information about that object available whenever needed. To implement effective countermeasures, we need to state the security objectives clearly. The generic security objectives for all systems and services are Confidentiality, Integrity, and Availability, called the CIA triangle. Confidentiality means ensuring the information is not made available or disclosed to unauthorized entities; integrity aims to protect the accuracy and completeness, and the availability implies the information is accessible and usable by an authorized entity when it is demanded. In addition to the security triangle, according to [67], [68] and based on ISO/IEC 27001:2013, [69], embedded systems should also be designed with concerns
of Authenticity, Accountability, Non-repudiation, Reliability, Access Control, Dependability, Safety, and Privacy. These security objectives are the cornerstone of the cybersecurity industry in ESs. From the aspect of attackers, the barriers implemented to meet the security objectives of embedded systems are the target elements of attacks; on the other hand, these security objectives are the goals to be achieved, maintained, and guaranteed by cybersecurity practitioners.

Many studies [19], [67], [68] have referred to the security triangle, and these security goals are breached by a number of different types of attacks. For example, confidentiality could be breached by side-channel attacks, authentication attacks, password attacks, packet sniffing, and session hijacking. Integrity could be breached by packet dropping or packet delay attacks and spoofing attacks. The availability could be breached by a buffer overflow or Denial of Service (DoS) attack, which targets low memory capabilities and limited computation resources. Most CPS devices are vulnerable to such resource enervation attacks [24].

Industry 4.0 raises the concept of “Security by Design.” Cybersecurity is a critical challenge for the success of industry 4.0. Taking security problems and challenges into account in the design stage of a cyber-physical system is the most efficient and effective solution. Also, it is considered the least expensive approach in the long term, compared to the post-processing of cyberattacks, and reduces the need for more modifications or improvements in the final product. Implementing the convergence between the capabilities of embedded systems and cybersecurity objectives is a dilemma: it conflicts with the current approach, where we always strive to design embedded systems with low cost, small size, and low energy consumption, compatible with mobility and dependability concepts, embeddable in larger CPS, and with efficient and sufficient processing capacity. On the other hand, the requirements of cybersecurity are inconsistent with what we seek, as advanced security measures such as sophisticated encryption or intrusion detection systems (IDS) require high computing capabilities which require increasing the transistor count, which in turn increases the cost, size, and power consumption. Even adopting smaller silicon geometries (e.g., 7nm chips) that could help in terms of size and power has a more expensive up-front cost and, therefore, requires higher sales volumes to be profitable and cost-effective [70].

B. SECURITY COUNTERMEASURES OF ESs
Security countermeasures for embedded systems have been extensively studied, and most security solutions can be developed in the form of tools, methods, mechanisms, or approaches. Habibzadeh et al. [30] suggested that security countermeasures must be done in four dimensions of physical security: firmware-level, device-level, circuit-level, and energy-harvesting- and storage-level. Dibaji et al. [71] categorized defense mechanisms against cyberattacks into three types: prevention, resilience, and detection and isolation. The prevention mechanism is designed to counter disclosure attacks, such as Advanced Persistent Threats (APTs), and the two main methods are cryptography and randomization. Resilience refers to the ability of the system to continue to perform its function despite the effects caused by the cyber-attack. Several approaches to implement this mechanism can be applied, for instance, game theory, event-triggered control, mean subsequence reduced algorithms and trust-based approaches. The detection and isolation mechanism consists of five types: observer-based techniques, analytical consistency, watermarking, baiting, and learning-based anomaly detection. Ashibani and Mahmoud [72] highlighted that security measures should take place at three levels to achieve maximum protection: perception, transmission, and application layers.

Attack detection is one of the most important counteractions because it is critical for active countermeasures as it is directly associated with security countermeasures. We must discover the existence of an attack before dealing with it. There are different levels of defense: the first level of defense is to prevent the attack entirely by design, using techniques such as encryption and authentication [73]; the second level is to detect the attack early and deal with it immediately to stop any damage occurring by applying a detection mechanism such as an Intrusion Detection System (IDS) [73]; the third level is to prevent the recurrence of the attack by taking the required countermeasures after knowing the type of attack and impact of the attack. These levels of defense against cyberattacks require more efficient techniques in different research areas [74], such as vulnerability identification, impact analysis, mitigation, cybersecurity metrics, data and model development, penetration testing, interoperability, and digital forensics. Trawczynski et al. [75] provided an approach to detect a DoS-type attack based on the failure of a single node communication interface. Intrusion Detection and Prevention Systems (IDPS) with multi-mode counteractions is also one of the suggested security solutions [76]. The counteraction technique is to block the attacker’s IP address via a firewall, based on the number of packets exceeding the threshold limit in one second. In the case of failure, a remote stop of the corresponding service takes place as a third counteraction. In this context, it is important to note that the requirement that the IDS inspect every packet demands a high resource consumption that is not generally compatible with the capabilities of ESs.

A comprehensive survey of physics-based attack detection techniques was provided by [77], where the researchers highlighted that physical components of cyber-physical systems (e.g., actuators or sensors) need to be monitored to detect the attack based on any abnormality in the performance of these physical components. Also, a discrete-time energy-based attack detection mechanism for a networked cyber-physical system was proposed by [78], where the detecting mechanism is based on the energy balance of the system. Among the existing solutions, Poongothai and Duraiswamy [73] applied a machine learning technique in an IDS to mobile ad hoc networks (MANET), which are not conventionally designed
with an IDS, as an example of embedded system applications. Whereas encryption and authentication techniques work as the first line of defense, the IDS can work as a second line of defense. Also, problems such as lack of central points, cooperation, shared radio channel, limited resource availability, and the lack of a clear line of defense and secure communication in MANETs have been addressed in [73].

Gu et al. [79] suggested improving security by using a co-processor with the implementation of Mixed Integer Linear Programming (MILP) formulation. Although this approach may contribute to enhancing security aspects, it might conflict with the characteristics of ESs’ resources or cost. Wang et al. [27] presented a hardware-enhanced protection method to maintain the confidentiality and integrity of data by using an AES stream encryption engine. Also, a combinational logic binding technique against cloning attacks for FPGA-based embedded systems is discussed in [80]. Negi et al. [81] discussed the embedded systems in the application field of networks, and the study conducted a test in the transfer of data based on Secure Sockets Layer (SSL) and Transport Layer Security (TLS). The adoption of this protocol as a security protocol has shown promising results in terms of sending and receiving data securely on the level of embedded systems.

A survey of EU research efforts in the security solutions of ESs has been done in [82], where security solutions for ESs were classified into several levels: (i) Node-based security technologies, for example a physical unclonable function (PUF), a physically-defined “digital fingerprint” that serves as a unique identity [30]; and (ii) network-based security technologies, focusing on secure routing and Intrusion Detection System (IDS) for a distributed ES network, implemented with middleware and overlay technologies. Among the studies that dealt with security solutions is also a preemptive security mechanism, which is a thin-layer hypervisor-based memory introspection engine on ESs and was proposed by Lukacs et al. [83]. The concept of this mechanism is based on hardware virtualization technology, and this mechanism works on two different levels: privilege level and isolation; and hardware-level virtualization. This technique has been implemented on an x86 CPU, which paved the way for testing this mechanism on ARM Cortex A53 and A57 chips.

Evaluating security requirements to adopt appropriate security countermeasures based on different axes was presented by Elmiligi et al. [84]. According to Elmiligi et al., the security requirements can be evaluated from 27 different angles and based on three main axes. These axes are the programmability level axis, integration level axis, and life-cycle phase axis. Figure 5 depicts these axes and their different angles [84].

FIGURE 5. The 27 different angles [84].

It is also worth mentioning the criticality of a real-time embedded system (RTES). Specific security countermeasures for RTES can be implemented in two stages: (i) identify specific attacks that could threaten the systems; and (ii) implement security-guaranteed services, overcoming the challenges of real-time performance and energy consumption [26]. The study in [85] showed how security measures could be circumvented in different platforms. This demonstrates the importance of highly robust solutions and their availability for a long period.

A non-intrusive runtime monitoring technique for ensuring the safety and security of ESs was presented in [86]. It is based on the principle that finding and implementing solutions on one aspect may depend on another aspect, because the monitoring of non-intrusive runtime through power consumption has been used to enforce safety and security in ESs. This shows that some security solutions are indirect. In other words, enhancing specific security aspects of the system will reflect positively on other aspects.

A multi-metrics approach to ensure and evaluate Security, Privacy, and Dependability (SPD) in ESs is provided in [87], using a smart vehicle as a case study. Also, Mu et al. [88] presented a bottom-up approach for the information flow security of a verifiable embedded system based on Gate-Level Information Flow Tracking (GLIFT), at the early stages of designing ESs. The concept of this approach is based on applying restrictions to the information flow to allow only legitimate data to pass through. Liu [89] proposed a security kernel prototype system to support several security verification strategies—for example, multiple levels of security (MLS), Role-Based Access Control (RBAC), and Distribution Transforming Encoder (DTE) [89]. This security kernel prototype system focuses on the security kernel in an embedded system, and it is a very generic security prototype system.

“Security by design” is critically required by Industry 4.0. At the design stage of ESs, it is required to integrate security mechanisms into embedded systems according to Model-Based Development (MBD) [90]. Thayer [91] stated that the adversarial testing in the early stage of designing and developing the embedded system would increase the overall awareness of the threats posed to a system. Also, the high energy efficiency of systems supports the implementation of advanced cryptographic techniques [38]. A stable and sufficient energy source is essential; thus, it is important to optimize the system to minimize energy consumption, so that there is enough energy for preventing attacks.
Hasler and Shah [92] addressed the security implications for the ultra-low energy consumption of SoC FPGA embedded systems.

A comprehensive framework for modeling and assessment for penetration testing of IoT systems, taking attack surface into account, is presented by [93], using a virtual prototype to validate the design of an IoT system. The adopted model uses virtual prototypes (VPs) as a concept, which is a method or technique implemented to validate a development design before any real implementation. The VP is used to develop a framework that aims to support security measures in the initial stages of designing embedded systems. Also, the authors in [94] presented a comprehensive experimental analysis of automotive attack surfaces. The experiment showed severe vulnerabilities that an attacker could exploit, and the results were shared with relevant industry and government stakeholders. Reducing the attack surface by lowering the attacker’s access based on a permission-based security model is presented by [95] for Android applications. The suggested approach is designed for detecting permission gaps, using permission-based software.

In general, the adoption of a security solution depends on several factors: the purpose for which it was designed; the capabilities of ES to handle the solution; the nature of the risks that may be exposed; and technical implementation domains. It is also important to train operators with security awareness and relevant knowledge.

C. RISK MANAGEMENT AND SECURITY INCIDENT RESPONSE
Risk management and incident response are important for the cybersecurity of embedded systems, especially networked devices, because security threats cannot be eliminated entirely [73]. A NIST report in 2014 [54] presented a Cybersecurity Risk Management Framework (CRMF) for modern vehicles, where embedded systems are important components. Figure 6 depicts the security lifecycle presented by NIST [54].

FIGURE 6. NIST security life cycle [54].

Wilbanks [96] proposed a Cyber Risk Management Framework (CRMF) and Cyber Security Risk Indicator (CSRI). CRMF applied three principles: (i) integrating security countermeasures into the systems development lifecycle, (ii) monitoring and maintaining the status of the system, and (iii) interacting with the current situation by making a risk mitigation decision. CSRI measures the efficiency and effectiveness of the system by using quantitative criteria to assess the robustness of the system [96], [54].

In terms of incident response, the term ‘incident response’ may be related to other terms, such as ‘incident handling’ and ‘incident management’. NIST does not give strict definitions of “incident handling” and “incident response”. CERT/CC uses “incident handling” to refer to the overall process of incident detection, reporting, analysis, and response, while “incident response” refers to incident containment, recovery, and notification of others [97]. As stated in the Cyber Security Incident Response Guide from the Council for Registered Ethical Security Testers (CREST) [98], “There is no common understanding of what a cybersecurity incident is, with a wide variety of interpretations. With no agreed definition, many organizations adopt different views.” NIST breaks incident response down into four broad phases: (1) Preparation; (2) Detection and Analysis; (3) Containment, Eradication and Recovery; and (4) Post-Event Activity. Phase 2 and Phase 3 are interactive with each other. Dorofee et al. [99] classified incident management into five major steps: prepare, protect, detect, respond, and sustain. Incident response is not exclusive to the administrative level. Some technical solutions can support early incident response; S. Sultana et al. [100] provided a security incident response and prevention system (Kinesis) for Wireless Sensor Networks (WSNs). This system can dynamically respond to anomalous events, based on a suspect’s security status, and does not require any central authority to trigger an action.

According to CREST [98], [101], cybersecurity incidents, particularly serious cybersecurity attacks (e.g., advanced persistent threats (APTs)) have been causing serious damage to organizations, governments, and international bodies. Computer Emergency Response Team (CERT) [99], [102], and NIST [54], [55] have made significant contributions in the subject of cybersecurity incident responses.

As long as the ESs are as essential as traditional computer systems and given the widespread applications of ESs in many domains and at different levels in governments, organizations, and individuals, the supervising parties must have plans to respond to possible incidents following recommended standards such as CRMF or CSRI. If all security measures at all levels fail to prevent and tackle a cyber-attack, the responsible parties must at least be able to have a fast response to the incident caused by the attack, thereby reducing the damages and economic loss. They must learn from the incident to ensure that the attack does not recur in the future. Figure 7 summarizes the research directions in cybersecurity requirements for the ESs.

FIGURE 7. Research directions in cybersecurity requirements of ESs.
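
The multi-mode IDPS counteraction described in Section IV.B (block a source whose packet count exceeds a per-second threshold, then stop the service if that fails) is implemented below within a fixed memory budget, in line with the resource limits the section stresses. This is an added example, not code from the paper or from [76]; the table size, the threshold, the `fw_block` hook, and the reading of "failure" as a rejected firewall rule or renewed flooding from an already blocked source are assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TABLE_SLOTS   8   /* assumed fixed memory budget: no heap use */
#define PPS_THRESHOLD 5   /* assumed limit: packets per source per second */
enum action { ACT_NONE, ACT_BLOCK, ACT_STOP_SERVICE };

struct slot {
    uint32_t src;           /* IPv4 source address */
    uint32_t window;        /* the second this count belongs to */
    uint16_t count;         /* packets seen from src in that second */
    uint8_t  used, blocked; /* blocked: a firewall rule is installed for src */
};

struct idps {
    struct slot table[TABLE_SLOTS];
    int (*fw_block)(uint32_t src);  /* hypothetical firewall hook, 0 = installed */
    int service_stopped;
    uint32_t untracked;             /* packets seen while the table was full */
};

static void idps_init(struct idps *d, int (*fw_block)(uint32_t))
{
    memset(d, 0, sizeof *d);
    d->fw_block = fw_block;
}

/* Return the slot for src, or claim a free or stale one. Blocked sources are
 * never evicted, so a burst of new addresses cannot erase an active block. */
static struct slot *slot_for(struct idps *d, uint32_t src, uint32_t now)
{
    struct slot *spare = NULL;
    for (int i = 0; i < TABLE_SLOTS; i++) {
        struct slot *s = &d->table[i];
        if (s->used && s->src == src)
            return s;
        if (!spare && (!s->used || (!s->blocked && s->window != now)))
            spare = s;
    }
    if (spare)
        *spare = (struct slot){ .src = src, .window = now, .used = 1 };
    return spare;
}

/* Account for one packet and return the counteraction it triggers. */
static enum action idps_on_packet(struct idps *d, uint32_t src, uint32_t now)
{
    if (d->service_stopped)
        return ACT_STOP_SERVICE;
    struct slot *s = slot_for(d, src, now);
    if (!s) {                 /* table exhausted within this second */
        d->untracked++;
        return ACT_NONE;
    }
    if (s->window != now) {   /* start a new one-second window */
        s->window = now;
        s->count = 0;
    }
    if (++s->count <= PPS_THRESHOLD)
        return ACT_NONE;
    /* Threshold exceeded: first try the firewall block. */
    if (!s->blocked && d->fw_block(src) == 0) {
        s->blocked = 1;
        s->count = 0;         /* tolerate packets already in flight */
        return ACT_BLOCK;
    }
    /* Rule rejected, or a blocked source crossed the threshold again:
     * escalate to stopping the service. */
    d->service_stopped = 1;
    return ACT_STOP_SERVICE;
}

/* Feed n packets from src within second `now`; return the strongest action. */
static enum action feed(struct idps *d, uint32_t src, uint32_t now, int n)
{
    enum action worst = ACT_NONE;
    while (n-- > 0) {
        enum action a = idps_on_packet(d, src, now);
        if (a > worst) worst = a;
    }
    return worst;
}

static int fw_ok(uint32_t src)   { (void)src; return 0; }   /* rule accepted */
static int fw_fail(uint32_t src) { (void)src; return -1; }  /* rule rejected */

int main(void)
{
    struct idps d;
    idps_init(&d, fw_ok);   /* constructed traffic, addresses are made up */
    printf("benign  -> %d\n", feed(&d, 0x0A000007u, 100, 3));
    printf("flood   -> %d\n", feed(&d, 0x0A000009u, 100, 7));
    printf("persist -> %d\n", feed(&d, 0x0A000009u, 101, 7));
    idps_init(&d, fw_fail);
    printf("no rule -> %d\n", feed(&d, 0x0A000009u, 100, 7));
    return 0;
}
```

The `untracked` counter records the case the section warns about: once every slot is busy within one second, further sources pass uncounted, which is the price of the fixed table.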

V. ANALYTICAL RESULTS OF CSES
In this section, we will present the security risk metric; we will also identify the influencing factors of CSES to shape the MuLFESC framework, which can be used as an instrument of security assessment for the ESs.

A. SECURITY RISK METRICS
Based on the analysis of the previous studies in this area, multi-security risk metrics have been created and will be presented in this section as part of the contribution. Cybersecurity risk for a system is the probability of exposure or loss resulting from a cyberattack or data breach on the system. The sensitivity of data, its value, and the benefits attackers would gain from hijacking an asset are all large motivations; however, attackers’ abilities are contingent on what has been made inadvertently available to them. More entry points mean more possibilities that a system can be exploited. In other words, if the entry points in the attack surfaces are reduced and the unnecessary services are disabled, the chances that a system is attacked are reduced. Many studies have considered security risks from different perspectives, and based on different criteria. According to NIST [56], [115], [116], security metrics are metrics based on IT security performance goals and objectives designed to assist decision-making and improve performance and accountability by collection and analysis of data against potential risk to take an appropriate countermeasure. Within the security risks metrics model, Figure 8, the cyberattacks have been addressed from seven different perspectives, providing the broadest coverage of attack probabilities. Thus, having a comprehensive perception of attack possibilities will lead to having a comprehensive awareness that will be reflected positively in the upcoming Multiple Layers Feedback Framework of Embedded System Cybersecurity, Figure 10. Optimal countermeasures can then be taken in each layer, according to the perspective of evaluation. For example, tackling attacks from the asset value angle will lead to the enactment of the necessary policies in layer 7 to protect the assets according to the sensitivity of the data. Also, addressing attacks based on the attack surface will help in disabling unnecessary entry points in layer 3. Besides, evaluating attacks from the targeted network layer perspective will help in adopting the most secure appropriate protocol, and so on. Therefore, the reflected feedback on layer one fed from other layers (Figure 10) as a continuous process will be enriched by considering these perspectives to achieve best practices and implement a compatible countermeasure, avoiding any conflict with requirements of the other layers.

We define security risks within a metrics of different criteria, based on the security triangle: Confidentiality, Integrity, and Availability (CIA) [19], [67], [68], as the backbone of the security risk metrics (CIA terms are explained in section IV.A). They are what attackers intend to breach ultimately, regardless of the methods or attack surface. Figure 8 depicts the adopted security risk metrics, where (X) refers to a security risk. Based on this risk metrics, a security risk can be addressed from 7 perspectives:

(1) A security risk X should be examined against the proposed Multiple Layers Feedback Framework of Embedded System Cybersecurity (MuLFESC), at the same time considering the twelve influencing factors, as illustrated in Figure 9. Figure 11 in the Appendix also presents these factors with more details.

(2) Security risk can be assessed based on attack methods. According to [64], methods of attacks can be classified into three different typical methods: (1) physical method,
(2) logical or software-based method, and (3) Side-Channel attack method.
-- A physical attack, whether non-invasive, semi-invasive, or invasive attack means an attacker’s ability to access the cyber-physical system directly and this direct physical access is unauthorized and unauthenticated [64]. In this case, it is impossible to predict what the attacker can do. Also, natural disasters fall within this type of security threat [24], [64]. A fault attack is an example of a physical attack that can be generated to attack an electronic device, and it can be executed by stressing a targeted device beyond its expected operational limits, causing errors [117]. These errors might lead to security failures on the system such as bypassing authentication checks or leaking sensitive information.
-- The logical or software-based methods are often used to attack networked ESs through the Internet. The attacks are carried out by exploiting vulnerabilities or exposing errors in software [24], [64], whether in the operating system (OS), applications, protocols used for data transfer, or decryption of the encrypted data.
-- In Side-Channel Attacks (SCA), an attacker studies the often unexpected, indirect physical effects of security operations. In this type of attack, the attacker monitors and analyzes system activities produced by its physical components such as electromagnetic emission, power consumption, timing, and cryptanalysis to gain access to protected data [67]. NIST defines a side-channel attack as follows: “An attack enabled by leakage of information from a physical cryptosystem. Characteristics that could be exploited in a side-channel attack include timing, power consumption, and electromagnetic and acoustic emissions” [55]. There are 12 possible attacks based on this method: (1) acoustic attack, (2) brute force attack, (3) cache-based attack, (4) electromagnetic analysis, (5) error message attack, (6) frequency-based attack, (7) glitch attack, (8) power analysis, (9) timing analysis, (10) safe error attack, (11) scan-based attack, and (12) visible light attack [64].

(3) Security risks can be classified into four different types based on their nature: Vulnerabilities, Exposure, Threat, and Attacks [24] (see section III.B).

(4) Attack surface is the sum of all possible security risk exposures. There are three types of attack surfaces [65]:
-- The hardware surface can be any possible components in a cyber-physical system or an embedded system, such as sensors for receiving or sending signals, USB ports or Input/output units.
-- The software surface, including the logicality of algorithms and protocols, can be in any levels of OS, firmware, protocol handlers or applications.
-- Finally, the network-components surface.
As mentioned earlier, a smaller attack surface can help make the system less exploitable, reducing the risk; and a greater attack surface makes the system more vulnerable to attacks,

security problem through using redundant controller architecture to avoid unpredictable mechanical failures, but unfortunately this technique increases the chance of exploiting the attack surface and lowers the sensitivity to respond to ongoing attacks.

(5) The security risk due to network connectivity can be assessed in terms of the four-layer TCP/IP model: application layer, transport layer, network layer, and link and physical layer [4]. There could be different attacks in each layer; examples of these attacks were discussed in section III.B.

(6) The security challenges in terms of the limitations of the embedded system have been discussed by [25], including processing gap, battery gap, independence, flexibility, installation in an uncontrolled or harsh environment, remoteness and unmanned operation, connectivity to the network, the function’s nature of the CPS, and cost. The cybersecurity risk often arises from the limited resources in embedded systems.

(7) Taking into account the attacker’s capabilities and the value of the assets is essential for the assessment. A skilled attacker with significant resources poses a much higher risk than a low-skilled attacker with few resources. The value of assets, including data, is important. The more sensitive the data, the more security measures are required to ensure its confidentiality, integrity, and availability. While evaluating the efficiency and effectiveness of the applied measures, taking attackers’ capabilities and assets’ values into account might help improve the adoption of appropriate security. The following figure depicts the suggested security risk metrics.
which increases the risk. Cheng et al. [118] verify this FIGURE 8. Security risk metrics.
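The fault-attack and side-channel passages above name two ways an embedded authentication check can fail: an induced error that skips the check, and execution time that depends on secret data. The following C code is an added example, not code from the paper; the function names, TAG_LEN and the two status values are hypothetical, and the step counter is a deterministic stand-in for execution time.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define TAG_LEN 16
/* Hardened status codes (constructed values): bitwise complements, so a fault
 * that flips a few bits cannot turn DENIED into GRANTED. */
#define AUTH_GRANTED 0x3CA5965Au
#define AUTH_DENIED  0xC35A69A5u

/* Early-exit comparison, shown for contrast. *steps stands in for execution
 * time: it depends on the position of the first mismatching byte. */
int leaky_equal(const uint8_t *a, const uint8_t *b, size_t n, size_t *steps)
{
    for (size_t i = 0; i < n; i++) {
        (*steps)++;
        if (a[i] != b[i])
            return 0;
    }
    return 1;
}

/* Constant-time comparison: every byte is processed and differences are
 * OR-accumulated, so there is no data-dependent branch. Returns 0 on match. */
uint32_t ct_diff(const uint8_t *a, const uint8_t *b, size_t n, size_t *steps)
{
    uint32_t acc = 0;
    for (size_t i = 0; i < n; i++) {
        (*steps)++;
        acc |= (uint32_t)(a[i] ^ b[i]);
    }
    return acc;
}

/* Fault-hardened decision: default deny, two independent comparisons,
 * nested checks, and a final consistency test between the two passes. */
uint32_t auth_check(const uint8_t *expected, const uint8_t *presented, size_t n)
{
    volatile uint32_t result = AUTH_DENIED;
    size_t unused = 0;
    /* volatile keeps the compiler from merging the redundant checks */
    volatile uint32_t d1 = ct_diff(expected, presented, n, &unused);
    volatile uint32_t d2 = ct_diff(presented, expected, n, &unused);

    if (d1 == 0) {
        if (d2 == 0)
            result = AUTH_GRANTED;
    }
    if (d1 != d2)            /* the passes disagree: treat it as a fault */
        result = AUTH_DENIED;
    return result;
}

/* Constructed sample data: reference tag 0x00..0x0F; the candidate differs
 * at byte `pos` (a negative pos yields an identical candidate). */
static void make_sample(uint8_t *ref, uint8_t *cand, int pos)
{
    for (int i = 0; i < TAG_LEN; i++)
        ref[i] = cand[i] = (uint8_t)i;
    if (pos >= 0 && pos < TAG_LEN)
        cand[pos] ^= 0x80;
}

/* Steps taken by either comparison for a mismatch at byte `pos`. */
size_t demo_steps(int constant_time, int pos)
{
    uint8_t ref[TAG_LEN], cand[TAG_LEN];
    size_t steps = 0;
    make_sample(ref, cand, pos);
    if (constant_time)
        (void)ct_diff(ref, cand, TAG_LEN, &steps);
    else
        (void)leaky_equal(ref, cand, TAG_LEN, &steps);
    return steps;
}

/* Decision of the hardened check for a mismatch at byte `pos`. */
uint32_t demo_auth(int pos)
{
    uint8_t ref[TAG_LEN], cand[TAG_LEN];
    make_sample(ref, cand, pos);
    return auth_check(ref, cand, TAG_LEN);
}

int main(void)
{
    printf("early-exit steps, mismatch at byte 0 / 15: %zu / %zu\n",
           demo_steps(0, 0), demo_steps(0, 15));
    printf("constant-time steps, same inputs:          %zu / %zu\n",
           demo_steps(1, 0), demo_steps(1, 15));
    printf("auth_check match=%08X mismatch=%08X\n",
           (unsigned)demo_auth(-1), (unsigned)demo_auth(7));
    return 0;
}
```

On a real target, confirm in the compiled output that both comparisons and both nested branches survive optimization, since the redundancy is the countermeasure.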


B. KEY FACTORS OF THE MuLFESC FRAMEWORK


After presenting the multi-security risk metrics, which can predict the largest possible number of cyberattacks in terms of methods, types, surfaces, TCP/IP layer, and limitations of the ES’s resources, this section addresses the key factors that affect the CSES. The determination of the influencing factors could help identify the gaps and weaknesses in the current countermeasures. Figure 9 represents these influencing factors that have been extracted from the existing research trends, while Figure 10 represents the MuLFESC framework layers with its involved parties and system components affected by these factors. The MuLFESC framework has been shaped by taking into account the following factors:

1) THE ARCHITECTURE OF ES IN CPS


Weak computing capabilities of ES could limit the ability to implement advanced security solutions regarding the components and architecture of ES in CPS. Failure to consider security requirements at the design stage of ESs could increase the complication of implementing cybersecurity objectives and requirements in a complicated CPS [13], [8], [119], [84], [88].

2) THE CHARACTERISTICS OF ES
Features of embedded systems and their flexibility in meeting the requirements of modern technologies earned them excellence over traditional computers. However, these characteristics pose many challenges for the cybersecurity of ESs [20], [56].

FIGURE 9. The relationship between the twelve factors.

3) THE IMPLEMENTATIONS OF ES
“Embedding systems” is a broad concept applied to form the computational part of a wide diversity of applications. Therefore, the diversity of ESs reflects positively on its applications [120], [81], [121], and the constraints of ESs’ characteristics and the attack surfaces that can be exploited pose many security challenges. This requires developing market-appropriate security solutions whether in the field of healthcare, communications, military, etc.

4) THE TECHNICAL DOMAINS OF ES
Embedded systems are the core or the basic block of advanced technologies, such as DCS, SCADA, IACS, ICS, Industry 4.0, Industrial, IIoT, IoT, and CPS. The realization of an embedded system with security by design could therefore support the security, stability, and reliability of advanced systems [122], [123]. However, security requirements and solutions need to be considered in the context of different technical domains. The study and test of the embedded system should be done under the context of its real-world applications; thus, the goals of the applications as well as the performance in efficiency, reliability, and stability can be reached.

5) THE SECURITY OBJECTIVES OF ES
Embedded systems have the same objectives of cybersecurity as traditional computer systems, which include: confidentiality, integrity, availability, authenticity, accountability, non-repudiation, reliability, access control, dependability, safety, and privacy. The security requirements depend on the context of application domains. In contrast, the characteristics of ESs raise the challenges in the implementation of embedded system security to achieve these objectives [19], [67], [68].

6) THE DIVERSITY OF SECURITY PROBLEMS IN ES
Security risks of embedded systems are raised due to various factors, such as the existence of various attack surfaces in a CPS, the connectivity of the Internet, and human factors. Different application systems may have different security problems. For example, if a CPS is characterized as an autonomous system without human intervention, security problems are more likely to relate to the physical security of ESs. If a CPS is characterized as an IoT-enabled system with the function of exchanging data or information with the Internet, a remote attack could threaten the CPS through the Internet. If a CPS is characterized as a system with a moveable power source and low energy utilization rate, the security problems may affect the sustainability of the energy source and the capacity of providing sufficient energy to meet the requirements of advanced applications. Embedded systems are lightweight and compact. The characteristics of ESs impose limitations on the implementation of cybersecurity of ESs, which may require increasing the capability of the CPU to perform more complex operations, thus enabling ESs to apply complex encryption, other strong security algorithms, and so on [2], [37], [38], [37].

7) CONNECTIVITY AND TCP/IP MODEL
The connection of ESs to the Internet enables them to provide services and features that were not available without

the connection. However, embedded systems could become vulnerable to a large number of cyber-attacks remotely [4]. For example, wireless connectivity can lead to the leakage of sensitive data [124].

8) ATTACK SURFACE AND CHANNELS
The main factors that could cause cyber threats or problems are: the attack surfaces, which provide attackers with the entry points; network connection, which provides a way to remotely approach the system; and actors/operators, who provide opportunities to attackers for social engineering. The security problems and the characteristics of the embedded system make the implementation of a secure embedded system challenging. Attacks are always carried out through one of the components of the targeted embedded system, such as Wi-Fi, Bluetooth, sensors or USB, as an attack surface. An attack could have different attack channels [64], [65]. Attacks on embedded systems can be carried out in different forms and on different attack surfaces and channels. Security vulnerabilities exist at different levels, and security threats come from the exploitation of existing vulnerabilities in a system.

9) IMPACT OF CYBER ATTACKS
Once an embedded system is attacked, the impact of the cyber-attack could affect the whole targeted system and the systems connected to the targeted system. Therefore, the requirements and solutions of cybersecurity should be considered from design and implementation through to response, so as to prevent and mitigate the damage and economic loss due to cyber-attacks. Figures 9 and 11 illustrate the relationship between the twelve factors with some examples.
Cyberattacks usually aim to damage or breach a security objective, such as confidentiality, integrity, and availability of assets or a combination of these security objectives. For example, when an attacker intends to monitor the traffic of data, violating the confidentiality of the data, the attacker also needs to breach the authentication of the connection; when an attacker gets unauthorized access to the storage of data and tampers with the stored data, this is violating the integrity and confidentiality of the data, and the impact of this attack might be on system resources in the form of increasing energy consumption or draining processor capabilities [86], [125]. A cyber-attack could produce severe consequences, e.g., the damage of all systems connected to the targeted system. Hence, it is important to consider the impacts and responses to potential cyber incidents caused by attacks on these levels [92], [26], [85], [126], [123].

10) THE SECURITY CHALLENGES OF ES
The compromise between maintaining the characteristics of embedded systems and meeting cybersecurity requirements is the challenge of secure ESs [12], [72], [127], [128]. Therefore, there is an urgent need to find comprehensive and advanced security solutions while not draining the resources of the embedded system or conflicting with its properties. These solutions should be implemented, crossing all levels of the ES, as shown in Figure 10. In the nine levels of protection, the first level is to implement “security by design,” and the design should consider all cyber threats from level 2 to level 9. In section C, we will explain all these levels in more detail.

11) THE SECURITY SOLUTIONS OF ES
To ensure security solutions are effective and comprehensive, they must be compatible with the nature of the system characteristics and must be adaptive at all levels. In general, security solutions can be developed in the form of tools, methods, mechanisms or approaches. The best solution is to implement “Security by Design”, regarding the security crossing all levels.

12) ACTORS OR PLAYERS
Manufacturers, suppliers, developers, installers, operators, and legislators play an important role in securing embedded systems. User behavior and the awareness of social-engineering-based attacks are also important [127], [129]–[133], [134].
As shown in Figures 9 and 11, the 12 aspects are strictly related to each other, and to design a protected CPS in an interconnected domain, it is important to secure ESs, as they are connected to each other and may be linked to the Internet.

C. MULTIPLE LAYERS FEEDBACK FRAMEWORK OF EMBEDDED SYSTEM CYBERSECURITY (MULFESC)
Taking the determined twelve factors into account in conjunction with the MuLFESC layers (Figure 10) will lead to building a robust and secure embedded system to the highest standards. The nine layers of exposed risks that need to be protected are depicted in Figure 10.
The MuLFESC framework consists of nine layers. These layers represent the involved entities and components in the CSES abstractly, and based on the nine layers, we can identify the vulnerabilities and cyber threats in each layer, which can be the inputs for improving the design of the system. The first layer is the initial design stage, and this layer is critical: it must be improved iteratively based on the feedback from the other eight layers to implement the “Security by Design” concept. The second layer (CPS) is the most abstract concept of the applications of ESs in different aspects of life. The third, fourth and fifth layers are the core of the MuLFESC framework and are the components targeted by the attacker. Therefore, better-adapted standards in the other layers will be reflected positively on these three layers. The communication layer with its protocols is the window to the outside world of CPS, and the gateway for remote exploitation. Layers 7 and 8 represent the required role of legislators, operators, users, manufacturers, developers, installers, suppliers, and service providers to set the appropriate policies that guarantee privacy, proper use, and right of access to the parties concerned in a manner that guarantees them the highest safety standards. Finally, the impact of the adopted security countermeasures taken in all layers will be monitored in the operational stage, which is considered as a real test layer of the strength and durability of security measures, and the feedback


must be positively reflected onto the first layer from which we set out to improve the security countermeasures.
From the protection perspective, security countermeasures should be integrated at the design stage (Layer 1) and take the properties at different layers of embedded systems into account. The ability to adopt more efficient generic security solutions means the ability to design more robust systems despite the different technical domains. Layer 2 is to secure the physical components of CPS that interact with the outside world, such as sensors and actuators; Layer 3 is to secure the attack surfaces, such as I/O modules, access points such as Wi-Fi, Bluetooth, and USB; Layer 4 is to secure the computation components that might be compromised as a result of the attack such as CPU, memory, and power source; Layer 5 is to secure the software layer, including the operating systems, firmware and applications that should be able to deal with various attacks and handle advanced security solutions; Layer 6 is to secure the Internet connection layer (TCP/IP model) by securing routes and adopting security protocols to ensure a secure transfer of data between a sender and a receiver. Therefore, it is necessary to provide the most secure communication protocols to reduce the capabilities of the attacker and to design ESs with capabilities compatible with the most secure protocols. Layer 7 is to ensure the designed embedded systems are compliant with the legislation and regulations, such as the General Data Protection Regulation (GDPR) or the California Consumer Privacy Act (CCPA), thus ensuring the privacy and protection of users’ data. Layer 8 is to regard the role of actors and players, including users, operators, manufacturers and legislators, etc.; therefore, their roles must be defined clearly to prevent cyber-attacks. Layer 9, the operational phase, should set up necessary risk management and assessment. The feedback from Layer 2 to Layer 9 can be used to improve the security design of ESs, and based on the feedback from the operational phase, the developers of CSES can refine the design of the system, thus eliminating cyber risks.
MuLFESC provides guidance for “Security by Design,” which is required by Industry 4.0. The design stage is essential for the implementation of CSES. The engineering cycle of CSES, such as implementation, test, and verification, is strictly required for the final security of a system, and the security of algorithms and protocols is especially critical. Optimal security solutions are the comprehensive solutions that cover all aspects at various levels. This is what was reached and extracted based on the analysis of previous studies and the extracted influencing factors. Based on that, the security framework shown in Figure 10 has been suggested as a comprehensive reference for comprehensive security assessment and solutions.
From the security risk perspective, these nine layers are exposed to many risks. The following table summarizes some security risks against each layer of the MuLFESC framework.

FIGURE 10. The MuLFESC framework.

VI. CONCLUSION
In this paper, we conducted an analytical study in the field of cybersecurity for embedded systems in order to identify the deficiencies or gaps that need further research to improve the cybersecurity of ESs. The lack of compatible security solutions in line with the capabilities of embedded systems has provided the opportunities for attackers to find exploitable vulnerabilities and carry out various attacks. This is because the security of embedded systems is limited by their resource constraints, rather than the absence of advanced security solutions. Unfortunately, most of the advanced security solutions require a lot of computational resources and high power consumption, so there is an urgent need to find effective and efficient solutions that do not drain the resources of the system.
Based on the architecture of ESs and the studies carried out in this field, we have identified the most critical factors that play an essential role in the cybersecurity industry for embedded systems. These factors draw the overall landscape of the cybersecurity industry for CSES, and they affect each other directly or indirectly. Also, we have reviewed the research on security risks and assessment methodologies regarding all aspects of cybersecurity of ESs and proposed a new assessment perspective within a metrics of risk assessment linked

976 VOLUME 9, 2021


A. Aloseel et al.: Analytical Review of Cybersecurity for Embedded Systems

FIGURE 11. Overall landscape of Cyber Security of Embedded Systems (CSES).

VOLUME 9, 2021 977


A. Aloseel et al.: Analytical Review of Cybersecurity for Embedded Systems

TABLE 4. Security risks against MuLFESC layers. REFERENCES

[1] H. He, C. Maple, T. Watson, A. Tiwari, J. Mehnen, Y. Jin, and B. Gabrys,


‘‘The security challenges in the IoT enabled cyber-physical systems
and opportunities for evolutionary computing & other computational
intelligence,’’ in Proc. IEEE Congr. Evol. Comput. (CEC), Jul. 2016,
pp. 1015–1021, doi: 10.1109/CEC.2016.7743900.
[2] E. Levy, ‘‘Crossover: Online pests plaguing the off line world,’’ IEEE
Secur. Privacy, vol. 1, no. 6, pp. 71–73, Nov. 2003, doi: 10.1109/
MSECP.2003.1253573.
[3] M. Patrick. How MCUs Actually Fight Security Attacks on
Embedded Systems, New Electronics, the site for electronic
design engineers. Accessed: Nov.2, 2019. [Online]. Available:
http://www.newelectronics.co.uk/electronics-technology/how-mcus-
actually-fight-security-attacks-on-embedded-systems/176924/
[4] S. Ali, T. Al Balushi, Z. Nadir, and O. K. Hussain, ‘‘ICS/SCADA
system security for CPS,’’ in Cyber Security for Cyber Physical Sys-
tems (Studies in Computational Intelligence), vol. 768. Muscat, Oman:
Springer-Verlag, 2018, pp. 89–113. [Online]. Available: https://squ.
pure.elsevier.com/en/publications/icsscada-system-security-for-cps, doi:
10.1007/978-3-319-75880-0_5.
[5] R. M. Lee, M. J. Assante, and T. Conway, ‘‘German steel mill
cyber attack,’’ ICS Defense Use Case (DUC), SANS Ind. Con-
trol Syst. (ICS), Swansea, U.K., Tech. Rep., Dec. 2014. [Online].
Available: https://ics.sans.org/media/ICS-CPPE-case-Study-2-German-
Steelworks_Facility.pdf
[6] F. V. and T. Givargis, Embedded System Design: A Unified Hard-
ware/Software Introduction. Hoboken, NJ, USA: Wiley, 2002.
[7] D. Papp, Z. Ma, and L. Buttyan, ‘‘Embedded systems security: Threats,
vulnerabilities, and attack taxonomy,’’ in Proc. 13th Annu. Conf. Pri-
vacy, Secur. Trust (PST), Jul. 2015, pp. 145–152, doi: 10.1109/PST.
2015.7232966.
[8] P. V. Pham Van and N. N. Binh, ‘‘Embedded system architecture
design and optimization at the model level,’’ Int. J. Comput. Commun.
Eng., vol. 1, no. 5, pp. 345–349, Nov. 2012, doi: 10.7763/ijcce.2012.
v1.87.
[9] A. A. Suzen, B. Duman, and B. Sen, ‘‘Benchmark analysis of jetson
TX2, jetson nano and raspberry PI using deep-CNN,’’ in Proc. Int. Congr.
Hum.-Comput. Interact., Optim. Robotic Appl. (HORA), Jun. 2020,
pp. 1–5, doi: 10.1109/HORA49412.2020.9152915.
[10] Cyber-Physical Systems (CPS) Nsf08611. Accessed: Sep. 4, 2019.
[Online]. Available: https://www.nsf.gov/pubs/2008/nsf08611/nsf08611.
htm
[11] P. Marwedel and P. Marwedel, ‘‘Embedded system hardware,’’ in Proc.
Embedded Syst. Design, 2011, pp. 119–175.
[12] E. A. Lee, ‘‘Cyber physical systems: Design challenges,’’ in Proc. 11th
IEEE Int. Symp. Object Component-Oriented Real-Time Distrib. Comput.
(ISORC), May 2008, pp. 363–369, doi: 10.1109/ISORC.2008.25.
[13] S. Hameed, F. I. Khan, and B. Hameed, ‘‘Understanding security
requirements and challenges in Internet of Things (IoT): A review,’’
to MuLFESC. The determined influencing factors have been J. Comput. Netw. Commun., vol. 2019, pp. 1–14, Jan. 2019, doi:
employed to shape the Multiple Layers Feedback Framework 10.1155/2019/9629381.
of Embedded System Cybersecurity (MuLFESC) in line with [14] Cyber-Physical Systems|Digital Single Market. Accessed: Aug. 26, 2019.
[Online]. Available: https://ec.europa.eu/digital-single-market/en/cyber-
the security risk metrics model. physical-systems
The proposed MuLFESC Framework could contribute to [15] H. Boyes, B. Hallaq, J. Cunningham, and T. Watson, ‘‘The industrial
the implementation of comprehensive and effective ‘‘Security Internet of Thing (IIoT): An analysis framework,’’ Comput. Ind., vol. 101,
pp. 1–12, Oct. 2018, doi: 10.1016/j.compind.2018.04.015.
by Design’’ solutions by providing feedback to the design [16] S. I. Tay, T. C. Lee, N. Z. A. Hamid, and A. N. A. Ahmad, ‘‘An overview
stage of CSES. of industry 4.0: Definition, components, and government initiatives,’’
Overall, taking the identified key factors, the proposed J. Adv. Res. Dyn. Control Syst., vol. 10, no. 14, pp. 1379–1387,
2018.
MuLFESC, the risk assessment metrics, and all involved
[17] S. Ntalampiras, ‘‘Automatic identification of integrity attacks in cyber-
parties of CSES into account will facilitate the mission physical systems,’’ Expert Syst. Appl., vol. 58, pp. 164–173, Oct. 2016,
for security practitioners to carry out a comprehensive doi: 10.1016/j.eswa.2016.04.006.
assessment. Thus, more efficient application-specific secu- [18] A. Pasquini, Computer Safety, Reliability and Security, vol. 1698.
Berlin, Germany: Springer, 1999. [Online]. Available: https://link.
rity solutions can be designed, thereby improving CPS springer.com/book/10.1007%2F3-540-48249-0, doi: 10.1007/978-3-
cybersecurity. 319-24249-1.
[19] S. Ravi, P. Kocher, R. Lee, G. McGraw, and A. Raghunathan, ‘‘Secu-
rity as a new dimension in embedded system design,’’ in Proc.
APPENDIX 41st Annu. Conf. Desigh Autom., 2004, p. 753, doi: 10.1145/996566.
See Figure 11. 996771.


[20] V. H. MESHRAM and A. B. SASANKAR, “Security in embedded systems: Vulnerabilities, pigeonholing of attacks and countermeasures,” in Proc. IOSR J. Comput. Eng., 2016, pp. 11–15.
[21] C. Bodei, S. Chessa, and L. Galletta, “Measuring security in IoT communications,” Theor. Comput. Sci., vol. 764, pp. 100–124, Apr. 2019, doi: 10.1016/j.tcs.2018.12.002.
[22] S. Parameswaran and T. Wolf, “Embedded systems security—An overview,” Design Autom. Embedded Syst., vol. 12, no. 3, pp. 173–183, Sep. 2008, doi: 10.1007/s10617-008-9027-x.
[23] D. D. Hwang, P. Schaumont, K. Tiri, and I. Verbauwhede, “Securing embedded systems,” IEEE Secur. Privacy Mag., vol. 4, no. 2, pp. 40–49, Mar. 2006.
[24] M. Abomhara and G. M. Køien, “Cyber security and the Internet of Things: Vulnerabilities, threats, intruders and attacks,” J. Cyber Secur. Mobility, vol. 4, no. 1, pp. 65–88, 2015, doi: 10.13052/jcsm2245-1439.414.
[25] P. Marwedel, Embedded System Design. Cham, Switzerland: Springer, 2018.
[26] H. Chai, G. Zhang, J. Zhou, J. Sun, L. Huang, and T. Wang, “A short review of security-aware techniques in real-time embedded systems,” J. Circuits, Syst. Comput., vol. 28, no. 2, Feb. 2019, Art. no. 1930002, doi: 10.1142/S0218126619300022.
[27] W. Wang, X. Zhang, Q. Hao, Z. Zhang, B. Xu, H. Dong, T. Xia, and X. Wang, “Hardware-enhanced protection for the runtime data security in embedded systems,” Electronics, vol. 8, no. 1, p. 52, Jan. 2019, doi: 10.3390/electronics8010052.
[28] S. Ali, Cyber Security for Cyber Physical Systems, vol. 768. Springer, 2018, pp. 11–33, doi: 10.1007/978-3-319-75880-0_2.
[29] G. Loukas, E. Karapistoli, E. Panaousis, P. Sarigiannidis, A. Bezemskij, and T. Vuong, “A taxonomy and survey of cyber-physical intrusion detection approaches for vehicles,” Ad Hoc Netw., vol. 84, pp. 124–147, Mar. 2019. [Online]. Available: https://www.sciencedirect.com/science/article/pii/S1570870518307091?via%3Dihub, doi: 10.1016/j.adhoc.2018.10.002.
[30] H. Habibzadeh, B. H. Nussbaum, F. Anjomshoa, B. Kantarci, and T. Soyata, “A survey on cybersecurity, data privacy, and policy issues in cyber-physical system deployments in smart cities,” Sustain. Cities Soc., vol. 50, Oct. 2019, Art. no. 101660, doi: 10.1016/j.scs.2019.101660.
[31] P. I. Radoglou Grammatikis, P. G. Sarigiannidis, and I. D. Moscholios, “Securing the Internet of Things: Challenges, threats and solutions,” Internet Things, vol. 5, pp. 41–70, Mar. 2019, doi: 10.1016/j.iot.2018.11.003.
[32] A. Riahi Sfar, E. Natalizio, Y. Challal, and Z. Chtourou, “A roadmap for security challenges in the Internet of Things,” Digit. Commun. Netw., vol. 4, no. 2, pp. 118–137, Apr. 2018, doi: 10.1016/j.dcan.2017.04.003.
[33] A. Humayed, J. Lin, F. Li, and B. Luo, “Cyber-physical systems Security—A survey,” IEEE Internet Things J., vol. 4, no. 6, pp. 1802–1831, Dec. 2017, doi: 10.1109/JIOT.2017.2703172.
[34] X. Liu, M. Zhao, S. Li, F. Zhang, and W. Trappe, “A security framework for the Internet of Things in the future Internet architecture,” Future Internet, vol. 9, no. 3, p. 27, Jun. 2017, doi: 10.3390/fi9030027.
[35] P. Koopman, “Embedded system security,” Computer, vol. 37, no. 7, pp. 95–97, Jul. 2004.
[36] C. O’Flynn and Z. Chen, “ChipWhisperer: An open-source platform for hardware embedded security research,” in Proc. Int. Workshop Constructive Side-Channel Anal. Secure Design, 2014, pp. 243–260.
[37] M. Yampolskiy, P. Horvath, X. D. Koutsoukos, Y. Xue, and J. Sztipanovits, “Taxonomy for description of cross-domain attacks on CPS,” in Proc. 2nd ACM Int. Conf. High confidence Netw. Syst., 2013, pp. 135–142, doi: 10.1145/2461446.2461465.
[38] L. Khelladi, Y. Challal, A. Bouabdallah, and N. Badache, “On security issues in embedded systems: Challenges and solutions,” Int. J. Inf. Comput. Secur., vol. 2, no. 2, p. 140, 2008, doi: 10.1504/IJICS.2008.018515.
[39] G. Bansod, N. Raval, and N. Pisharoty, “Implementation of a new lightweight encryption design for embedded security,” IEEE Trans. Inf. Forensics Security, vol. 10, no. 1, pp. 142–151, Jan. 2015, doi: 10.1109/TIFS.2014.2365734.
[40] Y. Liu, Y. Peng, B. Wang, S. Yao, and Z. Liu, “Review on cyber-physical systems,” IEEE/CAA J. Automatica Sinica, vol. 4, no. 1, pp. 27–40, Jan. 2017, doi: 10.1109/JAS.2017.7510349.
[41] J. M. Kizza, “Computer and Network Forensics,” in A Guide to Computer Network Security, London, U.K.: Springer, 2009, pp. 299–328.
[42] E. Bertino, L. D. Martino, F. Paci, and A. C. Squicciarini, “Web services threats, vulnerabilities, and countermeasures,” in Security for Web Services Service-Oriented Architectures. Berlin, Germany: Springer, 2009, pp. 25–44.
[43] H. G. Brauch, “Concepts of security threats, challenges, vulnerabilities and risks,” in Coping With Global Environmental Change, Disasters and Security. Berlin, Germany: Springer, vol. 11. pp. 61–106. [Online]. Available: https://link.springer.com/chapter/10.1007%2F978-3-642-17776-7_2, doi: 10.1007/978-3-642-17776-7_2.
[44] K. Dahbur, B. Mohammad, and A. B. Tarakji, “A survey of risks, threats and vulnerabilities in cloud computing,” in Proc. Int. Conf. Intell. Semantic Web-Services Appl., 2011, pp. 1–6, doi: 10.1145/1980822.1980834.
[45] A. Yan. Introduction to Information Sys—R. Kelly Rainer (1). Accessed: Aug. 25, 2019. [Online]. Available: https://www.academia.edu/28734440/Introduction_to_Information_Sys_-_R._Kelly_Rainer_1_
[46] F. Li, A. Lai, and D. Ddl, “Evidence of advanced persistent threat: A case study of malware for political espionage,” in Proc. 6th Int. Conf. Malicious Unwanted Softw., Oct. 2011, pp. 102–109, doi: 10.1109/MALWARE.2011.6112333.
[47] S. Ansari, S. G. Rajeev, and H. S. Chandrashekar, “Packet sniffing: A brief introduction,” IEEE Potentials, vol. 21, no. 5, pp. 17–19, Dec. 2002, doi: 10.1109/MP.2002.1166620.
[48] M. de Vivo, E. Carrasco, G. Isern, and G. O. de Vivo, “A review of port scanning techniques,” ACM SIGCOMM Comput. Commun. Rev., vol. 29, no. 2, pp. 41–48, Apr. 1999, doi: 10.1145/505733.505737.
[49] V. M. Igure, S. A. Laughter, and R. D. Williams, “Security issues in SCADA networks,” Comput. Secur., vol. 25, no. 7, pp. 498–506, Oct. 2006, doi: 10.1016/j.cose.2006.03.001.
[50] A. Nicholson, S. Webber, S. Dyer, T. Patel, and H. Janicke, “SCADA security in the light of cyber-warfare,” Comput. Secur., vol. 31, no. 4, pp. 418–436, Jun. 2012, doi: 10.1016/j.cose.2012.02.009.
[51] C. Wilson. (2008). Botnets, Cybercrime, and Cyberterrorism: Vulnerabilities and Policy Issues for Congress. Accessed: Aug. 26, 2019. [Online]. Available: https://apps.dtic.mil/docs/citations/ADA477642
[52] I. Naumann and G. Hogben, “Privacy features of European eID card specifications,” Netw. Secur., vol. 2008, no. 8, pp. 9–13, Aug. 2008, doi: 10.1016/S1353-4858(08)70097-7.
[53] T. Fitz, M. Theiler, and K. Smarsly, “A metamodel for cyber-physical systems,” Adv. Eng. Informat., vol. 41, Aug. 2019, Art. no. 100930, doi: 10.1016/j.aei.2019.100930.
[54] NIST. (2014). National Institute of Standards and Technology (NIST) Cybersecurity Risk Management Framework Applied to Modern Vehicles. [Online]. Available: https://www.nhtsa.gov/sites/nhtsa.dot.gov/files/812073_natlinstitstandardstechcyber.pdf.
[55] NIST. Accessed: Oct. 16, 2019. [Online]. Available: https://www.nist.gov/
[56] D. S. Pallett, “National institute of standards and technology (NIST),” in Proc. workshop Speech Natural Lang., 1989, p. 191, doi: 10.3115/100964.1138540.
[57] I. P. Draft. (2017). NIST Guide to Supervisory and Data Acquisition-SCADA and Industrial Control Systems Security. [Online]. Available: http://www.cyber.st.dhs.gov/docs/NIST
[58] E. Chew, “Performance measurement guide for information security,” Nat. Inst. Standards Technol. (NIST), Gaithersburg, MD, USA, NIST Special Publication 800-55 Revision 1, Jul. 2008. [Online]. Available: https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-55r1.pdf
[59] NIST Special Publication 800-181: National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST, Gaithersburg, MD, USA, vol. 144, 2017, doi: 10.6028/NIST.SP.800-181.
[60] M. G. Williams, “A risk assessment on raspberry PI using NIST standards,” Int. J. Comput. Sci. Netw. Secur., vol. 15, no. 6, pp. 22–30, 2015.
[61] B. Potteiger, W. Emfinger, H. Neema, X. Koutosukos, C. Tang, and K. Stouffer, “Evaluating the effects of cyber-attacks on cyber physical systems using a hardware-in-the-loop simulation testbed,” in Proc. Resilience Week (RWS), Sep. 2017, pp. 177–183, doi: 10.1109/RWEEK.2017.8088669.
[62] W. Pieters, “Defining ‘the weakest link’: Comparative security in complex systems of systems,” in Proc. IEEE 5th Int. Conf. Cloud Comput. Technol. Sci., Dec. 2013, pp. 39–44, doi: 10.1109/CloudCom.2013.101.

VOLUME 9, 2021 979


A. Aloseel et al.: Analytical Review of Cybersecurity for Embedded Systems

[63] K. Georgiou, S. Xavier-de-Souza, and K. Eder, ‘‘The IoT energy chal- [83] S. Lukacs, A. V. Lutas, D. H. Lutas, and G. Sebestyen, ‘‘Hardware
lenge: A software perspective,’’ IEEE Embedded Syst. Lett., vol. 10, no. 3, virtualization based security solution for embedded systems,’’ in Proc.
pp. 53–56, Sep. 2018, doi: 10.1109/LES.2017.2741419. IEEE Int. Conf. Autom., Qual. Test., Robot., May 2014, pp. 1–6, doi:
[64] J. A. Ambrose, R. G. Ragel, D. Jayasinghe, T. Li, and S. Parameswaran, 10.1109/AQTR.2014.6857879.
‘‘Side channel attacks in embedded systems: A tale of hostilities and [84] H. Elmiligi, F. Gebali, and M. W. El-Kharashi, ‘‘Multi-dimensional anal-
deterrence,’’ in Proc. 16th Int. Symp. Qual. Electron. Desigh, Mar. 2015, ysis of embedded systems security,’’ Microprocessors Microsyst., vol. 41,
pp. 452–459, doi: 10.1109/ISQED.2015.7085468. pp. 29–36, Mar. 2016, doi: 10.1016/j.micpro.2015.12.005.
[65] S. Bhunia and M. Tehranipoor, Eds., ‘‘Chapter 1—Introduction to [85] H. Read, I. Sutherland, K. Xynos, and F. Roarson, ‘‘Locking out the
hardware security,’’ in Hardware Security. Cambridge, MA, USA: investigator: The need to circumvent security in embedded systems,’’ Inf.
Morgan Kaufmann, 2019, pp. 1–20. [Online]. Available: https://www. Secur. J., Global Perspective, vol. 24, nos. 1–3, pp. 39–47, Jul. 2015, doi:
sciencedirect.com/science/article/pii/B978012812477200006X, doi: 10. 10.1080/19393555.2014.998847.
1016/B978-0-12-812477-2.00006-X. [86] C. Moreno and S. Fischmeister, ‘‘Non-intrusive runtime monitoring
[66] J. M. Kizza, ‘‘Understanding computer network security,’’ in Guide through power consumption to enforce safety and security properties
to Computer Network Security (Computer Communications and Net- in embedded systems,’’ Formal Methods Syst. Design, vol. 53, no. 1,
works). London, U.K.: Springer, 2013. [Online]. Available: https://link. pp. 113–137, Aug. 2018, doi: 10.1007/s10703-017-0298-3.
springer.com/book/10.1007%2F978-1-4471-4543-1, doi: 10.1007/978- [87] I. Garitano, S. Fayyad, and J. Noll, ‘‘Multi-metrics approach for security,
1-4471-4543-1_2. privacy and dependability in embedded systems,’’ Wireless Pers. Com-
[67] R. Alguliyev, Y. Imamverdiyev, and L. Sukhostat, ‘‘Cyber-physical sys-
mun., vol. 81, no. 4, pp. 1359–1376, Apr. 2015, doi: 10.1007/s11277-015-
tems and their security issues,’’ Comput. Ind., vol. 100, pp. 212–223,
2478-z.
Sep. 2018, doi: 10.1016/j.compind.2018.04.017.
[68] D. N. Serpanos and A. G. Voyiatzis, ‘‘Security challenges in embedded [88] D. Mu, B. Ma, B. Mao, and W. Hu, ‘‘A bottom-up approach to verifiable
systems,’’ ACM Trans. Embedded Comput. Syst., vol. 12, no. 1s, pp. 1–10, embedded system information flow security,’’ IET Inf. Secur., vol. 8, no. 1,
Mar. 2013, doi: 10.1145/2435227.2435262. pp. 12–17, Jan. 2014, doi: 10.1049/iet-ifs.2012.0342.
[69] ISO. (2013). ISO/IEC 27001:2013. Accessed: Nov. 9, 2019. [Online]. [89] L. Shian, ‘‘Design and development of a security kernel in an embedded
Available: https://www.iso.org/standard/54534.html system,’’ Int. J. Control Autom., vol. 7, no. 11, pp. 49–58, Nov. 2014, doi:
[70] I. Hsu, C.-Y. Chen, S. Lin, T.-J. Yu, N. Cho, and M.-C. Hsieh, ‘‘7nm 10.14257/ijca.2014.7.11.06.
chip-package interaction study on a fine pitch flip chip package with [90] M. Vasilevskaya, L. A. Gunawan, S. Nadjm-Tehrani, and P. Herrmann,
laser assisted bonding and mass reflow technology,’’ in Proc. IEEE 69th ‘‘Integrating security mechanisms into embedded systems by
Electron. Compon. Technol. Conf. (ECTC), May 2019, pp. 289–293, doi: domain-specific modelling,’’ Secur. Commun. Netw., vol. 7, no. 12,
10.1109/ECTC.2019.00050. pp. 2815–2832, Dec. 2014, doi: 10.1002/sec.819.
[71] S. M. Dibaji, M. Pirani, D. B. Flamholz, A. M. Annaswamy, [91] E. Thayer, ‘‘Adversarial Testing to Increase the Overall Security of
K. H. Johansson, and A. Chakrabortty, ‘‘A systems and control per- Embedded Systems: A Review of the Process,’’ IEEE Control Syst.,
spective of CPS security,’’ Annu. Rev. Control, vol. 47, pp. 394–411, vol. 37, no. 2, pp. 104–108, Apr. 2017, doi: 10.1109/MCS.2016.
Dec. 2019, doi: 10.1016/j.arcontrol.2019.04.011. 2643258.
[72] Y. Ashibani and Q. H. Mahmoud, ‘‘Cyber physical systems security: [92] J. Hasler and S. Shah, ‘‘Security implications for ultra-low power con-
Analysis, challenges and solutions,’’ Comput. Secur., vol. 68, pp. 81–97, figurable SoC FPAA embedded systems,’’ J. Low Power Electron. Appl.,
Jul. 2017, doi: 10.1016/j.cose.2017.04.005. vol. 8, no. 2, p. 17, Jun. 2018, doi: 10.3390/jlpea8020017.
[73] T. Poongothai and K. Duraiswamy, ‘‘Intrusion detection in mobile AdHoc [93] Y. Mahmoodi, S. Reiter, A. Viehl, O. Bringmann, and W. Rosenstiel,
networks using machine learning approach,’’ in Proc. Int. Conf. Inf. Com- ‘‘Attack surface modeling and assessment for penetration testing of IoT
mun. Embedded Syst. (ICICES), Feb. 2014, pp. 1–5, doi: 10.1109/ICI- system designs,’’ in Proc. 21st Euromicro Conf. Digit. Syst. Desigh DSD,
CES.2014.7033949. vol. 2018, 2018, pp. 177–181, doi: 10.1109/DSD.2018.00043.
[74] A. Hahn, A. Ashok, S. Sridhar, and M. Govindarasu, ‘‘Cyber-physical
[94] S. Checkoway, ‘‘Automotive attack surfaces,’’ in Proc. USENIX Secur.,
security testbeds: Architecture, application, and evaluation for smart
2011, pp. 1–5, doi: 10.1109/TITS.2014.2342271.
grid,’’ IEEE Trans. Smart Grid, vol. 4, no. 2, pp. 847–855, Jun. 2013,
doi: 10.1109/TSG.2012.2226919. [95] A. Bartel, J. Klein, Y. Le Traon, and M. Monperrus, ‘‘Automatically
[75] D. Trawczynski, J. Zalewski, and J. Sosnowski, ‘‘Design of reactive securing permission-based software by reducing the attack surface: An
security mechanisms in time-triggered embedded systems,’’ SAE Int. application to android,’’ in Proc. 27th IEEE/ACM Int. Conf. Autom. Softw.
J. Passenger Cars—Electron. Electr. Syst., vol. 7, no. 2, pp. 527–535, Eng., 2012, pp. 274–277, doi: 10.1145/2351676.2351722.
Apr. 2014, doi: 10.4271/2014-01-0341. [96] L. Wilbanks, ‘‘Whats your IT risk approach?’’ IT Prof., vol. 20, no. 4,
[76] R. M. Yousufi, P. Lalwani, and M. B. Potdar, ‘‘A network-based intru- pp. 13–17, Jul. 2018, doi: 10.1109/MITP.2018.043141663.
sion detection and prevention system with multi-mode counteractions,’’ [97] P. Cichonski, T. Millar, T. Grance, and K. Scarfone, ‘‘Computer security
in Proc. Int. Conf. Innov. Inf., Embedded Commun. Syst. (ICIIECS), incident handling guide?: Recommendations of the National Institute of
Mar. 2017, pp. 1–6, doi: 10.1109/ICIIECS.2017.8276023. Standards and Technology,’’ Nat. Inst. Standards Technol., Gaithersburg,
[77] J. Giraldo, D. Urbina, A. Cardenas, J. Valente, M. Faisal, J. Ruths, MD, USA, NIST Special Publication 800-61 Revision 2, 2012, doi:
N. O. Tippenhauer, H. Sandberg, and R. Candell, ‘‘A survey of physics- 10.6028/NIST.SP.800-61r2.
based attack detection in cyber-physical systems,’’ ACM Comput. Surv., [98] J. Creasy. (2013). Cyber Security Incident Response Guide. [Online].
vol. 51, no. 4, pp. 1–36, Sep. 2018, doi: 10.1145/3203245. Available: http://www.crest-approved.org/wp-content/uploads/CSIR-
[78] E. Eyisi and X. Koutsoukos, ‘‘Energy-based attack detection in networked Procurement-Guide.pdf
control systems,’’ in Proc. 3rd Int. Conf. High Confidence Netw. Syst., [99] A. Dorofee. (2018). Incident Management Capability Assess-
2014, pp. 115–124, doi: 10.1145/2566468.2566472. ment. [Online]. Available: https://resources.sei.cmu.edu/asset
[79] Z. Gu, G. Han, H. Zeng, and Q. Zhao, ‘‘Security-aware mapping and _files/TechnicalReport/2018_005_001_538866.pdf
scheduling with hardware co-processors for FlexRay-based distributed [100] S. Sultana, D. Midi, and E. Bertino, ‘‘Kinesis: A security incident
embedded systems,’’ IEEE Trans. Parallel Distrib. Syst., vol. 27, no. 10, response and prevention system for wireless sensor networks,’’ in Proc.
pp. 3044–3057, Oct. 2016, doi: 10.1109/TPDS.2016.2520949. 12th ACM Conf. Embedded Netw. Sensor Syst., 2014, pp. 148–162, doi:
[80] J.-L. Zhang, W.-Z. Wang, X.-W. Wang, and Z.-H. Xia, ‘‘Enhancing 10.1145/2668332.2668351.
security of FPGA-based embedded systems with combinational logic
[101] Crest. Accessed: Oct. 16, 2019. [Online]. Available: https://www.crest-
binding,’’ J. Comput. Sci. Technol., vol. 32, no. 2, pp. 329–339, Mar. 2017,
approved.org/index.html
doi: 10.1007/s11390-017-1700-8.
[81] V. Negi, H. Verma, I. Singh, A. Vikram, K. Malik, A. Singh, [102] CERT Division. Accessed: Oct. 16, 2019).[Online]. Available:
and G. Verma, ‘‘Network security in embedded system using TLS,’’ https://www.sei.cmu.edu/about/divisions/cert/
Int. J. Secur. Appl., vol. 10, no. 2, pp. 375–384, Feb. 2016, doi: [103] S. Ravi, A. Raghunathan, and S. Chakradhar, ‘‘Tamper resistance mech-
10.14257/ijsia.2016.10.2.33. anisms for secure embedded systems,’’ in Proc. 17th Int. Conf. VLSI
[82] C. Manifavas, K. Fysarakis, A. Papanikolaou, and I. Papaefstathiou, Desigh Proc., 2004, pp. 605–611, doi: 10.1109/icvd.2004.1260985.
‘‘Embedded systems security: A survey of EU research efforts,’’ [104] P. Gupta, S. Ravi, A. Raghunathan, and N. K. Jha, ‘‘Efficient fingerprint-
Secur. Commun. Netw., vol. 8, no. 11, pp. 2016–2036, Jul. 2015, doi: based user authentication for embedded systems,’’ in Proc. 42nd Desigh
10.1002/sec.1151. Autom. Conf., 2005, pp. 244–247.

980 VOLUME 9, 2021


A. Aloseel et al.: Analytical Review of Cybersecurity for Embedded Systems

[105] M. Sveda and V. Oplustil, ‘‘Experience with integration and certifica- [126] A. P. Fournaris and N. Sklavos, ‘‘Secure embedded system hard-
tion of COTS based embedded system into advanced avionics system,’’ ware design—A flexible security and trust enhanced approach,’’
in Proc. Int. Symp. Ind. Embedded Syst., Jul. 2007, pp. 282–287, doi: Comput. Electr. Eng., vol. 40, no. 1, pp. 121–133, Jan. 2014, doi:
10.1109/SIES.2007.4297346. 10.1016/j.compeleceng.2013.11.011.
[106] A. Ukil, J. Sen, and S. Koilakonda, ‘‘Embedded security for Internet [127] W. A. Arbaugh and L. van Doorn, ‘‘Embedded security: Challenges
of Things,’’ in Proc. 2nd Nat. Conf. Emerg. Trends Appl. Comput. Sci., and concerns,’’ Computer, vol. 34, no. 10, pp. 40–41, Oct. 2001, doi:
Mar. 2011, pp. 50–55, doi: 10.1109/NCETACS.2011.5751382. 10.1109/MC.2001.955096.
[107] A. M. Wyglinski, X. Huang, T. Padir, L. Lai, T. R. Eisenbarth, and [128] S. Han, M. Xie, H.-H. Chen, and Y. Ling, ‘‘Intrusion detection in cyber-
K. Venkatasubramanian, ‘‘Security of autonomous systems employ- physical systems: Techniques and challenges,’’ IEEE Syst. J., vol. 8, no. 4,
ing embedded computing and sensors,’’ IEEE Micro, vol. 33, no. 1, pp. 1052–1062, Dec. 2014, doi: 10.1109/jsyst.2013.2257594.
pp. 80–86, Jan. 2013, doi: 10.1109/MM.2013.18. [129] T. Sakuneka, A. Marnewick, and J.-H. Pretorius, ‘‘Industry 4.0 competen-
[108] M. Al-Haidary and Q. Nasir, ‘‘Physically unclonable functions (PUFs): cies for a control systems engineer,’’ in Proc. IEEE Technol. Eng. Manag.
A systematic literature review,’’ in Proc. Adv. Sci. Eng. Technol. Int. Conf. Conf., Dec. 2019, pp. 1–6, doi: 10.1109/temscon.2019.8813717.
(ASET), Mar. 2019, pp. 1–6, doi: 10.1109/ICASET.2019.8714431. [130] C. Baron and B. Daniel-Allegro, ‘‘About adopting a systemic approach
[109] N. Alimohammadi and S. B. Shokouhi, ‘‘Secure hardware key based to design connected embedded systems: A MOOC promoting sys-
on physically unclonable functions and artificial neural network,’’ in tems thinking and systems engineering,’’ Syst. Eng., vol. 15, pp. 1–20,
Proc. 8th Int. Symp. Telecommun. (IST), Sep. 2016, pp. 756–760, doi: Sep. 2019, doi: 10.1002/sys.21513.
10.1109/ISTEL.2016.7881924. [131] G. Mohay, ‘‘Technical challenges and directions for digital forensics,’’
[110] S. Nimgaonkar, M. Gomathisankaran, and S. P. Mohanty, ‘‘TSV: A novel in Proc. 1st Int. Work. Syst. Approaches to Digit. Forensic Eng., 2005,
energy efficient memory integrity verification scheme for embedded pp. 155–161, 2005, doi: 10.1109/SADFE.2005.24.
systems,’’ J. Syst. Archit., vol. 59, no. 7, pp. 400–411, Aug. 2013, doi: [132] W. Hasselbring and R. Reussner, ‘‘Toward trustworthy software
10.1016/j.sysarc.2013.04.008. systems,’’ Computer, vol. 39, no. 4, pp. 91–92, Apr. 2006, doi:
[111] A. Venäkauskas, N. Jusas, E. Kazanaviàius, and V. Štuikys, ‘‘An energy 10.1109/MC.2006.142.
efficient protocol for the Internet of Things,’’ J. Electr. Eng., vol. 66, no. 1, [133] T. M. Van Engers and E. Glassée, ‘‘Facilitating the legislation process
pp. 47–52, Jan. 2015, doi: 10.1515/jee-2015-0007. using a shared conceptual model,’’ IEEE Intell. Syst. Their Appl., vol. 16,
[112] D. Xu, ‘‘Virtualization and security,’’ in Proc. 4th ACM Conf. no. 1, pp. 50–55, 2001, doi: 10.1109/5254.912385.
Data Appl. Secur. Privacy (CODASPY), Mar. 2014, pp. 73–74. [134] G. Hatzivasilis, I. Papaefstathiou, and C. Manifavas, ‘‘Software security,
[Online]. Available: https://dl.acm.org/doi/10.1145/2557547.2557590, privacy, and dependability: Metrics and measurement,’’ IEEE Softw.,
doi: 10.1145/2557547.2557590. vol. 33, no. 4, pp. 46–54, Jul. 2016, doi: 10.1109/MS.2016.61.
[113] D. Jha and B. Shahi, ‘‘A proposed methodology for end to end encryp-
tion for communicating embedded systems,’’ in Proc. Int. Conf. Innov.
Inf., Embedded Commun. Syst. (ICIIECS), Mar. 2017, pp. 1–3, doi:
10.1109/ICIIECS.2017.8275910.
[114] R. Chatterjee, R. Chakraborty, and J. K. Mandal, ‘‘Design of crypto-
graphic model for End-to-End encryption in FPGA based systems,’’
in Proc. 3rd Int. Conf. Comput. Methodologies Commun. (ICCMC),
Mar. 2019, pp. 459–465, doi: 10.1109/ICCMC.2019.8819761.
[115] Y. Cheng, J. Deng, J. Li, S. A. Deloach, A. Singhal, and X. Ou, ‘‘Metrics
of security,’’ Adv. Inf. Secur., vol. 62, pp. 263–295, Dec. 2014, doi:
10.1007/978-3-319-11391-3_13.
[116] (2019). Educause. Accessed: Nov. 9, 2019. [Online]. Available:
https://library.educause.edu/topics/cybersecurity/security-metrics
[117] S. Biswas and R. Chellappa, Encyclopedia of Cryptography and Security,
vol. 20, no. 6. Boston, MA, USA: Springer, 2011.
[118] R. Ma, P. Cheng, Z. Zhang, W. Liu, Q. Wang, and Q. Wei, ‘‘Stealthy attack
against redundant controller architecture of industrial cyber-physical sys-
tem,’’ IEEE Internet Things J., vol. 6, no. 6, pp. 9783–9793, Dec. 2019,
doi: 10.1109/jiot.2019.2931349.
[119] A. Elahi, Computer Systems. Cham, Switzerland: Springer, 2018.
[Online]. Available: https://link.springer.com/book/10.1007%2F978-3-
319-66775-1, doi: 10.1007/978-3-319-66775-1.
[120] S. Sudhakar, E. P. Kumar, and S. Thiyagarajan, ‘‘Border security and
multi access robot using embedded system,’’ Indian J. Sci. Technol.,
vol. 9, no. 16, May 2016, doi: 10.17485/ijst/2016/v9i16/92205.
[121] C. Britto. (2014). International Journal of Innovative Technology
and Research. Accessed: Sep. 8, 2019. [Online]. Available:
https://plu.mx/plum/a/?elsevier_id=2-s2.0-85061817104&theme=plum-
scopus-theme
[122] K. Kimani, V. Oduol, and K. Langat, ‘‘Cyber security challenges for IoT-
based smart grid networks,’’ Int. J. Crit. Infrastruct. Protection, vol. 25,
pp. 36–49, Jun. 2019, doi: 10.1016/j.ijcip.2019.01.001.
ABDULMOHSAN ALOSEEL received the B.S. degree in management information systems (MIS) from King Faisal University, in 2006, and the M.S. degree in computer and network security from Middlesex University London, London, in 2015. He is currently pursuing the Ph.D. degree in cybersecurity of embedded systems with the School of Aerospace, Transport and Manufacturing (SATM), Cranfield University. He has been working as an IT Officer with the Royal Saudi Air Force (RSAF) since 2007.


HONGMEI HE (Senior Member, IEEE) received the B.Eng. degree in electronics and computer engineering from Anhui Polytechnic University, Wuhu, China, in 1997, and the M.Sc. degree in multimedia and internet computing and the Ph.D. degree in computer science from Loughborough University, Loughborough, U.K., in 2003 and 2006, respectively. She is currently a Lecturer of AI and cybersecurity with Cranfield University, Cranfield, U.K. Previously, she was a Research Fellow with the University of Kent from January 2012 to October 2013, the PDRA, University of Ulster, from April 2011 to December 2011, and the University of Bristol, from January 2007 to March 2011. Before coming to the U.K., she was a Senior Embedded System Engineer with Motorola Design House, Shenzhen, China. Her expertise in AI has been explored in a wide range of applications, such as cognitive robotics, cognitive cybersecurity, data/sensor fusion, cloud resource allocation, flood prediction, computational finance, and graph drawings. Her current research interests include AI and cybersecurity, covering AI for cognitive cybersecurity, safety and security of autonomous systems, and cognitive cybersecurity. She is an active member of IEEE’s computational intelligence, RAS, cybersecurity, and women-in-engineering societies. She is the secretary of IEEE UK & Ireland’s RAS Chapter and a member of the Adaptive and Dynamic Programming and Reinforcement Technic Committee (ADPRLTC) of IEEE’s computational intelligence society. She is also a working group member of IEEE Technical Ethics P7000 standard. She has been an Editorial Board member of Advances in Computing since 2011 and an Associate Editor of Frontiers in Blockchain since 2018.

CARL SHAW received the Ph.D. degree in physics from Queen’s University Belfast, in 1997. He then worked in U.K. defense before leaving for the private sector, where he worked in the semiconductor industry for STMicroelectronics. Throughout this period, he worked on the electronic design, system architecture, and software of embedded systems. For the last 16 years, he has been active in software and hardware security and is currently the Co-Founder of Cerberus Security Laboratories Ltd., a U.K. security consultancy, where he advises global multinationals on electronic product cybersecurity and works closely with academic institutions researching secure hardware and embedded systems.

MUHAMMAD ALI KHAN received the Ph.D. degree in condition monitoring from The University of Manchester, in 2008. He is currently a Senior Lecturer in Fatigue and Damage Tolerance. He has over 18 years’ experience in failure analysis, diagnostics tools, and condition monitoring. He has worked on key defense projects sponsored by the U.S. Marines, General Dynamics, The British Army, and QinetiQ, U.K. He is also the Director of maintenance engineering and the Asset Management course with Cranfield University. He has authored a book on machine health diagnostics and published more than 60 research articles in reputed international journals and conferences. He is also a Chartered Engineer and a member of the IMechE and BINDT technical committees on condition monitoring.
