Is Security All Talk?

The semiconductor industry has finally started discussing security. Now it needs to actually do something.

popularity

Security is the No. 1 recurring theme at conferences these days. And given the explosion in the number of conferences this year—up to a half dozen some weeks just in Silicon Valley—that’s a lot of attention being showered on security.

At nearly all of these talks, there is at least a mention about recent breaches, pervasive and persistent risks, and the growing threat level. The topic of security is front and center in discussions about autonomous vehicles, and it has made its way into panels and presentations about medical and industrial IoT.

After sitting through literally hundreds of these presentations, there are some observations to be made:

1. Everyone recognizes there is a growing problem.
2. Everyone has developed at least some plan for what they’re going to do.
3. Those plans are being succinctly drawn out in some very sophisticated PowerPoint slides and graphics.

But when it comes to actually implementing security, things get a bit murky. Implementation costs money, and no one wants to pick up the tab–not consumers, not investors/stockholders, and not the systems vendors or carriers. Perhaps even worse, some device makers insist that their products don’t have to be secure, an argument that seemed to slip beneath the radar until last month, when the Dyn distributed denial of service attack showed that armies of these insignificant things could be strung together as a botnet and take down some large businesses that take security very seriously.

Dig deeper and you find there are at least a couple levels of security, as well. There is security for banking and credit card transactions, which is based on the Transport Layer Security. TLS is considered state of the art, which is great when it comes to a liability defense. But most security experts view it as just one piece of what’s needed, and given the growing number of very public breaches in the news over the past few years, they seem to have a point. And as technology becomes more integrated into safety-critical markets such as healthcare and automotive, that level of security isn’t going to be sufficient.

The second level of security requires a complete end-to-end understanding of how systems can be breached, starting from the initial architecture of the chip, the software and the networking infrastructure, and following that through the entire supply chain. You can do everything right on the design side, and still have a counterfeit part inserted down the line. Or you can design everything right in silicon, only to find the software is full of holes or, in the case of an autonomous vehicle, that the over-the-air update has been compromised because the authentication keys were hacked.

And that’s just the beginning. Security is a constantly evolving challenge, and it has to be dealt with quickly using the same kind of rapid-response protocols that operating systems companies have been deploying for nearly two decades. If there is a breach, you issue a patch quickly, and maybe another patch following that to close up any remaining problems. In the automotive, healthcare, industrial or medical markets, there isn’t any kind of consistent rapid response infrastructure.

Moreover, there are so many pieces being developed by companies across a global supply chain—more than 100 separate IP blocks just in some SoCs—that it’s inconceivable they will ever use equivalent security protocols without the threat of exclusion. It’s hard enough to get some of the smaller IP companies to characterize their IP for various use cases. That now has to be done for security, as well, based upon system-level standards that so far don’t exist, and when they finally are implemented will be in a constant state of evolution.

Talking about security is a first step. The conversations are beginning, and some companies actually have been working on this problem for at least the past half-decade. But unless some standards are introduced, and some choices are made to exclude those who don’t comply, then the risk increases that none of this will work. This is, after all, a chain of trust. And if you can’t trust one link in that chain with the same level of confidence as the next, then all of the detailed presentations about security don’t matter.