CRIMSON
7
EMBEDDED INDUSTRIAL
HEI
HARDWARE

What is HEI, IoT, device security?

We deliver Technical security testing, engineering, architecture and process validation for the entire value chain of embedded and industrial systems, from field devices to backend systems. We help you with implementing hardware security measures for IoT devices and embedded system, from hardware design to firmware secure software development lifecycle. HEI is about security the underlying, hi-tech fundamental underlying bricks of our technological stacks and societies.

Hardware Embedded Security

IoT and Embedded systems at large are “smart” objects, in short computers disguised as another object.
Nowadays, cars, TVs, fridges, microwaves, watches, phones… almost anything can be a computer (or is a computer already). Whether you call it IoT device or embedded systems, the price is the same: with this “smartness” comes security implications and risks that must be managed in a way that protects both the consumer and the companies implicated in the process (manufacturers, importers, distributors, etc…). We can help you protect your physical devices in a way that is aligned with your threat landscape, your regulatory constraints and your production processes.

Our Experience

Our hardware hackers have tested and broken into hundreds of systems, from smart city lights to children’s toys, from internet set-top boxes to cars and train ticket systems, from lifting chips to masquerading as a device to APIs, our experts are seasoned hackers with experience in the manufacturing processes, attacking tamper resistant devices, secure elements, secure boot processes and operating within constraints that can help you locate, mitigate and maintain the security level of your IoT and embedded solutions or get an independent opinion on the security level of theIoT and embedded systems you use.

Methodology

1.    Testing scenarios are created in collaboration with our clients and tailored for each system’s nature, architecture and threat profile. By leveraging an industry recognized threat modelling methodology (S.T.R.I.D.E), we build relevant and realistic testing scenarios that ascertain our client’s systems capability to weather out real world attacks. Typically:

  • Device authentication to the backend
  • Backend authentication to the device
  • Device update processes
  • Hardware security best practices for supply chain management
  • Security of secrets and data atrest (in Trusted Platform Modules (TPMs), Secure Elements (SEs), Hardwaresecurity modules (HSM), filesystem encryption)
  • Security of secrets and data at rest (in Trusted Platform Modules (TPMs), Secure Elements (SEs), Hardware security modules (HSM), filesystem encryption)
  • Fault Injection, secrets and data in-flight
  • Security of JTAG, SWD, 1-wiredebug
  • Hardware based cryptography and authentication
  • Abuse of backend business processes overtrusting devices (& vice versa)

2.    Device communication (backend, sensors, phone, etc.) relationship analysis.
3.    Scenario execution
4.    Report workshop & advise onmitigation

After executing our tests or assessments, wecreate a report for our clients that contain guidance on how to best addressthe issues and enhance the security of their internal processes.

Hardware Assessment Scenario

Device as an attack vector

Assessing the resilience of the backend services managing, being consumed by or consuming the data produced by the device.

Hardware Assessment

Assessing the device execution and storage processes security of: its own secrets, its own execution state and integrity, it’s backend access secrets, the user’s secrets, networks and environments

Firmware Assessment

Assessing the device execution and communication processes, backend access to secrets and communication, networks, the firmware   update process, etc.

External components assessment

Assessing the security and management state of components (hardware/software) that are provided by external parties (processing units, sensors, BSP, toolchains, etc)

Consulting Track

As a company with embedded systems needs(Industrial IoT , Building management, distributed sensors, occupancy), how do you maintain a managed risk and security stance when onboarding such systems? How do you even integrate security requirements in your RFP/Q? How do you integrate them safely in your network?Is your network segmentation correctly implemented? Our experts can help and guide you with all these questions.

Industrial track (OT)

What IS industrial control systems security? THE ULTIMATE GUIDE

Industrial Control Systems (ICS) security isthe practice of safeguarding the critical infrastructure that powers industries like manufacturing, energy, water treatment, and transportation. These systemsare the backbone of modern industrial operations, controlling everything from assembly lines to power grids. But as technology advances, so do the risks.That’s where ICS security comes in—it’s all about protecting these systems fromcyber threats that could disrupt operations, cause safety hazards, or lead to costly downtime. Industrial systems in 2025 goes far beyond a few isolatedPLCs. From sensors to historians, from Purdue 0 to the connections to thecorporate environment, and to the cloud, IIoT and 5G/connected shop floor,the industrial environments are in constant evolution.

WHY OT MATTERS

In today’s digital age, industrial systems are more connected than ever. While this connectivity boosts efficiency, it also opens the door to cyberattacks. Many ICS environments were built years ago, long before cybersecurity became a top concern. This makes them prime targets for hackers looking to exploit outdated software, weak passwords, or unpatched vulnerabilities.  

VALUE

Industrial Control Systems security isn’t just about protecting technology—it’s about safeguarding your business, your employees, and your community. By taking a proactive approach to ICS cybersecurity, you can minimize risks, ensure operational continuity, and build a resilient infrastructure that’s ready for the future.   Whether you’re in energy, manufacturing, or any other industry that relies on automation, investing in ICS security is a smart move. After all, when it comes to cybersecurity, it’s better to be safe than sorry.

Jean-Georges Valle
Head of HEI Services and Research

Approach TO OT INDUSTRIAL SECURITY

Our security experts have reviewed, tested and compromised a large variety industrial systems (from PLCs to network equipments, from custom RF to HART, from fiber to WiFi, from national smart meters to entire plants), architectures and security plans in most of the industrial vertical (Oil&Gas, Utilities, Chemistry, Manufacturing, etc.).

It usually starts by understanding the industrial process and its business constraints by interviewing teams and examining the available documentation, to better understand the client’s need and assess, in collaboration with the client, what services should be enhanced and how.Based on the threats relevant to the client’s vertical, and the regulations relavant to it’s business, industry and side, we assess it’s processes and historical events to pinpoint areas of improvement. Once these areas have been defined, were view the existing processes and propose, in collaboration with the engineering and field teams, enhancements plans to align the exisiting processes and to the threat landscape.

FAQ

For HEI services

Why IoT security Matters?

keyboard_arrow_down

In today’s digital age, industrial systems are more connected than ever. While this connectivity boosts efficiency, it also opens the door to cyberattacks. Many ICS environments were built years ago, long before cybersecurity became a top concern. This makes them prime targets for hackers looking to exploit outdated software, weak passwords, or unpatched vulnerabilities.   A breach in an ICS environment can have serious consequences:  

- Operational Disruptions: Cyberattacks can shut down production lines, delay deliveries, and disrupt supply chains.  
- Safety Risks: Compromised systems can lead to equipment malfunctions, putting workers and communities at risk.  
- Financial Losses: Downtime, repairs, and regulatory fines can cost companies millions.  
- Environmental Damage: In industries like oil and gas, a cyberattack could result in spills or other environmental disasters. That’s why ICS security isn’t just an IT issue—it’s a critical business priority.

How to do ICS security?

keyboard_arrow_down

Protecting industrial control systems requires a multi-layered approach. Here are some of the key elements of a strong ICS security strategy:   
1. Risk Assessment: Identify vulnerabilities in your systems, networks, and processes.  
2. Network Segmentation: Isolate critical systems from less secure networks to limit the spread of attacks.  
3. Access Control: Restrict access to ICS environments to authorized personnel only.  
4. Threat Monitoring: Use advanced tools to detect and respond to suspicious activity in real time.  
5. Regular Updates: Keep software, firmware, and hardware up to date to patch known vulnerabilities.  
6. Employee Training: Educate staff on cybersecurity best practices to reduce human error.  

How to strengthen your ICS security?

keyboard_arrow_down

If you’re responsible for industrial control systems, here are a few steps to boost your cybersecurity posture:  
- Conduct Regular Audits: Assess your systems for weaknesses and address them proactively.  
- Implement Advanced Tools: Use firewalls, intrusion detection systems, and encryption to protect your networks.  
- Partner with Experts: Work with cybersecurity professionals who specializes in industrial systems.  
- Stay Informed: Keep up with the latest threats and trends in ICS security to stay one step ahead of attackers.   

Industrial Control Systems security isn’t just about protecting technology—it’s about safeguarding your business, your employees, and your community. By taking a proactive approach to ICS cybersecurity, you can minimize risks, ensure operational continuity, and build a resilient infrastructure that’s ready for the future.   Whether you’re in energy, manufacturing, or any other industry that relies on automation, investing in ICS security is a smart move. After all, when it comes to cybersecurity, it’s better to be safe than sorry.  

Are there regulations and compliance for IOT?

keyboard_arrow_down

The CRA is the first European regulation (Dec. 2024) that aims to protect European consumers and the European cyberspace by raising the security level of goods and services offered on the European market. The CyberResilience Act requires software and hardware/firmware to follow a secure design model and the companies involved in their selling and delivery to maintain them, keep them updated and maintain a vulnerability management process. This means that companies involved in manufacturing the products, hardware and software, need to adhere (and be able to prove they followed) a rational security analysis process, manage the software components they use (directly or indirectly), write up user-friendly secure setup documentation and keep of of this up to date and available.

Read more on how blog article

Which regulatory frameworks apply to ICS?

keyboard_arrow_down

Industrial environments and conseguentely the control systems are often subject to many regulations, often at global level or at country local level. In general, ISO is used as good reference to compliance framework for security of ICS product, the former ISO99 evolved in the IEC62443 is adopted in the ICS context.

Interested? Get in touch*

* We will get back to you for additional conversations, to provide a tailored approach fitting your specific need
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form