Networking in Security

Securing Embedded Systems in a connected World

Networking Security

Over the past decade, an increasing number of embedded devices have become network-connected — not only smartphones, but also vehicles, industrial equipment, medical devices, and even aircraft.

However, many of these systems were originally designed without networking or security in mind. As a result, they are now exposed to cyberattacks that can lead to:

  • Remote manipulation of industrial controls or nuclear systems
  • Unauthorized access to vehicles (theft, tampering, V2X spoofing)
  • Leakage of sensitive personal or medical data
  • Catastrophic failures in safety-critical systems (e.g. avionics)

The Classic Approach: Hardened Embedded Linux

A common approach is to modernize the software stack on a hardened Linux kernel, isolating the legacy safety software from the new online components through process separation.


➡️ Benefits

  • Keeps legacy code untouched
  • Adds online capabilities using modern Linux networking stacks
  • Separation via IPC and supervised communication channels


➡️ Limitations

  • Linux kernel attack surface: millions of lines of code increase the potential for vulnerabilities
  • Real-time behavior not guaranteed: Linux cannot ensure worst-case execution times (WCET)
  • Safety certification infeasible: certifying a full Linux kernel (e.g. for DO‑178C) is costly and complex
  • Security certification complexity: Common Criteria or ISO 21434 certification is difficult for large monolithic systems

Recommended Approach

RTOS-based Virtualization with PikeOS

A more robust architecture uses a microkernel RTOS with virtualization, such as PikeOS, to isolate legacy safety-critical code from online Linux-based components.


➡️ Architecture Highlights

  • Minimal certified RTOS kernel (a few thousand lines of code)
  • Strict partitioning: safety-critical and non-critical components run in isolated partitions
  • Real-time performance retained: legacy systems keep their deterministic timing
  • Online Linux stack: an ELinOS guest partition handles networking, updates, UI, etc.
  • Secure Ethernet access: virtualized and restricted through controlled drivers
  • Expandable: room for feature growth and future applications


➡️ Certification

  • Suitable for DO‑178C, ISO 26262, and Common Criteria certifications
  • Clear separation between certified and uncertified components
  • Reduced scope for auditing and verification

Automotive

Secure & Connected Vehicle Platforms

SYSGO provides a reference architecture for the Automotive domain, focusing on:

  • Protection of internal vehicle networks and fieldbus systems
  • Secure external communication (V2X, cloud backend)
  • Safe and secure over-the-air (OTA) software updates
  • Based on PikeOS for RTOS partitioning and ELinOS for rich Linux functionality

For more information, see the SACoP product page.
