TCG addresses the rapid pace of IoT security with new guidelines for software updates on embedded systems

Date Published: February 10, 2020

Beaverton, OR, USA, February 10, 2020 – Cybersecurity for embedded systems and the Internet of Things (IoT) is taking a step forward, as the Trusted Computing Group (TCG) today announced its latest guidelines and best practices for software and firmware updates for embedded systems.

Firmware and software updates are of increasing importance. Attackers constantly target the firmware and software in embedded systems, such as appliances and connected door locks, searching for vulnerabilities to exploit in order to establish a permanent foothold on the device. As a result, designers of embedded systems (ordinary items with an embedded computer) must be prepared to deliver firmware and software updates that customers must promptly install to ensure that these connected devices remain secure.

With this document, TCG is sharing a set of guidelines and best practices for secure software and firmware updates. By following these guidelines, manufacturers can keep their products secure throughout the lifetime of the products, not just when they are purchased. As a result, manufacturers can avoid bad publicity, recalls and other problems caused by infected machines.

“The state-of-the-art in information security is advancing rapidly and this is even more true for embedded systems security,” said Steve Hanna, Chair of TCG’s Embedded Systems Work Group. “We must constantly raise the bar in the way that we build and maintain these systems so that the defenders can stay ahead of the attackers.”

Driven by functionality, convenience and profit for both the manufacturer and the user, network-enabled embedded systems (IoT) are found in an ever-widening number of smart applications and platforms, including automobiles, household appliances, industrial systems and medical equipment. Increasing network connectivity in such devices allows for advanced feature sets, increased awareness and response and faster patching and updating of system firmware and software. However, this network connectivity also results in new threats and potential issues that never previously existed in platforms.

The Stuxnet virus in 2010 that compromised Programmable Logic Controllers (PLCs) used in the Iranian nuclear program is a prime example of the scale of attack that can occur if embedded systems are not secure. A similar attack was also successful against the Ukrainian power grid in 2015, resulting in temporary power loss for 225,000 individuals. Both incidents illustrate the potential impact of cyber-attacks against embedded systems in critical infrastructure and both took advantage of weak software update mechanisms.

“As we put greater trust in things like autonomous cars, smart homes and healthcare sensors, we need to take steps to make sure connected devices are tightly secured to protect them from data breaches and hackers,” added Hanna. “Over the years TCG has developed a range of technologies to address the challenges faced by the industry, resulting in widely deployed, proven solutions. These open standards are the ideal option for delivering the security needs for embedded systems as we move towards a world where everything is connected.”

TCG will showcase its cybersecurity expertise and knowledge at the upcoming Embedded World event, where members will discuss IoT security topics, share current industry challenges and demonstrate the solutions being innovated to address them. During the event on February 25, TCG will also be hosting an IoT Workshop where members will highlight and explore key TCG technologies in a series of short sessions, including Enabling TPM2.0 for Industrial and Automotive Applications with an Open Source Software Stack, Protection Technologies, Increasing Resilience of Connected Systems with Secure Flash and MARS – Trusted Computing for Low-end Devices.

Attendees of Embedded World 2020 can find Trusted Computing Group at Hall 5, Stand 5-431, February 25-27, at the Nuremberg Exhibition Centre, Germany. TCG’s IoT workshop will take place from 2.30pm-5pm on February 25 at Conference Counter NCC Ost.

About TCG

TCG is a not-for-profit organization formed to develop, define and promote open, vendor-neutral, global industry specifications and standards, supportive of a hardware-based root of trust, for interoperable trusted computing platforms. More information is available at the TCG website. Follow TCG on Twitter and on LinkedIn. The organization offers a number of resources for developers and designers at

Twitter: @TrustedComputin


