How Much Security Is Enough?

Experts at the table, part 3: What needs to be secured most, what’s going to induce vendors to add security, and why consumers aren’t raising more of a fuss.


Semiconductor Engineering sat down to discuss the current state of security and what must be done in the future, with Denis Noël, head of cyber security solutions at NXP; Serge Leef, vice president of new ventures at Mentor Graphics; Andreas Kuehlman, senior vice president and general manager of the software integrity group at Synopsys; Simon Blake-Wilson, vice president of products and marketing at Rambus‘ Cryptography Research Division; Lawrence Loh, group director at Cadence; and Bernard Murphy, CTO of Atrenta. What follows are excerpts of that conversation. To view part one, click here. To view part two, click here.

SE: Are people willing to pay for added security on things like smart cards?

Noël: The market for this is finally increasing. There is now tamper-resistance on the smart card to improve security. The security in cards is already pretty strong, and the development of tamper resistance is pretty advanced. So yes, the industry is ready to put money on the table and add sufficient counter-measures to limit probes. It’s easier with this group, though. It’s a group of banks, and it’s easier to make decisions because they can control the product cycles.

Leef: So this is a case where the security people can unite?

Noël: Exactly. And when you discuss security with banks, they know what it’s about. If you discuss security with any embedded security developer, that’s another story.

Blake-Wilson: You need standards in place.

Kuehlman: But if you look at why it’s going to change, it’s not going to be standards. People need to be economically forced at add security. That’s the only way it’s going to happen. The only way that happens is when the liability laws change. If they have to pay if your privacy is violated, they will take notice. With the automotive industry the laws are being set up in such a way that if you cause a death, then it can force a recall. Security standards are always bad.

Blake-Wilson: I agree there has to be some kind of fundamental economic driver. In payments, the clear economic driver forced everyone to come together on standards, which then became useful. Otherwise it would have been a free-for-all. Whether that driver is economic, regulatory or legal, it’s crucial.

Noël: In the payment industry, there is a matrix of security. They have defined security numbers.

Kuehlman: The only wrong answer is that you don’t have a strategy. They know it doesn’t do anything.

Noël: They don’t want to spend money, but they know they have to do something.

Leef: Banking people are more mature in this area.

Blake-Wilson: If you look at the automotive space, everyone tries to deploy a piecemeal proprietary solution. To be successful you need to take a standard and provide meaningful security.

Loh: Functional safety makes a difference. Your point about financial motivation is true, but that needs to be combined with regulation. If you look at car insurance, it’s not mandatory. If you don’t crash, nothing happens. But it’s required. You have two ways to make people buy it. One is to increase the liability. If you make a mistake, you’re in deep trouble, so more people buy it. But that has to be combined with some regulation. And maybe, if you comply, your liability is less. We need to come up with better regulations that make sense.

Leef: Someone was asking about business models and how you sell security. Are you selling antibiotics, aspirin or insurance? There are different price points for those three things. If you’re selling antiobiotics, people don’t care how much it costs.

Kuehlman: IT departments spend their money on real-time monitoring security. They don’t spend their money on nice coding where the applications are well written.

Leef: We deal with a lot with national security players, and they are under the impression that they are constantly under attack. They never share the information with us.

Murphy: What they care about are hardware Trojans and all kinds of things that are very far off the radar in the commercial world.

Leef: Hardware Trojans are a good example. They tell us we should be working on this because it’s a huge issue. But then I talk to mil/aero customers and they say they’ve never seen one. So the government may be seeing a lot of stuff they’re not going to show us, and I don’t know how to monetize helping them.

SE: What happens now that you start interconnecting everything? You may have a design that’s secure, but you’re connecting to something that isn’t secure.

Leef: It’s a piecemeal solution. You have to take a step back and think about where is the perimeter of your system. In IoT, your perimeter is long and skinny, with an app on one end, a gateway edge node on the other—that’s a lot of attack surface.

Murphy: That’s why this whole concept of software updates is a problem. It sounds great to do software updates for a car until you consider security.

Kuehlman: The network can give you access to interactions that they were not designed for. People design for functionality. They don’t design for corner cases that nobody thought through. You’re selling the functionality. You’re not selling non-functionality.

Loh: We do need to step back and look at the infrastructure. But after that we need to zoom into the individual pieces and see how they contribute to the overall device and find a solution for each piece. If you want to look weaknesses in security for an overall device, that’s too broad. You’ll never find them all. But if you look at the individual pieces and figure out how each of them is vulnerable, then you can solve the problems.

Leef: This is where the opportunity for standards may exist. If you accept that the IoT topology looks like an edge node, gateway, central node, app—if you accept this is more or less the information flow, then you can start thinking about regular interface points between those pieces. Then you can say the only way a cyber-physical system comes in contact with the Internet is through this interface, you have narrowed the attack channel. Then startups can form and we can build walls around this because we know what to defend.

Murphy: One of the key points is that the walls don’t just fit in a device. They have to fit around a whole bunch of stuff.

Loh: Ideally, you want everyone to do everything they can to make a device a secure. But the reality is they will have this much money to spend. The challenge is how you can encrypt everything beyond the solution they sell. It’s scary how easy it is to hack something once you know the design. Hardware really is only a problem if software can take advantage of it. But if a hacker wants to hack a sophisticated software encryption engine, it’s a lot harder than if that is in JTAG. Everybody has to do their part and do the best they can, and the people who analyze the system need to do that as clearly as they can. Hopefully what you come up with is better than nothing. But it takes a whole ecosystem.

Kuehlman: An engineer is looking at the formal verification of the interfaces. But if you look at the software world, they know what good programming is. Languages are well understood. So what do we do? We go from Java, which is bad, to Javascript, which is worse. Anyone with a computer science would say, ‘Why would you possibly do this?’ But this is the way the world is moving. It’s moving in the opposite direction. So unless there is a huge economic lever, better security isn’t going to happen.

SE: The smartphone is a key device in all of this, but if you think about a smartphone the major concerns are battery, price and performance. Security can impact all three, right?

Murphy: Yes, and that’s why you don’t have antivirus software running on your smartphone. It would burn a whole lot of juice.

Blake-Wilson: If you look at a phone, you can say they’ve done a pretty decent job in terms of security. It’s not always as clear-cut as you have to compromise on battery life.

Leef: There are some approaches that are not that expensive. There are some things you can do at boot time. There are some things you can do during the idling of the OS.

Murphy: But when you’re buying a phone, are you buying it because the battery lasts three days and it has a lot of features on it?

Blake-Wilson: Security is certainly not the main consideration for any user.

Leef: But do users actually believe the Internet or any cell phone they use are secure?

Kuehlman: Secure is an amorphous term. If you’re paying $1,000 or $500 for a device, that makes sense to people. Security is abstract.

Leef: The other side of this, though, is that of the trillions of conversations going on in 1 square mile, what are the odds that your conversation is the one that someone will listen to? For the average consumer, the odds that someone cares about what you’re saying are minimal.

SE: Until they plug a phone into a computer, right?

Leef: There is no privacy, no security. Whatever you type onto any application on your phone or a computer, envision yourself explaining this to a prospective employer. If you cannot adequately explain it, don’t say it.

Murphy: Look at USB sticks. We all know those are absolutely the best way to get horrible things even into the center of the Pentagon.

Noël: That’s the tradeoff—convenience and security. The consumer is concerned about it and cares about it, but they expect it to be solved.

Loh: The consumer doesn’t care because they don’t understand what it means. If you’re spending more money to make it secure, is it more secure than others? What’s the difference? Will it guarantee this can never get hacked? It’s an important feature.

Kuehlman: But then they’re using it for mail.

Leef: In some neighborhoods you can’t sell locks. But if you go to other areas, you can sell space-age locks and iron bars. It’s the immediacy of the threat that will drive demand.

Loh: There are two extremes. On one hand there are people who say, ‘Nothing is going to happen to me.’ On the other hand there are people who are so paranoid that they will take measures to make sure nothing ever happens. But it’s really hard to make these two extremes interact.
With a lock it’s clear what you’re buying. But there is nothing to show that if you use this algorithm you’re going to get 70% fewer attacks.

Murphy: You’re competing with crisis overload on everything from Ebola to political problems. This is just one more crisis. The fear dissipates because you’re onto the next horrible thing that could happen to you.

SE: So whose responsibility is this? Is it the company selling the device, the company selling the service, the application, the connectivity—or the consumer?

Murphy: The solution provider that provides an end-to-end solution.

SE: Is that Verizon or AT&T?

Leef: No, it’s the guy who sells you the intelligent lawn sprinkler. They have the sensors, the aggregator gateway, the connection to the cloud. He’s not selling you IoT. He’s selling you intelligent sprinklers. The fact that it involves four different diversely placed entities is an implementation detail. His responsibility is to make it secure.

Kuehlman: But if you buy a router, you’re hooking into an Internet connection from someone else.

Noël: If it involves safety, government needs to be involved.

Leef: The consumer will perceive the seller of the solution is responsible. But you’re right, there are third-party stages involved that are not in total control.

Loh: Responsibility in this case means liability.

Blake-Wilson: There is no one answer to this. I’m hesitant to say it’s the consumer’s problem. It starts with the service provider, who will pass it on to their suppliers, and so on down to the chipmaker. For the professional user, it’s a little different. Most organizations have an IT department that would be expected to take on that responsibility.

Loh: One thing that’s needed here is to educate the consumer. Then they can place a higher bar on the end solution provider and it will go up the chain. At the other end, some level of enforcement is needed. It needs to come from both sides.