In safety critical industries, systems vendors are demanding security. In others, it’s still a risk-benefit equation.
Ask any two executives in the semiconductor industry about security threats and there is a good chance you will get two totally different answers. The disturbing part is they both may be right.
In markets where there is no physical danger to people, security always has been viewed a risk versus profit equation. At conferences over the past year, numerous executives have touted the Transport Layer Security (TLS) as a sufficient safeguard, for example, despite the fact that it has done little to stem the rising number of breaches in markets where it was deployed.
Where lives are at stake, such as the automotive, medical and aerospace markets, attitudes about security are different. From initial architecture through manufacturing and into post-silicon testing, supply chain tracking, and over-the-air updates, security is being taken very seriously.
Adhering to industry best practices always has been a good legal defense. But with breaches involving connected, driver-assisted vehicles, there is no legal precedent. And with an estimated 60 million new cars sold each year, all of them using varying levels of connectivity using technology that is still evolving, risk is significantly higher. Also at issue is damage to a corporation’s image, such as the controversial hack of a Jeep. In light of that, chipmakers and IP vendors say Tier-one and Tier-two automotive suppliers are very focused on improving security and reliability of software and hardware components, as well as internally and externally developed IP blocks that contain both.
“There are hundreds of electronic control units spread through the car, 100 million or more lines of software code, security issues, infotainment, driver assist,” said Wally Rhines, chairman and CEO of Mentor Graphics. “This is a lot of change at once. But one of the things that becomes obvious to all of the car manufacturers is that, for security reasons, they have to isolate safety subsystems effectively. Some would say you can’t even allow electrical connections. That changes the architecture of the car. And with the embedded software, no matter how good you are, you’re not going to write 100 million lines of code without bugs and doors for hackers. So you have to be able to update quickly and easily. Tesla has set a model for the industry being able to do that.”
The danger is that for every company that is doing it right, they ultimately may be connected over the Internet to others that are not doing enough.
“The challenge with security is that it is not just a part in a solution,” said Mike Eftimakis, IoT product manager at ARM. “You need to build in trust at every step. And with a divide-and-conquer approach to design, it’s necessary to include lifecycle security. You cannot avoid attacks, and the risk of intruders is increasing. So you need to add control into a device to check what is happening, and you need to be able to program it and restart it from a good base. We call this a chain of trust, and it cannot be impacted by tampering. This is the element used to refresh or reprogram a device. You also need to be able to disconnect a device is that control cannot be recovered.”
Eftimakis said that TLS is simply one protocol in a security stack, which by itself is insufficient. “TLS deals with the communication between devices, but there are other types of security that need to be considered. Complex systems are running many different types of software that are not controlled. The complexity of a device may not be high or the software may be a small part of the whole solution. But what’s clear is that security is not an option for any device. Everyone will require security. It is not a differentiator anymore.”
In the past, hardware was assumed to be far less vulnerable to hacking than software. While there was always a risk in certain markets, that risk was generally well understood. “I remember a large company that had acquired a small pacemaker company,” said Aart de Geus, chairman and co-CEO of Synopsys. “They divested it because the large company could not take the insurance risk of the pacemaker killing someone.”
Perceptions are changing, though, because a hardware breach in a connected world can be much more valuable and far-reaching. For hackers, keys that are used to secure a device are a potential bonanza.
“If the keys leak, security is compromised,” said Asaf Ashkenazi, senior director of product management in Rambus’ Security Division. “If you can crack into a key, you can replace the software and remotely control a device.”
He noted there are three main times when the keys can be compromised—when they are provisioned, when they are used, and when they are stored.
“Sometimes people forget about how a key gets into a device. The provisioning part can be complicated to do securely. There are a lot of devices manufactured in environments that are not secured. It also can be extremely expensive. And sometimes it doesn’t work well. So you may try to hide a key, but once someone gets a hold of that then all the keys are compromised.”
Storing the keys adds its own set of issues. Typically they are stored in memory, which is subject to side-channel attacks or direct attacks in which the package is physically ground down and probes inserted. “No one solution protects against everything,” said Ashkenazi.
Memory IP vendors are well aware of this. Lee Sun, an field applications engineer at Kilopass, said that metal fuses in one-time programmable memory can begin to grow back over time as debris using debris created during programming. “Antifuse OTP is more secure than eFuse,” he said. “With eFuse, it is easy to view the contents of the memory since the fuse is large and visible via electron microscopy. With antifuse, the programming is done underneath the gate and the breakdown is so small it is virtually impossible to obtain the contents of the memory using invasive means.”
Understanding where the doors are may be the simpler problem, though. “It’s not easy to introduce signals and look for patterns, so that’s a deterrent” said Drew Wingard, CTO of Sonics. “A lot of the work in this area came out of secure media content and it’s pretty well understood. What we’re worried about now is a defect on a chip inadvertently exposing something. What are all the possible failure modes?”
Wingard said another problem is that while external transactions are restricted, internal transactions typically are not. “We need to build systems that are secure at each level,” he said. “One way to do that is to architect systems that are, by default, ‘access denied.’ You grant access only where needed. Everything is considered confidential.”
Marvell CTO Zining Wu agrees, noting the problem in many cases is approaching security differently within a design. “Security is one of the most important elements in design, but this is a process change for many people. The technology is already there. You have to make sure a key is secure and in a secure position and that no software or hardware touches it.”
Wu noted that a “chain of trust” handshake needs to be implemented, but he said much of this already has been created on the computer side. The challenge now is getting people to use it correctly.
Adopting this kind of restrictive design is new to most industries outside of defense. But as more markets transect each other with the Internet of Things, the risk equation can change very quickly.
“Even if we have a methodology that truly should capture all security issues, after a product is shipped a new hack may be discovered,” said Synopsys’ de Geus. “We have a capability today that allows us to help our customers find the fingerprint of open source software in binary code. There is a registry of open source software with the vulnerabilities, which is updated all the time. If you are diligent and ship your product and then a new one is discovered, we can inform you. Do you want to know? Do you want your customer know? These are moving targets. That will bring about a set of interesting challenges of how we deal with it.”
On top of that, much of this technology is new. While that works well enough in consumer devices such as smart phones, it’s a different matter in industrial or safety-critical markets. No matter how diligently companies define use cases, there are always corner cases that no one expected.
“It’s a learning experience,” said Lip-Bu Tan, president and CEO of Cadence. “We’re learning with our tier one customers. There are a lot of new problems they’ve never had to deal with before. There is more processing and machine learning and intelligence.”
Technology companies are still trying to comprehend the impact of pervasive and continuous connectivity on increasingly complex technology. Standards are insufficient, not everyone is playing in the same sandbox with equal regard to security, and there are rising concerns that a failure by one company can inadvertently affect another in far more profound ways than in the past.
While it has always been true that a company is always as good as its partners, it also may be true that a company is only as good as other companies to which its products are connected—perhaps not even in the same market or region of the world. The effects, as you might expect, are not always predictable.
Grappling With Auto Security
The search is on for a way to balance connectivity, performance and security.
IC Industry Waking Up To Security
More companies recognize cybersecurity needs to be built-in from the beginning.
Securing Chips During Manufacturing
Can directed electron writing change the security equation?