How To Scale IoT For “Time To Money,” Security

As IoT becomes more successful, hacking it will become increasingly attractive.


When it comes to design, IoT can be boiled down to “time to money.” It’s more complex than that, of course, but the unique, dynamic nature of the segment is changing the way we design systems and how we think about security.

“IoT is not a device. It’s delivering service across the cloud to connected devices,” said Nandan Nayampally, vice president of marketing with ARM. “In the IoT world, it’s not about delivering the killer SoC; silicon is a vehicle that delivers your killer solution.”

Nayampally made the comments during a busy week at the 2016 Design Automation Conference, where IoT was again a hot topic and security was on everyone’s minds.

Referencing the time-to-money challenge, Nayampally said that enabling the initial design is key, of course, but after that it becomes a very competitive race to volume.

“You can design for one vertical, but that vertical may not be enough to sustain you,” Nayampally said on a Chip Estimate panel. “You may need to scale this design for something that scales horizontally as well. The one thing we can do is lower the barrier to allow for rapid innovative design.”

For Frank Schirrmeister, senior group director, product management and marketing, with Cadence Design Systems, speeding verification and validation is key to nurturing a profitable IoT sector. “It’s tough to design monetization up front,” Schirrmeister said. He said wearables profitability can be elusive, given the uncertain volumes and competition. But there is profitability to be found around the device.

“For the startup, the question becomes how will I monetize? Is it the app? Is it the chip?” he said.

The scaling challenge
Today, most startups are small-scale affairs, some with crowd funding, some with funding from their own pockets. And it’s an era in which interesting designs get started on platforms like Raspberry Pi and Arduino. Just a few short years ago, startups needed big ASIC teams paying hefty NRE to get a design to market.

This transformation is extraordinary, but for most it’s only a start, and can be insufficient to get them to the next level of scale.

“Lowering the hurdle to design cost and verification/implementation cost is huge,” Schirrmeister said.

Outside of the maker/Raspberry Pi/Arduino movement, there are additional endeavors to ease IoT design and cost. At DAC, ARM expanded its DesignStart program to offer simplified and expedited access to EDA tooling and design environments from Cadence and Mentor Graphics. A new ARM Approved Design Partner program, also announced at DAC, provides DesignStart users with a global list of audited design houses for expert support during development.

Security and its complexities
But there’s an additional wrinkle in our collective drive toward a robust IoT market: security. The challenge is becoming unnervingly clear.

ARM Director of Systems and Software Jim Wallace says, “As IoT products become successful, they will become increasingly attractive for attackers and so appropriate security must be baked into every system and at every level.”

How this is executed is non-trivial of course. More traditional system design tended to have boundaries inside which robust security would reside: hardware and software. But with IoT there are a seemingly infinite number of applications, hardware and software variations, wireless protocols and so forth that expand the potential attack surface. We’re required to discover and plug all the potential holes, while hackers need to exploit only one to be successful.

“Any system can be cracked if the attacker has infinite time and money,” said Rhonda Dirvin, director of IoT Verticals for ARM. “The effort is generally proportional to the value of the assets.” (Dirvin keynoted Embedded TechCon, which was co-located with DAC this year.)

She added that security is “a balance between the cost and effort that you, the system designers, are prepared to invest to protect your assets and what an attacker is willing to invest in an attack.”

Wallace notes, “For IoT to succeed, we need to consider security as a system problem.”

He distills the challenge to a series of key questions:

  • How are the high value keys provisioned and protected?
  • How is critical software authenticated and isolated?
  • How is the device managed over its life cycle?
  • Which security communications protocol is being used to protect data in-flight?

“We also need to think about what is an appropriate level of protection given the value of the assets and the use of the device,” he said. “Given that many IoT devices will be designed by non-security experts we also need to ensure the solutions to these problems are easy to implement and scalable across different use cases.”