Experts at the table, part 3: Why existing standards are insufficient; different strategies for securing connected devices; the widening impact of cost control.
Semiconductor Engineering sat down to discuss security issues with Asaf Shen, vice president of marketing for security IP in ARM’s Systems & Software Group; Timothy Dry, principal staff marketing manager for the Industrial IoT segment at GlobalFoundries; Chowdary Yanamadala, senior vice president of business development at ChaoLogix; and Eric Sivertson, CEO of Quantum Trace. What follows are excerpts of this discussion. To view part one, click here. Part two is here.
SE: With increased connectivity, we open up doors into the network, the chip and the software. Where is the best place to seal the borders?
Yanamadala: Several years ago, securing the network was good enough. Now each part of the chain has to be secured in a chain of trust. The network, the software and the hardware all have to be secure. The hackers always will look for the weakest link in the chain, so if the hardware is not secure, that’s where the problem will be. It doesn’t matter how many bits AES (Advanced Encryption Standard) uses. AES is mathematically strong. But when the keys are being transported, then the cryptography is strong but the implementation is not.
SE: We have up to 100 IP blocks in some chips, processors from a variety of vendors, multiple levels of connectivity over wired and wireless connections. Can you really seal that up?
Yanamadala: We need to differentiate between trusted resources and non-trusted resources. So architecture definitely plays a role. Then you need good cryptography. That means not just good math, but also good implementation. The root of trust is required at the hardware level. And then off-chip security is required, as well. ARM TrustZone is one good example.
Shen: That’s at all layers—the network layer, the communications layer, the software vulnerabilities, and then the hardware itself. We refer to that as platform security mechanisms. There is a whole list of mechanisms, starting with isolation of execution, so that even if things go bad in one execution environment, the crown jewels are not exposed. There are all kinds of mechanisms required to ensure the confidentiality, integrity and authenticity of assets, whether it’s code or data belonging to different stakeholders. The key point here is future-proofing. You cannot have robust future-proofing without a root of trust. Baking that into the design early on, along with the ability to update and fix things, is the key. At the end of the day, some vulnerability will be identified somewhere.
Sivertson: You can’t seal these borders. They’re going to morph. There are new technologies coming into the forefront. There is a company in San Diego called Ingenu, which makes a really interesting connectivity solution. You won’t have all the IoT devices in the world running on Verizon. Bringing these devices together is the big paradigm change. It’s two machines talking to each other through some channel tied back to the Internet protocols. You can’t seal that, and you don’t want to seal that. You need to be able to use multiple channels to get information through, so that when a denial of service affects one area, you can use other channels to get the information.
Yanamadala: One of the main issues is whether there is enough motivation to fix these issues. It comes down to who will pay to fix these issues.
SE: Let’s talk about the money aspects. Given enough time and resources, anything can be hacked. How do we define a good-enough level of risk? And what’s an acceptable balance of cost versus risk?
Yanamadala: There is certainly need for an orderly progression of security features, starting from a root of trust. But the device owner doesn’t really care if a network gets attacked, as long as it still works. It’s not like a phone where you have Apple, Google and Microsoft working on these problems, testing them and applying patches after release. With IoT devices, margins are much lower. They don’t have the teams or the expertise to allow these kinds of fixes. Neither the users nor the manufacturers are interested. So it may require another entity to step in and force everyone to raise the bar.
Dry: That’s what happened with smart meters. The original versions of smart meters had no security or very little security. A lot of that was based on software. There was a secure element device available, which was a SIM card, but the smart meter manufacturers would not entertain the idea of spending a dollar extra on a $50 BOM. When the fear of all these hacks came, the chip guys were forced to lower their margins and the meter manufacturers were forced to lower theirs. It’s like insurance. At some point it’s either mandated where you have to have it, or it’s there de facto.
Yanamadala: A one-dollar increase is not the problem. It’s the relative cost that’s the challenge. But to secure a chip is much easier than trying to secure it afterwards at the system level. With Mirai, it probably would have cost a few pennies to secure the board-level design. Now the manufacturer has the direct cost of recalling devices and the cost to the brand. Some of the leaders in the industry have been thinking in these terms. In the long term, they recognize they can save a lot more money because it’s much cheaper to secure devices at the silicon level than having to bolt on security, which also doesn’t work as well.
SE: When you buy a toaster you don’t expect it to take down Amazon. That’s a problem that needs to be addressed. But it’s even more disconcerting in the industrial and automotive markets, where chips may be in use for more than a decade. How do you deal with that?
Sivertson: Crystal-ball reading is hard. Moore’s Law is starting to be proven wrong. You have to have a solid identity. As long as you have a solid identity for something, you can build a lot on top of it. But the next thing you need to be able to do is have a very programmable structure at multiple levels. Whenever you’re designing equipment you want to build in the most flexibility for what that device can do. With the Mirai attack, the problem was that the password was locked at the default state. You couldn’t change it. When you don’t allow flexibility in the foundation design, that’s when you run into the biggest problems. Lots of flexibility makes more attack surface, but you need that flexibility to allow it to change over time.
Shen: If you look at how NASA designs their systems, there are no unknowns. In our case, there are known unknowns, and it’s a good idea to have your own password. You need security policies and procedures that can address these known unknown problems. So with Mirai, there were known unknowns, but we knew the space through which an attack might come. These classes of problems are easy to deal with conceptually. For unknown unknowns, there’s not much we can do other than plug all of the holes that we think exist.
Dry: Even though the process is getting smaller and smaller, the die size will stay the same because you need more memory and over-the-air updates. More and more of the chip is devoted to dealing with software. That’s what happened with smart meters, which are a gateway between the outdoors and the indoors. The promise was that utilities would be able to control electricity consumption. They rolled out a protocol, then they changed the protocol and the new protocol didn’t fit in the chips. So they had to roll out a gateway box that fit in between.
SE: What does that imply for future design?
Dry: The goal of future-proofing designs should be 10-plus years. That’s the best way to prepare for unknowns. Electric meters used to be 15-plus years. The first wave of smart meters was designed to last 10 years—some say 7—due to connectivity changes with ZigBee Smart Energy 2.0 and security.