Experts at the Table, part 2: The value of certifications; how a growing list of IP suppliers can impact security; will devices ultimately be secure enough and when will that happen?
Semiconductor Engineering sat down to discuss whether the Internet of Things will be secure enough, or whether it will create new security issues, with Sami Nassar, general manager of NXP Semiconductor; Oleg Logvinov, director for special assignments at STMicroelectronics; and Lawrence Loh, application engineering group director at Cadence. What follows are excerpts of that conversation, which was held in front of a live audience at the IEEE Standards Association IoT Workshop.
SE: You’re only as good as your partners, and with complex designs everyone has lots of partners—some known and some not. When you have updates to fix problems they may not be reflected across designs or ecosystems. How big a problem is that in the IoT world?
Nassar: That’s a very big part of the IoT. There are ecosystem players that put their name up front, and there are lots of companies that will gravitate toward that. But between major ecosystem players and certification bodies, you have to make sure all the components are certified at a system level or validated. That’s key to security. If you play independently from the chip and the cloud, we will have a problem.
Logvinov: I agree, but this problem gets more complicated as we bring players from a variety of verticals to embrace the same platform or multitude of platforms. We need to figure out ways of providing them with certification, but we also have to start thinking about whether there is something we can do with data exposure to create a framework for additional security. A framework for data abstraction models can help us manage the risk of exposure for certain data. And that’s bi-directional. It’s data we expose to someone else, and someone who tries to take over and control our device.
Loh: For data certification and other certification, that’s a necessary but not sufficient condition. Just because you’re certified doesn’t mean you’re not vulnerable. Certification is a way to set a minimum bar. For some applications it’s more important than others. So if you have a banking application, they’re going to do a lot more than just certification to make sure the user feels comfortable and the data is secure. One tricky thing about security is that the hackers openly share how vulnerable something is so people can do one better, but the people who deal with those hackers don’t want to expose what they’ve found. It’s one against many. We need committees to improve the certifications and the requirements, and to communicate what the latest vulnerabilities are and how to overcome them. That’s one of the most important ways to get a handle on this and not leave it in the hands of the weakest link.
SE: There’s a supply chain side to this, as well. If someone produces a chip with a back door or a link to something else, or there’s extra circuitry built into a chip after manufacturing, how do we safeguard against that?
Nassar: That goes back to trust and certification. In business you always have trust and security.
SE: But isn’t that contrary to the basic tenets of security? You can’t trust anyone.
Nassar: Yes, and you trust fewer entities. You need to look at it from every layer. At the IC level, there are rules and processes to make sure you don’t get Trojan horses or something that shouldn’t be part of that chip. There’s a lot of certification today that can flush it out. But that’s not enough. Once you get out of the chip to provision it with some data and keys and identity, there are processes today to do that. Even that’s not enough. Once you link that, there are layers of software that run on the device. And then you have to look at the whole device and see how it interacts with the whole network. A smart grid is one of these IoT applications. We’re seeing events where you pick an end point, and from that end point you attack the network. Every entity connected into this grid needs to be authenticated, not only for access but for integrity, to make sure it hasn’t been tampered with. Depending on the application, you need to go higher or lower on those stacks.
Logvinov: As we talk about how to keep it secure, we need to start thinking about device lifecycle management. That includes not only being able to authenticate a device once, but to manage throughout the lifecycle of a device to see if any change occurs to the authentication and certification, and to keep track of what’s happening. But how do you really ensure in the supply chain that nothing happened? It’s possible if you apply enough resources to it. As an example, no one knew what the iPhone 6 would look like until it was announced.
Loh: There are two categories for supply-chain back doors. One involves bending the rules of the system requirement, which is how data comes in and out of a device. If they’re violating that, hopefully the certification will find those and have clear requirements about what to do. On the other side, you may design something and you want a direct link from your processor to your graphics processors. You’re not supposed to, but you assume that outside no one will notice. If there is a link there, it’s supposed to be part of the discipline for the supplier to make sure rules are obeyed. They should have visibility into the system architecture and know what it’s supposed to be. Both sides are responsible. But it makes it harder for people to find a vulnerability when the designers are secretive, and it gets worse when they don’t share how to keep it secure. Sometimes we miss clever ways to exploit a vulnerability because people don’t like to talk about it.
Nassar: Securing the supply chain goes beyond the Internet of Things. But how would you know the daughterboard being built at Company X is authentic and no substitutions happened? And how can you protect your own IP when you create an accessory of any part? It’s possible to build chips that determine authenticity of any component or board that ships out of the manufacturing facility that could be injected into the development process. If my system looks for authenticity before it boots up or accesses other services, you can control that with a chip. And you can make sure that if you contract for 100,000 chips to be made, there are not more than 100,000 of them made. You can control how many parts are replicated. If someone is replicating outside of that, they will not have access to that system. This is how you build an anti-cloning mechanism. This protects your revenue and adds to the quality of your total system because you don’t have rogue elements in it.
SE: While we all want security, it still costs money and requires extra effort and retooling of the supply chain. How do we twist it in that direction?
Nassar: If you look at smart grids across the globe, you see very different behavior and security levels being implemented in different countries. In China, it’s mandated and everything is at the highest security. In Europe, it’s recommended and governments are pushing for regulation and a minimum level of security. The answer is more driven by industry with guidance from government, which says it’s good to have this and that. Ultimately everyone will get to the end point where the system is secure at the highest level, but the adoption rate is different depending upon the environment you’re in and the ecosystem around you. This is due to the fact that the companies moving into this connected world are not necessarily aware of the dangers of it. The meter companies are advanced in their domains, but they don’t have the experience of being connected to an IP network. They cannot imagine the sophistication of hackers who can break into their software stack and take over a meter and change the software. Those are new, dangerous threats that vertical markets need to get educated on.
Logvinov: The question is whether it’s possible to make everything secure. The answer is potentially, but it would be a very high cost. We’ll see the ecosystem settling on what is secure enough, and deal with the issues of compromised security on a case-by-case basis.
Nassar: The companies that are more conscious of that will be more successful.
Logvinov: I disagree. We’ll see the same kind of ‘S’ curve as we’ve seen in other industries. We’ll see a flood of products that are lacking security, which may be more successful than products with security built in, because they are less expensive. The market will settle itself back to what is secure enough and good enough and provides an adequate level of protection.
Loh: There will always be a gap. If there’s no gap, it means there are no security issues. But the gap will widen and narrow like a pendulum, depending on which one is catching on. If we go two years without a security problem people will forget about security and choose the best price. Then a crisis hits and people go the other way. I don’t think it will be one direction where it keeps widening. It’s the same for functionality and power, too.
Part one of this roundtable discussion can be found here.