The Hidden Costs Of Security

CEOs look at price tag and slow adoption. Impact on power and performance could be significant.

popularity

There is no argument these days among chipmakers that security needs to be implemented at every level. So why isn’t it happening?

The answer is more complex than companies pinching pennies, although that is certainly a factor for some chips. The reality, though, is security carries a price for every facet of semiconductor design—power, performance and area. And the impact reaches much further if security is to be effective. It boosts the price of IP, the cost and time it takes to integrate that IP, and it greatly extends the time it takes to verify a complex design.

That’s just the obvious part, too. Done right, it also requires better supply chain tracking, better control of IP throughout the process, additional pre- and post-manufacturing steps, and full system testing and analysis.

Four industry CEOs addressed the security issue at last week’s ESD Alliance:

Simon Segars, CEO of ARM: “We are not making enough progress fast enough. Unfortunately, people are building things which are very unsafe and dangerous. We’re going to see more incidents of large-scale hacks over the next couple of years while the supply chain catches up with what you need to build into the hardware for the software to be built on top to enable data to be secured at source and then processed safely.”

Wally Rhines, CEO of Mentor, a Siemens Company: “There are all sorts of technologies available to us for designing chips that are more secure. The problem is the people who design those chips, and use them and sell them, don’t want to pay a lot for that added capability. My forecast is that sooner or later we’re going to have an embedded Trojan in a chip, or something like that, that causes someone to lose a lot of money or causes physical harm. Then the purchasers of semiconductors are going to come to their suppliers and say, ‘Would you mind adding this sentence to the purchase agreement that says there are no embedded Trojans or other things within the chips you’re selling us.’ They’ll ask the lawyers if that’s okay, and the lawyers will say, ‘Absolutely not.’ And then we’re going to get into a mode of what is best in class and what are people willing to pay for. And it will become a big part of what you do to design an integrated circuit, just like power analysis is today.”

Aart de Geus, co-CEO of Synopsys: “It’s a very complex problem. While some of the smartest people in this industry design these chips, some of the smartest people in the world have a mission to do the opposite. So we’re not dealing with the average high-school hacker here. We’re dealing with people that in our industry would have been fellows in companies. In that sense, there’s a very deep rooted set of issues that are not well understood by most of the world. Now, there are different issues on the hardware and software sides. But the biggest vulnerability points are sitting at these intersections because those are the least understood and they are new…Part of this will be multifold. We systematically start building [security features], and while we may not be able to prove that something is secure, we will at least live up to certain regulations. Regulation is a partial answer. Ultimately, security needs to be ‘secure by construction.'”

Lip-Bu Tan, CEO of Cadence: “Security is a real issue. On my board, we have a regular update on cybersecurity. And this isn’t just small companies. It’s big companies, too. The frequency is tremendous. We need to make sure that we are secure. Then we need to work with our key customers. It’s different for each vertical. There is hardware and there is software. But the question is also how much we’re willing to pay for that extra security. That still has to be tested. We’re all working on it.”

So far, there is no standard labeling on devices that determine whether one device is more secure than another, or one IP block is more secure than another. And there is no indication of how security will impact the cost of a device over time or the performance of the device compared to one that is less secure. Does it use more power? Does it slow performance for certain tasks? Can those tasks be isolated, either with virtualization or air-gapping?

Two separate efforts are underway that could nudge this along. One involves Underwriters Laboratory, a safety consulting and certification company, which is beginning to add testable cybersecurity criteria for connected devices. Industry sources say this program is being expanded, but whether UL-approved labels are actually added onto devices isn’t clear. A second effort is underway within the IEEE’s International Roadmap for Devices and Systems, the successor to the International Technology Roadmap for Semiconductors, which provided guidelines for semiconductor scaling from 1998 until last spring. IEEE ultimately could provide recommendations for how the industry moves forward on security.

But as any security expert will tell you, this is a hydra-headed problem. Having rock solid technology is only part of the equation. The rest is up to the user. Many users don’t know the difference between a secure routing scheme and one that isn’t secure. They rely on single-factor identification such as simple passwords because they’re easier to remember. And they rarely encrypt their personal data, which can slow things to a crawl on some devices.

All of this security takes longer to boot up, impacts overall performance, and ultimately uses more energy on every level to secure a device. And the payback isn’t always visible. It’s like insurance. If something doesn’t happen, was it worth the effort. We’ll never know. And then, what exactly did you pay for and why? And why is your computer suddenly running more slowly? Was it the security measures that caused the slowdown, or was it hacked?

Related Stories
Security: Losses Outpace Gains
Complexity, new and highly connected technology, and more valuable data are making it harder to keep out hackers.
IoT Security Risks Grow
Experts at the table, part 3: Why existing standards are insufficient; different strategies for securing connected devices; the widening impact of cost control.
Uncovering Unintended Behavior
First of two parts. Does your design contain a Trojan? Most people would never know, and do not have the ability to find the answer.