Embedded Systems and IoT Security: Securing the Devices Nobody Thinks About

Hook / Why This Matters

CISSP Lens: Pick answers that align business risk, governance intent, and practical control execution.

Your network has more embedded devices than computers. Printers, HVAC controllers, badge readers, medical devices, and industrial sensors all run software, connect to your network, and almost never get patched. Every one of them is an attack surface the CISSP exam expects you to understand.

Core Concept Explained Simply

Embedded systems are purpose-built computing devices designed for a specific function. Unlike general-purpose computers, they typically have constrained resources (limited CPU, memory, and storage), run specialized firmware or real-time operating systems, and operate for years or decades without updates. IoT (Internet of Things) devices are networked embedded systems, and their connectivity dramatically expands the attack surface.

Why Embedded and IoT Devices Are Hard to Secure

Several characteristics make these devices uniquely challenging:

• Constrained resources: Limited processing power and memory make it difficult or impossible to run traditional security agents, antivirus, or encryption.
• Long lifecycles: Industrial control systems and medical devices may operate for 15 to 20 years, far outlasting the security support period for their software.
• No patching mechanism: Many devices have no built-in capability for secure remote updates. Updating firmware may require physical access or specialized tools.
• Default credentials: Many devices ship with well-known default usernames and passwords that are never changed.
• Lack of encryption: Many IoT protocols transmit data in plaintext because encryption requires processing power the device does not have.

SCADA and ICS

SCADA (Supervisory Control and Data Acquisition) and ICS (Industrial Control Systems) manage critical infrastructure: power grids, water treatment, manufacturing lines, and oil pipelines. These are operational technology (OT) environments, and their security priorities differ fundamentally from traditional IT:

• IT priority order: Confidentiality, Integrity, Availability (CIA)
• OT priority order: Availability, Integrity, Confidentiality (AIC, sometimes called Safety first)

In OT, a system going offline can cause physical harm, environmental damage, or loss of life. Patching an ICS system requires extensive testing because an unexpected reboot or configuration change could shut down a power plant or contaminate a water supply.

The Purdue Model

The Purdue model defines network segmentation layers for ICS environments:

• Level 0: Physical processes (sensors, actuators)
• Level 1: Basic control (PLCs, RTUs)
• Level 2: Area supervisory control (HMI, engineering workstations)
• Level 3: Site operations (historian, domain controllers)
• Level 3.5 (DMZ): Buffer between OT and IT networks
• Level 4-5: Enterprise IT network and internet

Traffic should flow through defined pathways with strict controls at each boundary. Direct connections from Level 0/1 devices to the enterprise network or internet should never exist.

Real-Time Operating Systems (RTOS)

Many embedded devices run real-time operating systems that prioritize deterministic timing over features. RTOS security is limited by design because the focus is on predictable execution, not security controls. This means security must be provided externally through network controls and monitoring.

Cyber-Physical Systems

When digital systems control physical processes, security failures have physical consequences. A compromised insulin pump, a tampered traffic light controller, or a manipulated power grid relay can cause injury or death. This raises the stakes beyond data protection to safety.

CISSP Lens

The exam tests your understanding of why embedded and IoT devices require different security approaches than traditional IT systems. Know that OT environments prioritize availability (and often safety) over confidentiality. Know that compensating controls are necessary when devices cannot be directly patched or hardened. Know the Purdue model as the standard segmentation framework for ICS.

A common exam pattern describes an unmanageable device and asks for the best security approach. The answer almost always involves network segmentation and monitoring rather than trying to secure the device itself.

Real-World Scenario

A hospital's network-connected infusion pumps were discovered running firmware with known vulnerabilities that allowed remote code execution. The manufacturer had no patch available and estimated a fix would take 12 to 18 months. The pumps could not be taken offline because patients depended on them.

The hospital's security team implemented compensating controls:

• Placed all infusion pumps on a dedicated VLAN with no direct internet access
• Restricted communication so pumps could only reach the medication management server and nothing else
• Deployed network monitoring to detect anomalous traffic from pump IP addresses
• Coordinated with the manufacturer for firmware update scheduling as soon as a patch became available
• Documented the accepted risk and compensating controls for regulatory compliance

This approach contained the risk without disrupting patient care, which is the core challenge of OT and medical device security.

Common Mistakes and Misconceptions

• Connecting IoT devices to the same network as critical business systems. Every IoT device should be on a segmented network with restricted communication paths.
• Assuming embedded devices are too simple to be targeted. The Mirai botnet compromised hundreds of thousands of IoT devices using default credentials. Simplicity does not mean safety.
• Applying IT security practices directly to OT without considering safety. Rebooting an IT server for a patch is routine. Rebooting an ICS controller managing a chemical process could cause an explosion.
• Ignoring default credentials on "minor" devices. Printers, cameras, and HVAC controllers with default passwords are common entry points for attackers.
• Treating ICS patching like IT patching. OT patches require vendor validation, safety testing, and planned maintenance windows. Applying patches without testing can cause more harm than the vulnerability.

Actionable Checklist

• Inventory all embedded and IoT devices on your network
• Segment IoT and OT devices onto isolated VLANs with restricted communication paths
• Change default credentials on every network-connected device
• Monitor IoT device traffic for anomalous behavior
• Establish firmware update procedures with vendor coordination
• For devices that cannot be patched, document compensating controls and the accepted risk
• Review the Purdue model and verify your ICS segmentation aligns with it

Key Takeaways

• Embedded devices have the longest lifecycles and the fewest security controls
• Network segmentation is the primary compensating control for unmanageable devices
• OT environments prioritize availability and safety over confidentiality
• Default credentials on IoT devices remain one of the easiest attack vectors
• Compensating controls are necessary when direct remediation is impossible

Exam-Style Reflection Question

A manufacturing facility cannot patch a vulnerability in its SCADA system because the vendor requires six months of testing before approving updates. What is the best approach?

Answer: Implement compensating controls while waiting for the approved patch. This includes network segmentation to isolate the SCADA system, enhanced monitoring for exploit attempts, restricting remote access, and ensuring only authorized personnel can interact with the system. In OT, availability and safety take priority, so patching without vendor validation could be more dangerous than the vulnerability itself.