Trainings

Security Pattern has extensive experience in the security domain and has a broad technical proposal in the context of training on cybersecurity for embedded systems. Therefore, we are the right partner to support our customers with training and courses in the field of cybersecurity.

We propose various formative modules that aim to increase knowledge in the cybersecurity context. According to specific needs, they can be assembled and adapted. We can also develop further modules with ad-hoc content, following the customer's needs.

We will provide a copy of the slides used during the training to all participants.

Introduction to security and cryptography

DURATION: 4 hrs

Introduction to security and cryptography

An introduction about the basic concepts of information security is required to understand, evaluate and deal with the context of cybersecurity. In this training module, we introduce the main properties of security and present the cryptographic tools that allow the creation of schemes for information protection. Also the main authentication guidelines that the users and devices need to follow are presented.

Security protocols and security layers - TLS, Wi-Fi and Bluetooth

DURATION: 4 hrs

Security protocols and security layers - TLS, Wi-Fi and Bluetooth

Transport Layer Security (TLS) is the protocol employed on the Internet to protect communications. Wi-Fi and Bluetooth are the two most widespread technologies of wireless connectivity. These technologies provide some security schemes, but they have also been subjected to many attacks in the past. In this module, we present the goals of these protocols and the points where they have shown weaknesses.

Known vulnerabilities in IoT and motivations

DURATION: 2 hrs

Known vulnerabilities in IoT and motivations

This training module covers different IoT security vulnerabilities starting from real case attacks that occured on several IoT devices. Leveraging the OWASP Internet of Things Project as reference security framework, we present each class of IoT vulnerability and a real case attack which exploited it. Finally, we suggest several security requirements that aim to mitigate the explored security issue.

Security of embedded systems

DURATION: 4 hrs

Security of embedded systems

In this module we describe the main schemes to protect IoT devices against different types of attacks. We explain the technological solutions offered by the suppliers of SoCs in order to secure an IoT device. We provide an overview of the security primitives available in microcontrollers such as STM32 and ESP32, Bluetooth modules, microprocessors such as NXP i.MX and Microchip’s SAMA5D, Secure Elements from NXP and Microchip.

Overview on cybersecurity standards

DURATION: 4 hrs

Overview on cybersecurity standards

This module gives an overview of main initiatives in the field of IoT security. We focus on two categories: the Government-driven initiatives, such as ETSI 303 645 for the UK, and the market-driven initiatives in the medical devices, industrial and automotive fields. We discuss similarities and differences among these standards, taking ISA/IEC 62443 as a starting point for setting up a cybersecurity framework.

Security standard ISA/IEC 62443

DURATION: 8 hrs

Security standard ISA/IEC 62443

This module is based on ISA/IEC 62443 standard, and in particular on tier 62443-4, parts 4-1 and 4-2, defined for the industrial context. It is the reference cybersecurity standard in the field of industrial automation and control systems, also applied in transportation systems. We present the requirements proposed by the standard and the essential ingredients that must be considered to create a secure product.

Threat modeling

DURATION: 4 hrs

Threat modeling

An essential step to define a strategy of protection for a system, is the modeling of the system and the threats that it is subjected to. The protection strategy must be efficient and proportional to the potential damages that the system may face. We show the concepts needed to create a strategy of risk management, and discuss why this strategy has to be considered as a fundamental element of a security standard.

Development of secure code for embedded applications

DURATION: 4 hrs

Development of secure code for embedded applications

Writing secure code in C language requires the developers to set up quality control processes, which can be implemented through static analysis tools. These tools are used to check that the implementation is in line with standard rules. In this module, the SEI CERT rules and their motivations are analysed. We also propose an introduction to Rust, a memory safe language, which aims to improve the analysis of code security.

Security of IoT platforms and vertical applications

DURATION: 4 hrs

Security of IoT platforms and vertical applications

Amazon and Google provide cloud platforms to create complex IoT systems. We analyse their security features and the main differences. Apple HomeKit is an Apple vertical example, which allows the control of home automation devices from the iOS devices. Amazon Alexa is an application for the managing of the vocal assistant, integrated in the embedded systems. For its integration, Amazon sets specific security requirements.

Penetration testing

DURATION: 4 hrs

Penetration testing

Penetration testing is a manual activity performed by a security expert in order to evaluate the target security. The goal is to find previously unknown vulnerabilities, both in software and hardware. We present the main tasks covered during a penetration testing activity. Specifically, leveraging a vulnerable IoT device, we discuss the methodology and present several practical tools used for analysing an IoT device.

Side-channel and fault attacks

DURATION: 16 hrs

Side-channel and fault attacks

This module focuses on physical attacks, mounted on devices processing secret information. We present side-channel attacks, which exploit information leaked by the devices during computations (e.g. power consumptions and electromagnetic radiations), and fault attacks, which are techniques that stress the device and lead it to improper functioning. Both the attacks aim to gain sensible data or bypass countermeasures.