Networked embedded systems continue to pervade modern everyday activities at an accelerating pace. These systems find application in numerous critical infrastructures, including medical devices, autonomous vehicles, transportation systems, etc. The convergence of low-cost embedded hardware and ubiquitous network access has enabled increasingly pervasive environments, which are expected to seamlessly integrate with our social and commercial activities. Interconnecting multiple devices and enabling remote access comes with numerous security risks. Malicious software is growing at an alarming rate of approximately 100,000 new malware exploits per day. Historically, embedded systems were immune to malware, because they lacked network connectivity and were secured by their physical locations, but physical security cannot protect embedded systems that can be remotely accessed and controlled. Thus, a key component of embedded systems security is detection and identification of malware. In this talk, we present an overview of nonintrusive runtime anomaly detection (RAD) for detecting malware in embedded systems. The RAD approach uses formal time-centric system models that robustly capture the correct system execution behavior, and thereby enable efficient runtime detection of unauthorized system actions. The time-centric system models offer a unique opportunity to strengthen embedded system security by detecting subtle changes in the timing behavior of the system execution. We demonstrate that using such timing analysis, we can improve runtime malware detection capabilities.