2025 ASEE Annual Conference & Exposition

Introduction
Embedded systems are integral to modern technology, powering a wide range of devices from household appliances to critical infrastructure. Ensuring the quality, safety, security, and correct operation of embedded software is crucial. As these systems become more interconnected, the importance of securing them against cyber threats has grown exponentially. This paper details an intervention developed in the form of a module for an Embedded Systems Course, focusing on embedded security. The module aims to equip students with the knowledge and skills necessary to protect embedded systems from various cybersecurity threats, including common vulnerabilities such as buffer overflows, improper input validation, and improper authentication.

Goals and Objectives
The primary goal of this module is to provide students with a comprehensive understanding of cybersecurity principles as they apply to embedded systems. The specific objectives include:
1. Understanding Cybersecurity Fundamentals: Students will learn the basic concepts of cybersecurity, including the importance of protecting systems, networks, and programs from digital attacks. They will become familiar with key terms such as attack vectors, attack surfaces, threat actors, and vulnerabilities.
2. Identifying Cybersecurity Threats: The module will cover various types of cybersecurity threats specific to embedded systems, such as unauthorized access, data breaches, denial-of-service attacks, malware, physical attacks, and supply chain attacks. Students will also learn about common embedded software vulnerabilities like buffer overflows and improper input validation.
3. Addressing Unique Challenges: Students will explore the unique challenges of securing embedded systems, including limited resources, power consumption considerations, real-time operation requirements, limited connectivity options, legacy systems, heterogeneous ecosystems, and lack of security expertise.
4. Implementing Security Measures: The module will teach techniques for hardening embedded systems, implementing encryption for communication, and following secure coding practices. Practical exercises will involve identifying and mitigating vulnerabilities in a traffic light controller program.
5. Conducting Cybersecurity Assessments: Students will learn how to conduct vulnerability scans, identify potential security weaknesses, and implement mitigation strategies. They will also engage in code review and debugging exercises to reinforce their understanding of secure coding practices.

Research Methodology and Activities:

The module is structured into several key sections, each focusing on different aspects of embedded security. To measure the effectiveness of the module, a combination of pre- and post-learning surveys and a comprehensive test are used to assess students’ knowledge and confidence levels before and after completing the module.

1. Cybersecurity Fundamentals: This section introduces the concept of cybersecurity and its importance in the context of embedded systems. It covers the types of cybersecurity threats and the unique challenges faced in securing embedded systems.
2. System Hardening: Students will learn about system hardening techniques, including reducing the attack surface, mitigating vulnerabilities, managing configurations, and continuous monitoring. Practical exercises will involve disabling unnecessary services, applying the principle of least privilege, securing communication channels, and implementing network segmentation.
3. Encryption for Communication: This section emphasizes the importance of encrypting communication between components of an embedded system. It covers suitable encryption algorithms and protocols for resource-constrained environments and secure key management practices.
4. Secure Coding Practices: Students will be introduced to secure coding practices to prevent common vulnerabilities. Topics include input validation, bounds checking, avoiding insecure functions, minimizing code complexity, using standard libraries securely, and memory management best practices.
5. Cybersecurity Assessment: The final section focuses on conducting vulnerability scans and identifying potential security weaknesses. Students will use tools like OpenVAS, Nessus, and Qualys to perform vulnerability assessments and learn how to address identified vulnerabilities through patching, firmware updates, and additional security controls.
6. Pre- and Post-Learning Survey: To evaluate the impact of the module, students will complete a survey before and after the course. The survey includes questions on general cybersecurity knowledge, embedded system security, and specific cybersecurity concerns for embedded systems. It assesses students’ understanding of key concepts, their ability to identify and mitigate vulnerabilities, and their confidence in securing embedded systems. The survey results will be analyzed to measure improvements in knowledge and confidence, providing valuable feedback for refining the module.
7. Comprehensive Test: A detailed test is administered at the end of the module to evaluate students’ practical understanding and application of the concepts taught. The test includes sections on understanding code, debugging and testing, code auditing and analysis, principles applied, problem-solving techniques, and application of programming concepts. The test scores provide a quantitative measure of students’ proficiency in embedded system security.

Data Analysis and Conclusion Drawing:
The data collected from the pre- and post-learning surveys, along with the comprehensive test scores, will be analyzed to draw conclusions about the effectiveness of the module. The analysis will focus on:
• Knowledge Improvement: Comparing pre- and post-survey responses to measure the increase in students’ understanding of cybersecurity concepts and embedded system security.
• Confidence Levels: Assessing changes in students’ confidence in their ability to identify and fix vulnerabilities and secure embedded systems from cyberattacks.
• Test Performance: Evaluating the test scores to determine students’ practical skills and their ability to apply theoretical knowledge to real-world scenarios.
By triangulating the survey data and test scores, we can gain a comprehensive understanding of the module’s impact on students’ learning outcomes. This approach ensures that both subjective (self-reported confidence and understanding) and objective (test performance) measures are considered in evaluating the module’s effectiveness.