Four levels to assess current capabilities and take steps towards end-to-end hardware security verification.
With systems only growing more sophisticated, the potential for new semiconductor vulnerabilities continues to rise. Consumers and hardware partners are counting on organizations meeting their due diligence obligations to ensure security sensitive design assets are secure when products are shipped. This is an iterative process, so a security maturity model is a critical element in getting it right.
Businesses have historically centered their focus and their investment on securing the software used in their devices — not on the underlying hardware. But failing to build a comprehensive approach that addresses the hardware vulnerabilities early on means there’s no in-process mitigation of hardware security weaknesses. This shortfall can leave organizations susceptible to costly hardware security surprises after production or even in the later stages of system integration and development.
Fig. 1: Identifying security issues early reduces cost and risk.
However, building a mature and comprehensive hardware security program embedded in the process takes time and is a process that goes beyond a single product design lifecycle. It’s a journey.
Knowing where to start and what goals to set can also be challenging. To make it easier, the Cycuity team has identified and defined four levels you can use to assess your current capabilities and take gradual steps towards an end-to-end hardware security verification program.
The first level starts with creating security requirements and implementing specific features to address them. Then, organizations should ensure they correctly integrate, configure, and verify those security features, including third-party and internal security IP.
Level 01 – Checklist:
Ultimately at this stage, security feature requirements should be clearly defined, allowing stakeholders to align on the protection needs of the end product and then functionally verify their implementation.
During the next phase, it’s time to begin proactively performing the basic development and validation of security verification requirements. Organizations will also further the maturity of their security documentation at this level by documenting threat models and security verification requirements.
Level 02 – Checklist:
Enumerating all of the security verification requirements of this level will allow organizations to proactively identify security vulnerabilities earlier in the design process before they can become serious ‘security surprises’ that lead to costly respins and missed deadlines.
SoC integration and configuration can introduce security weakness during the design lifecycle. At this point, it’s essential to begin becoming more systematic during hardware security verification. Ensuring there are no unmitigated security weaknesses during security feature implementation reduces risk. Still, security weaknesses do manifest in interactions among components, so verification efforts need to scale the entire system and be periodically performed.
Level 03 – Checklist:
A fully integrated security verification program will help during tape-out, too. It allows teams and organizations to confidently demonstrate that they’ve made an effort to detect and remediate the broadest set of potential hardware weaknesses before signing off and that all hardware security requirements have been met.
The last key area, and one more challenging to address, is introducing a metric-driven approach that transforms the program into one that ensures and demonstrates holistic governance end-to-end.
Level 03 – Checklist:
Introducing metrics is highly effective for measuring the status of a security program and tracking progress towards a well-defined tape out. However, the benefits of this process extend beyond one team or organization. With external stakeholders, such as partners or certification services concerned more than ever about device security, this approach provides a foundation to demonstrate that an organization is developing semiconductor chips with a framework and processes that solidly verify their security.
Cycuity has solutions and best-practice services to help customers during any stage of their hardware security maturity journey, helping them:
By sufficiently maturing a hardware security maturity program, organizations can discover and mitigate issues pre silicon and demonstrate their commitment to developing trustworthy electronic products for external partners and consumers.
Learn more about advancing the maturity of your hardware security program.
Leave a Reply