How Much Security Is Enough?

Experts at the table, part 2: Safety and security may be relative terms in connected cars; what you get for an extra penny; why smart meters don’t use encryption.

popularity

Semiconductor Engineering sat down to discuss the current state of security and what must be done in the future, with Denis Noël, head of cyber security solutions at NXP; Serge Leef, vice president of new ventures at Mentor Graphics; Andreas Kuehlman, senior vice president and general manager of the software integrity group at Synopsys; Simon Blake-Wilson, vice president of products and marketing at Rambus‘ Cryptography Research Division; Lawrence Loh, group director at Cadence; and Bernard Murphy, CTO of Atrenta. What follows are excerpts of that conversation. To view part one, click here.

SE: Automobiles already are part of the Internet of Things. How secure are they?

Leef: Recently I was moderator on a panel involving automotive security. They all said, ‘Please don’t bring that up. We have no answers.’ I began asking around in our company and asked one of our chief scientists how easy it is to break into a vehicle. He said it’s trivial. The best way to get in is through infotainment, because that’s the thing that’s most connected. But once you’re in there, the only thing that’s keeping you from accessing every part of the car is an understanding of how CAN, Flexray and Ethernet automotive networks work is understanding access to messaging tables. All the OEM companies have them, and they’re actually fairly available. If you’re willing to read through 3,000 pages of an automotive manual, you can take over the vehicle—every function that’s by wire. Where do you draw a perimeter around this system? Once you break into the infotainment, you’re in the henhouse.

Murphy: This all comes back to what motivates us, the consumer. We’ve already seen breaches in Target, in Citi, and in a bunch of other places, and somehow none of us have retained that danger. The security drivers are still going to come from the suppliers in the industry. With banking, we don’t see any need to worry about security, but the banks and the credit cards are worried. You get things like ApplePay, which is a little bit more of an end-to-end solution. Unless it has an impact on something like that, I don’t see it happening.

Noël: About 10% of the IoT value will be generated by the things themselves, and 90% will be from connecting them together. The key point for the industry is how you protect this value. There is a value. It’s financial. So for the providers exploiting this, what is key is the integrity of the data you collect from this. The connection to the cloud by itself is a service you need to protect. There is a high interest, and there will be a high interest in the future, for the IT players to protect their business.

Murphy: That’s true of certain verticals. I’m not sure it’s true across all of the IoT.

Noël: The IoT is pretty broad.

Kuehlman: I don’t think anyone gets it. Until someone gets sued and there is a huge recall, and all the liability laws get changed, nothing will happen. The software industry is the only one that does not have any liability. This will change the moment human life is at stake. Banks don’t care.

Noël: It’s risk management.

Kuehlman: Yes, it’s the cost of doing business.

SE: So where is the demand coming from for security hardware and software?

Blake-Wilson: We’re seeing this is a number of areas, and some of them are counterintuitive. One area we’re seeing them obviously is payments, and that’s an area where everyone can get their heads around the potential for massive losses. What’s being deployed in terms of security is arguably on the decline. People are launching solutions with software-based approaches. With mobile payments, the thinking is that you can decrease the security because the connectivity can buy you a lot. On the other hand, we also provide solutions into the ink cartridge counterfeiting market, and that’s an area where the security requirements continue to increase. That’s the one where we see the most sophisticated attacks. There are quite large companies that clone ink cartridges. We found that the cloner added their own solutions because they were worried about their competitors cloning them. It’s quite subtle where you see the security needs increasing and decreasing. But as to who’s qualified to do these risk assessments, the answer is no one. It’s a hard problem.

Noël: From a consumer standpoint, you know about your own information getting exposed without you approving it.

Murphy: But isn’t it back to what is really a concern?

Blake-Wilson: Consumers lose interest in almost any piece of news. It doesn’t mean that people don’t worry about their power supply being intermittent.

Leef: But there is still motivation. I managed the automotive business at Mentor for quite a while. OEMs have attempted to extract unlimited liability terms from us on many deals so that if our software kills somebody, they would like to put us out of business. We could never accept those terms, but the feeling that we got is that a lot of people who are selling stuff to OEMs are accepting unlimited liability or very high liability exposure, so there already is motivation to care.

Kuehlman: If human life is at stake, yes.

Leef: But even if you have a recall of 5 million cars, that adds up.

Murphy: Recalls are very expensive now. It’s $10 million-plus per recall.

Loh: But when do people care? There are more hacks than people know about. Two things make people care. One is safety, especially with automotive. I used to work on safety devices for cars. The second is a large, targeted security attack. But a lot of people are not qualified to make an assessment on security because they don’t have the right feedback. You can have a roomful of people presenting on security and everything they say looks good, but you don’t really know because the feedback of not there. How much information can we improve upon?

Leef: I don’t fully agree that it will take a targeted security breach to make people care. People already care because they’re subject to ISO 26262 and they care about it if they kill one person because it’s a huge brand damage.

Kuehlman: ISO 26262 is very weak.

Leef: You need to have a story. Whether it’s valid is questionable. But there is sufficient legal and financial motivation for you to do something.

Loh: That goes back to sophistication. ISO 26262 doesn’t do that much. We get very little feedback on it.

Leef: It’s been described as attempt to solve security through bureaucratic methods. But having said that, the OEMs are required to care. That means the tier-one suppliers are forced to care.

Kuehlman: But you still can take a car and hack it. Any kid can do this. The car companies are taking ISO 26262 and focusing on quality and criticality rather than looking at security and making it unhackable. This tells me the automotive industry is really not up to security.

Leef: The desire to comply with 26262 is rooted in European regulations. I was told by the OEMs they need to know our strategy on 26262 before they would read any proposal. The only wrong answer to this question is that you don’t have one. You need to clearly articulate a strategy, and hopefully in a language they can read.

Blake-Wilson: They do have a strategy, but it takes a huge amount of time to evolve. You can’t just flick a switch and say you care about security.

Kuehlman: One of the large automotive OEMs as of three years ago was saying that they were going to put a standard stack into connected cars. So everything we learned about hacking we can now use to hack a car. That was state of the art or the state of knowledge they had for how to build a connected car. It’s frightening.

Leef: The crux of all of this is to make sure that when you have two or more [electronic control units], through some inadvertent collaboration, they don’t cause a safety critical issue. This is dealing with design errors. It is not a defense against a focused attack vector. It isn’t like some smart person is trying to figure out how to cause the [antilock braking system] and the dashboard controller to collaboratively under certain conditions deploy a virus into the transmission. That’s not what we’re talking about. This is about design errors. These people are not even close to understanding what is the attack surface.

Kuehlman: And that’s the mindset that’s missing—that a malicious attack can exploit a loophole in the system. They just think about this in a quality or a statistical sense, meaning if you have redundancy you’re fine.

SE: So the problem is bad and everyone is in denial. What do we do about it?

Murphy: There isn’t a global solution. If you look at the power supply, the grid and what can be hacked there, smart meters have encryption technology but it isn’t enabled. They don’t want to train the guys who install the meters to do that because it would cost more. So you get all this security but it’s turned off.

Leef: The attackers follow the shortest path to money. It’s demonstrated by the two sectors that have the most side channel attacks and where the greatest market potential is, and that’s smart cars and cable TV. Those are the easiest things to attack, and the economic gain is obvious. You have to follow the hackers’ thinking, which is how to get to the money quickest with the least amount of effort. The real question is what’s next.

Murphy: IoT edge nodes are going to be very poorly defended.

Leef: But they’re pretty heterogeneous, so are you going to hack intelligent toasters or more interesting devices.

Blake-Wilson: One thing we need to focus on is ease of use of the solution. So Trust-Zone isn’t a big success because it requires a lot of work from the application developer, and not enough companies make the effort. If you make something that is trivial to integrate with, it will make a huge difference. It’s a good tradeoff of achievable targets, trying to address ease of use for the designers, for the managers of the devices.

Murphy: Yes, you can raise the bar, but not too high.

Blake-Wilson: And we also need to give them a step approach. They can approve security as a series of gradual steps rather than taking a big bite.

Leef: That comes back to the idea behind this discussion, which is how much security do you really need. We work on the hardware security to help people do secure system. So we encounter people whose part costs 25 cents, and the maximum they can afford to make it secure is 26 cents. They can accept one more penny, which means the economic versus security equation is already set. There are so many things they can do, and it doesn’t buy them much. But when you go to talk to military, and their part costs $8,000, they’re more than willing to throw everything that exists.