The WBK "Security in Embedded Systems" program is aimed at individuals who:

• Develop hardware and firmware for networked embedded systems.
• Specify and position Internet of Things (IoT) devices in the market.
• Ensure application support for communication devices.
• Lead development projects for or with Embedded Systems.
• Wish to apply their IT security expertise to embedded systems and IoT.

Participants will gain both theoretical foundations and practical skills in the following areas:

• Current and upcoming regulations and requirements, especially the EU Cyber Resilience Act (CRA).
• Security by Design and the Secure Development Lifecycle.
• Threat analysis to define security requirements.
• Security concepts and cryptographic methods.
• Application of NIST functions for embedded systems: Identify, Protect, Detect, Respond, Recover.
• Secure elements: tamper-resistant storage and cryptographic acceleration.
• Modern microcontroller architectures, through the example of ARM TrustZone.
• Secure processing environments (SPE) through the example of Trusted Firmware-M (TF-M).
• Secure boot and secure firmware updates.
• Hacking of embedded systems: What can be done today?

The WBK "Security in Embedded Systems" program is modular and uses the EU Cyber Resilience Act as a framework to explore the various phases of the product lifecycle. It combines theory and practice to convey key aspects of cybersecurity for embedded systems. The course is divided into the following units:

1. Introduction

Topics

• Context of embedded systems and IoT.
• What does "security" mean?
• Impacts of cyber security on embedded systems.

2. Legal Foundations

Topics

• What regulations exist today?
• What regulations will take effect in the future?
• EU CRA context and its integration into general product guidelines.

3. Device Requirements Under CRA

Topics

• Impacts on the development process.
• Impacts on product lifecycle phases, including operations and after-sales.
• Impacts on documentation and traceability.
• Handling software components, Software Bill of Materials (SBOM), and vulnerability management.

4. Standardization

Topics

• Overview of standards: Activities by ETSI, CENELEC, ISO, IEEE in cybersecurity for embedded systems.
• NIST Five Functions (Identify, Detect, Protect, Respond, Recover - IDPRR).

5. Analysis (STRIDE)

Topics

• STRIDE analysis to determine threats for IoT devices.
• Attack vectors.
• Classification of risks and impacts (practical example).

6. Security Concepts and Cryptographic Methods

Topics

• Terminology and introduction to encryption, authentication, and authorization.
• Symmetric methods, Public Key Infrastructure (PKI), and security protocols with a focus on embedded systems.
• Approaches for implementing CIA (Confidentiality, Integrity, Availability) in embedded systems.

7. Implementing Security in Products (Hardware)

Topics

• Secure elements with hardware support for security functions and secure storage (practical example).
• Secure MCUs with e.g. TrustZone.

8. Implementing Security in Products (Software)

Topics

• Secure boot.
• Secure firmware upgrades (practical example).
• Secure processing environments (SPE) and Trusted Firmware-M.

9. Practical Attacks

Topics

• What is possible today? Approaches to hacking software and hardware (practical example).

The course includes several activities such as lectures, practice-oriented exercises, case studies, group work, self-study (preparation and follow-up), and e-learning elements. Practical programming exercises on embedded boards deepen the participants' understanding of secure embedded hardware and software. These exercises demonstrate how concepts are implemented and highlight potential challenges.

Classes are held part-time, once a week, every Thursday afternoon from 1 PM to 7 PM (6 lessons) over eight weeks. 

The WBK "Security in Embedded Systems" program follows the school vacation schedule of the city of Winterthur.

Course Dates (2025):  March 13, 20, 27, April 3, 10, May 8, 15, 22
Course Dates (2026):  March 12, 19, 26, April 9, 16, May 7, 21, 28

Admission to the WBK Security in Embedded Systems generally requires a university degree (university of applied sciences, HTL, HWV, Uni, ETH). However, practitioners with comparable professional competence can also be admitted if the ability to participate results from other evidence. Basic knowledge of programming, preferably in C or C++ and an affinity for the development methodology for embedded systems should be present.

We do not keep waiting lists and do not offer place reservations.

If a place becomes available on the previous course, we will consider the order in which registrations are received.