GRIMM’s Embedded Systems team firmly believes that citizen safety and cybersecurity are intrinsically linked when it comes to embedded systems and that vulnerabilities are most prevalent at the intersection of where hardware, software, and firmware come together. To account for this, the team performs end-to-end vulnerability assessments of “systems-within-systems,” which includes critical infrastructure and Industrial Control Systems (ICS), the Internet of Things (IoT) including medical IT devices, and transportation systems including automotive and aviation.

The methodology closely follows GRIMM’s threat hunting apporach where:

Engineers begin by developing threat models, where GRIMM provides a systematic way of identifying flaws that will have the biggest impact on the system security as well as its operational safety.Next, the team exposes and exploits vulnerabilities to identify systemic weaknesses, including malicious patching of firmware, full compromise of the system, and remote access from outside the system.  Afterwards, GRIMM provides a detailed vulnerability report that is risk-ranked from most to least severe, including technical recommendations and training for technical personnel to minimize safety and security risks to the system or systems-within-systems.