Courses

Security Pattern has deep experience in security and a broad technical proposal for training on cyber security for embedded systems. It is therefore the right partner to support customers in this activity.

Training proposal

We propose various training modules that aim to increase knowledge in the cyber security context. They can be assembled and adapted according to specific needs. The aim of this document is to present the portfolio of training modules that are available and, for each one, the current duration. We can also develop further modules with ad-hoc content, following the customer's needs.

We will provide a copy of the slides used during the training to all participants. The slides will be in PDF format, and the training contents will remain the intellectual property of Security Pattern. All of the training material is in English. The training can be attended by at most 10 participants.

Introduction to security and cryptography

DURATION: 4 hrs


An introduction to the basic concepts of information security is required to understand, evaluate and deal with the context of cybersecurity. In this training module, we introduce the main properties of security and present the cryptographic tools that allow the creation of schemes for information protection. The main authentication guidelines that users and devices need to follow are also presented.

Security protocols and security layers - TLS, Wi-Fi and Bluetooth

DURATION: 4 hrs


Transport Layer Security (TLS) is the protocol employed on the Internet to protect communications. Wi-Fi and Bluetooth are the two most widespread wireless connectivity technologies. These technologies provide some security schemes, but they have also been subjected to many attacks in the past. In this module, we present the goals of these protocols and the points where they have shown weaknesses.

Known vulnerabilities in IoT and motivations

DURATION: 2 hrs


This training module covers different IoT security vulnerabilities, starting from real-case attacks that occurred on several IoT devices. Using the OWASP Internet of Things Project as the reference security framework, we present each class of IoT vulnerability and a real-case attack which exploited it. Finally, we suggest several security requirements that aim to mitigate the security issues explored.

Security of embedded systems

DURATION: 4 hrs


In this module we describe the main schemes to protect IoT devices against different types of attacks. We explain the technological solutions offered by the suppliers of SoCs in order to secure an IoT device. We provide an overview of the security primitives available in microcontrollers such as STM32 and ESP32, Bluetooth modules, microprocessors such as NXP i.MX and Microchip’s SAMA5D, and Secure Elements from NXP and Microchip.

Overview on IoT security standards

DURATION: 4 hrs


This module gives an overview of the main initiatives in the field of IoT security. For instance, standard 62443-4 (parts 4-1 and 4-2) is presented as a starting point for setting up a cyber security framework. Subsequently, we discuss similarities and differences between the standard ISA/IEC 62443 and two other security standards specifically designed for network-connectable products: UL 2900 and ETSI 303 645.

Security standard ISA/IEC 62443

DURATION: 8 hrs


This module is based on the ISA/IEC 62443 standard, and in particular on tier 62443-4, parts 4-1 and 4-2, defined for the industrial context. It is the reference cybersecurity standard in the field of industrial automation and control systems, and is also applied in transportation systems. We present the requirements proposed by the standard and the essential ingredients that must be considered to create a secure product.

Threat modeling

DURATION: 4 hrs


An essential step in defining a protection strategy for a system is modeling the system and the threats that it is subjected to. The protection strategy must be efficient and proportional to the potential damages that the system may face. We show the concepts needed to create a risk management strategy, and discuss why this strategy has to be considered a fundamental element of a security standard.

Development of secure code for embedded applications

DURATION: 4 hrs


Writing secure code in the C language requires developers to set up quality control processes, which can be implemented through static analysis tools. These tools are used to check that the implementation is in line with standard rules. In this module, the SEI CERT rules and their motivations are analysed. We also propose an introduction to Rust, a memory-safe language, which aims to improve the analysis of code security.

Security of IoT platforms and vertical applications

DURATION: 4 hrs


Amazon and Google provide cloud platforms to create complex IoT systems. We analyse their security features and the main differences. Apple HomeKit is an example of a vertical application from Apple, which allows home automation devices to be controlled from iOS devices. Amazon Alexa is an application for managing the voice assistant, integrated into embedded systems. For its integration, Amazon sets specific security requirements.

Penetration testing

DURATION: 4 hrs


Penetration testing is a manual activity performed by a security expert in order to evaluate the security of the target. The goal is to find previously unknown vulnerabilities, both in software and hardware. We present the main tasks covered during a penetration testing activity. Specifically, using a vulnerable IoT device, we discuss the methodology and present several practical tools used for analysing an IoT device.