Can Low-Power Devices Be Secure?

Demand for low-power, high-performance devices also calls for security measures.


Successfully designing a low-power, high-performance chip is an accomplishment, but effectively implementing cybersecurity in such devices makes the task much more difficult.

Safety, particularly functional safety for automotive and military/aerospace applications, also can be a prime concern in creating low-power, high-performance integrated circuits and systems. When combined with security, it significantly complicates the checklist at the outset of a design project.

But those factors are becoming mandatory for a number of IC and system-level designs. In fact, they are becoming prerequisites for some designs to even be considered by system vendors, greatly adding to the complexity of chips and the amount of work required to design and verify them. Nowhere is this more vital than with embedded vision, which is becoming a key part of driver-assisted vehicles.

“Interpreting great images is vital,” said Jem Davies, ARM fellow and vice president of technology. With its intellectual property, ARM hopes to foster “energy-efficient computer vision,” he added.

In an interview with Brian Fuller, ARM’s editor-in-chief, Davies said, “There’s quite a strong connection between vision and security and it runs both ways. What I mean by that is I can use vision to authenticate who I am.”

ARM had a passel of new IP, products, and services to demonstrate at its annual technology conference in Santa Clara, Calif., many with the purpose of promoting security for Internet of Things devices, while maintaining the low-power specifications for which ARM is famous.

Chris Turner, ARM’s director of advanced technology marketing, said in an ARM TechCon presentation about safety and security in automotive electronics and other applications, “Of course, it’s very important that safe systems are secured because if somebody hacks the system, then the software that controls the steering or braking will be disabled or whatever. We suddenly have a whole new world of saying, ‘If you have a safe system, it also needs to be a secure system.’ People like the Society of Automotive Engineers and the 26262 guys are now starting to consider similar standards for automotive security. In the car, everything is connected – CAN bus, Ethernet, MOST, LIN — all these buses are there. They’re all connecting everything. Once you’ve found an attack surface in the car, you’re in, whether over wireless.”

The attack surface increases with connected cars. “It’s really important that cars, overall, the system-wide approach is taken for their security, and that people think about security from the overall vehicle electronics system, and not just their individual chip or ECU,” said Turner. “So, that’s presenting a whole new challenge to the automotive industry, which is used to getting bits from all sorts of people in the supply chain and just putting them together without having to think necessarily about system-wide security.”

He noted that both internal and external connections need to be secured.

Microcontroller suppliers were on a panel at ARM TechCon, addressing the topic of IoT and security, moderated by Nandan Nayampally, vice president of marketing for ARM’s CPU Group.

“For IoT right now, we’re moving to a place where we’re going to get globally connected,” said Doug Gardner, chief technologist for the Security Technology Group of Analog Devices. “We’re moving from a space where we’re IT-centric to basically content-centric, so you kind of define perimeter as you try to protect things. If you really believe in the vision of IoT, you’re going to move to ‘connectivity-centric’, which means you have no more perimeter. It’s all open. You have machine-to-machine, you have interactions. You have no choice but to put security at your endpoint. You need that security to be based in a hardware root of trust.”

Gardner noted, “You really have to start moving to a multilayer security approach. It starts, of course, with the root of trust built in the hardware.”

That includes everything from home appliances to commercial and industrial applications. “One of the biggest hurdles we have is just getting people, even though there’s been so many hacks going on, to realize they really need security,” said Tim Wilson, senior staff architect for the MCU32 business at Microchip Technology. “Unfortunately, they need it in their refrigerator, because it’s tied to the Internet, and they need it to all these millions of devices shoving data to the cloud because that’s the biggest holdback on IoT. People aren’t secure with the data they’re sending and can’t trust that it will remain anonymous. We really kind of scared the sheriff. If you really want us to scale across the trillions that people, the visionaries, are seeing, security has to be in hardware and it has to be in everything.”

Added Oivind Loe, senior manager of strategic marketing for MCUs at Silicon Labs: “I still remember the time where Apple computers were thought to be impossible to infect with viruses. They are very, very good products, but one of the reasons was that the installed base was so small. And as that installed base increased, it becomes a much more attractive target for people. And we’ll see the same thing with IoT as the number of devices out there grows. The attack surface is going to become much, much larger, and a more attractive target. We definitely need a good level of security. We need our customers’ confidence in these products that they will not let people just walk right into their houses, because these devices let them. So, yes, security is important here.”

Loe noted that security has been available to developers for a long time. “A lot of these different things have been accessible. But when you’re trying to get a product out, and your product marketing guy is pushing you to get it out even faster, and you need to stay at the same cost, it can be really hard to prioritize. You need to become experts in security. It’s hard to make a product secure. This is one of our jobs here, making it easier to implement security, and also reducing the cost, when it comes to the actual product cost, and the time-to-market.”

In another panel session, Joe Circello, core and platform chief architect in the Security & Connectivity Business Unit of NXP Semiconductors, Microcontrollers Business Line, observed, “Things that formerly were offline have now become online.”

Added Brian Davis, vice president of the IoT Business Unit at Renesas Electronics: “Customers and companies that want to enter the IoT, they need to fully build in the incremental complexity cost into their business analysis, their business proposal, and it needs to include security.”

That message was heard repeatedly at TechCon, as well as a number of other conferences over the past few months, espoused by a growing number of companies. “IoT devices are always connected to the Internet,” said Jason Lin, president of MCU applications at Nuvoton. “Security is a must and a need for an IoT device.”

Behrooz Abdi, president and CEO of InvenSense, the microelectromechanical systems (MEMS) sensor platform company, said last month at the fifth annual InvenSense Developers Conference that we are in an era of ambient computing, meaning agents, devices, intelligence, and sensors combining for the Internet of Things.

“We see everything as connected sensors,” Abdi said. “Sensors need to enter a new era – smaller, lighter, more integrated. You have to solve the power problem at the system level.”

InvenSense now has more than 40,000 developers working with its products, software, services, and intellectual property.

Performance, power, safety, security – these all have to be checked off at the outset.
