As embedded systems become more connected, securing them has become critical. Andrew Doukhvalov of Kaspersky speaks with EFY’s Nidhi Agarwal about the company’s approach to cybersecurity, from industrial control systems to consumer IoT, including AI, open-source collaboration, and design strategies.

Q. Why is the lack of built-in security a big problem for embedded systems?
Embedded systems represent a computing part that is built into devices used for a number of very particular purposes in order to control their functioning. They can be found in elevators, air conditioning systems, TVs, and especially cars, which can have 40 to 50 of them.
We rely on these systems every day, but most do not have built-in security. Unlike regular computers, you cannot install antivirus or other protection software. This becomes a serious issue in industries where embedded systems control critical machines like water pumps, power grids, and factory equipment.
Since traditional security methods do not work, we need new ways to protect them. This lack of security is one of the biggest risks facing embedded systems today.
Q. How is your approach to cybersecurity different from others?
Our main idea is to build strong security for Internet of Things (IoT) systems during the design and development process. You see, security should be built into embedded systems from the start, not added later. To help with this, we offer a new operating system that gives a strong and stable base for secure solutions.
Q. How do you help protect industrial systems that use embedded or IoT devices?
We use several methods to protect information technology (IT) systems, especially industrial ones. One key service is the industrial control systems computer emergency response team (ICSCERT), which, as you can understand from the name, helps check the stability of industrial systems and find weak spots in equipment that uses embedded systems.
Our native extended detection and response (XDR) platform, Kaspersky Industrial Cyber Security, allows us to protect operational technology (OT) and critical infrastructure equipment and industrial networks from cyber-initiated threats by providing centralised asset management, risk assessment, and auditing capabilities.
We also use artificial intelligence (AI), like machine learning for anomaly detection (MLAD), to find unusual behaviour in the system. Overall, our products help improve and secure embedded systems during upgrades, making them more resistant to attacks.
Q. How are you using AI and machine learning to help with cybersecurity?
The key advantage of the approach based on the use of AI is that AI-based mechanisms can make deductions about previously unknown artefacts and events, for instance, detecting unusual patterns—called anomalies—in network traffic.
It compares these patterns to what it considers normal behaviour, both generally and for the particular system. When it finds something unusual enough, it alerts the people running the system about the suspected problem, so they can investigate it and, if needed, take necessary containment action.
This is especially useful in industrial networks where the processes are highly standardised and tightly controlled.
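The baseline-then-deviation check described above, written out as an added example; it is not part of the original interview or of any Kaspersky product. The flow records, host names and the 3-sigma threshold are constructed for illustration: a learning window of normal Modbus/TCP conversations is turned into per-conversation statistics, and later records are flagged when they are an unseen peer/port pair or a rate far beyond the learned baseline.

```python
import statistics
from collections import defaultdict

# Constructed sample flow records from a "normal" learning window:
# (source host, destination host, TCP port, packets per minute).
BASELINE = [
    ("hmi-1", "plc-7", 502, 120), ("hmi-1", "plc-7", 502, 118),
    ("hmi-1", "plc-7", 502, 125), ("hmi-1", "plc-7", 502, 122),
    ("hmi-1", "plc-7", 502, 119),
    ("historian", "plc-7", 502, 60), ("historian", "plc-7", 502, 58),
    ("historian", "plc-7", 502, 63), ("historian", "plc-7", 502, 61),
    ("historian", "plc-7", 502, 59),
]


def learn_baseline(records):
    """Per (src, dst, port) conversation: mean and std-dev of the packet rate."""
    rates = defaultdict(list)
    for src, dst, port, pps in records:
        rates[(src, dst, port)].append(pps)
    return {k: (statistics.mean(v), statistics.pstdev(v)) for k, v in rates.items()}


def detect(model, records, k=3.0, floor=1.0):
    """Return alerts for conversations never seen in the learning window
    (new peer or port, typical of an OT network where traffic is highly
    standardised) and for rates above mean + k * stdev. `floor` stops a
    perfectly regular baseline (stdev 0) from alerting on any jitter."""
    alerts = []
    for src, dst, port, pps in records:
        key = (src, dst, port)
        if key not in model:
            alerts.append((key, pps, "unseen conversation"))
            continue
        mean, sd = model[key]
        if pps > mean + k * max(sd, floor):
            alerts.append((key, pps, f"rate {pps} exceeds baseline {mean:.0f}"))
    return alerts


if __name__ == "__main__":
    model = learn_baseline(BASELINE)
    observed = [("hmi-1", "plc-7", 502, 121),        # normal polling
                ("hmi-1", "plc-7", 502, 900),        # burst from a known host
                ("laptop-x", "plc-7", 44818, 5)]     # new host, new port
    for alert in detect(model, observed):
        print(alert)
```

The alerts are what an operator would be asked to investigate; the example deliberately reports rather than blocks, since containment in an industrial network is a human decision.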
Q. How does a microkernel help improve security?
Microkernels separate important components from less important ones to meet security goals. This is the principle behind KasperskyOS, our secure-by-design microkernel operating system. Its architecture enables developers to build trusted systems where each component operates with minimal, clearly defined privileges — a foundational element of our Cyber Immune approach.
We divide the system into parts that focus on security or other needs, like functionality and business goals. The microkernel creates a ‘trusted execution area’ for critical parts, isolating them from security threats. This approach lets us focus on securing key components while other parts handle their own functions, resulting in a trusted system at a lower cost.
Q. What is the key security difference between embedded OS and general-purpose OS?
A general-purpose operating system is made to run any software on computers, whether in corporate or consumer environments. The computer hardware is designed with the idea that it can support extra security measures.
So, the security focus shifts to additional software like antivirus, network threat protection and similar tools. In contrast, IoT systems are built around a particular purpose, with simplicity of operation and resource efficiency in mind.
With them, you either use indirect measures like security gateways or, which is much better, design them to be secure on their own, without explicitly relying on external countermeasures. The key difference is that IoT systems are built to be secure from the start.
Q. How do you help developers implement secure updates?
We provide a framework for managing updates and other trust scenarios. We also offer templates that help developers implement update verification, cryptographic validation, and integrity checks based on our Cyber Immune architecture. These templates address use cases like boot, logins, and remote updates, making it easier for developers to follow security practices without having to build everything from scratch. This approach reduces vulnerabilities, shortens development time, and ensures that updates are deployed.
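The three checks named above (update verification, cryptographic validation, integrity checking) as an added example; this is not Kaspersky's framework or templates, and it assumes a constructed manifest format and a device-provisioned key. To stay runnable with only the standard library it authenticates the manifest with HMAC-SHA256, which stands in for the public-key signature a real update pipeline would use; the ordering of the checks and the anti-rollback rule are the point.

```python
import hashlib
import hmac
import json

# Constructed values: in a real device the key would be provisioned at manufacture
# (and would be a public key for signature verification, not a shared secret).
DEVICE_KEY = b"constructed-demo-key-not-a-real-secret"
INSTALLED_VERSION = 3


def _canonical(fields):
    """Deterministic encoding of the authenticated manifest fields."""
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()


def make_manifest(image, version, key=DEVICE_KEY):
    """Build side: bind image hash and version together under the key."""
    body = {"version": version, "sha256": hashlib.sha256(image).hexdigest()}
    body["tag"] = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    return body


def verify_update(image, manifest, installed=INSTALLED_VERSION, key=DEVICE_KEY):
    """Device side. Returns (accepted, reason). Authenticity is checked first so
    that nothing in an unauthenticated manifest is ever trusted, then the image
    hash, then anti-rollback so an old (possibly vulnerable) image is refused."""
    if not isinstance(manifest, dict) or not {"version", "sha256", "tag"} <= set(manifest):
        return False, "malformed manifest"
    fields = {"version": manifest["version"], "sha256": manifest["sha256"]}
    expected = hmac.new(key, _canonical(fields), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, str(manifest["tag"])):
        return False, "manifest authentication failed"
    if hashlib.sha256(image).hexdigest() != manifest["sha256"]:
        return False, "image hash mismatch"
    if not isinstance(manifest["version"], int) or manifest["version"] <= installed:
        return False, "rollback rejected"
    return True, "accepted"


if __name__ == "__main__":
    image = b"constructed firmware image v4"
    manifest = make_manifest(image, 4)
    print(verify_update(image, manifest))            # accepted
    print(verify_update(image + b"x", manifest))     # image hash mismatch
    print(verify_update(image, make_manifest(image, 2)))  # rollback rejected
```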
Q. How do you balance security with performance and power in embedded designs?
In IoT designs, there is always a trade-off when adding different features, but we see security as just as important as any other part of the system — like functionality or business needs.
People rarely ask about balancing power and business features, but often question the balance between security and performance. If we treat security as equally important, we do not need to ask that — we simply design the system to meet all needs at once: functionality, business goals, and security.
Q. Which industries benefit most from embedded security?
Industries with high-security demands, such as transportation, industrial control systems, building automation, and the IoT, are particularly well-suited to benefit from embedded security solutions. These sectors rely on systems that handle sensitive data and control critical processes, making them prime targets for cyberattacks.
By integrating security directly into the architecture through Cyber Immunity, we ensure that even if an attack occurs, the impact is contained and critical functions remain protected. This approach is especially valuable for industrial gateways, IoT devices, and control systems where reliability and resilience are paramount.
Q. How are security needs different for consumer IoT and critical systems like energy or telecom?
The security approach is the same across all systems. However, the level of security required and the focus areas differ significantly. In critical infrastructure such as nuclear power or telecom, the emphasis is on preventing disruptions and ensuring system availability, where even minor breaches can have severe consequences.
In contrast, consumer IoT typically prioritises data confidentiality and user privacy, with a more flexible risk tolerance. While the architectural approach remains the same, the intensity and rigour of security implementation vary, aligning with the specific risk profile and operational impact of each sector.
Q. What role does open source play in embedded security, and how does it fit with Kaspersky’s approach to embedded systems?
Open source is a great way to involve the community and improve solutions in IoT systems. For us, it is not just outreach — we actively share our code step by step, starting with some components and adding more over time. As security experts, we know ‘security by obscurity’ is the wrong approach, so we have already opened parts of our code and invited the open source community to build with us.
We also offer a free KasperskyOS Community Edition, which developers, students, and others can use to learn from our methods and create non-commercial projects using our technology. This approach allows us to engage with the broader developer community while demonstrating our commitment to transparency and collaborative improvement in embedded security.
Q. What are your key security solutions for embedded systems?
For those more powerful systems I mentioned before, Kaspersky’s Embedded Systems Security (KESS) platform is designed to protect specialised devices such as ATMs, POS terminals, and medical equipment from targeted cyberattacks.
It employs a multi-layered security approach with features such as application control, device control, real-time file protection, exploit prevention, and firewall management, while offering an opt-in approach to enabling security layers to protect resource-constrained devices effectively.
Designed to provide maximised protection for devices of every power level, KESS supports both legacy and modern operating systems and offers centralised management through the Kaspersky Security Centre.
It also aids in regulatory compliance, providing extra security controls specifically recommended in many data security laws, and audit capabilities to maintain a necessary level of accountability.
Q. How do you address the security risks of open source?
Creating secure systems requires skilled experts, whether in open source or corporate environments. What matters is their experience. We support and train the developer community, sharing our deep security knowledge. Kaspersky has been providing security solutions for over a century, and we now bring that expertise to both students and the open source community.