Auto Sector Leads The Way In IC Security

Other markets include a hodgepodge of often ineffective approaches, but changes are coming as the value of connected assets increases.


Concerns about chip and system security are beginning to bear fruit in some markets, driven by the overlap in safety and security in automotive applications and the growing value of algorithms and complex systems in others. But how and when that security is implemented is still all over the map, and so is its effectiveness.

The reasons are as nuanced as the designs themselves, which makes it difficult to develop tools and methodologies with enough consistency to be effective across a wide variety of designs. Last-minute ECOs, a focus on maximizing performance in increasingly heterogeneous systems, and increasing connectedness to unsecured devices have created a disconnect between design teams and best practices for security. But in applications where safety or high-value assets are involved, the emphasis on security is growing, and that is expected to spread to other markets.

“If you’re on the semiconductor design side of things, you’re really focused on getting the power and area down to keep costs down,” said Warren Savage, researcher at the Applied Research Laboratory for Intelligence and Security, an affiliate of the University of Maryland. “I want to have the maximum performance to advertise to my customers. Security is really not on the table as a key design parameter that designers are facing, and as such, there’s a great lack of awareness of the threats and knowledge about how to design for security.”

Despite an emphasis on everything shifting left, security still isn’t part of that. The design tools to support this are few, partly because it’s almost impossible to do given the extreme difficulty in determining how to secure the whole design until the full design is complete.

“It’s a system-level problem,” Savage said. “There are elements of IP that are focused on this, such as Root of Trust and other things that are IP-related. But you have to look at it from the system level to understand the security footing of the device.”

One of the challenges in convincing product teams to include security in their semiconductor design specs is that it’s often considered an add-on technology. “Add-ons are frequently viewed as an additional cost, and when designing cost-sensitive products, there’s always a push to reduce expenses,” said Lee Harrison, director of automotive IC solutions at Siemens EDA. “This is easily achieved by removing additional features and technologies, including security.”

Harrison pointed to a similar evolution in other technologies, such as design for test (DFT), power management, and safety. “In the early 2000s, adding DFT to a semiconductor design sparked debates about increased costs,” he said. “These discussions have faded because DFT has shifted left, becoming an integral part of any design. As a result, DFT costs are now embedded within the actual design cost.”

Despite the disconnect between what security experts are saying and what many design teams are doing, chips still have to get out the door. Design teams are under time-to-market pressure because the size of the design teams isn’t keeping pace with complexity, and the number one priority is performance. Security is part of this process, but depending upon how it’s implemented it can reduce performance. So designers are forced to make tradeoffs based upon the end application, the risk factors, and whether security needs to be hardened into a design or whether it can be updated through software patches — the least time-consuming and lowest-cost approach.

The big exception is automotive. Scott Best, senior director, silicon security products at Rambus, said the automotive industry is doing a hero’s work. “They’re driving the importance of security standards for anybody that’s going to deliver microelectronics that are going to end up in automotive subsystems. There are ISO standards for ASIL B and ASIL D. There are CSIP specifications that address things like tamper resistance. Almost every market is way behind the automobile industry, which is driving the advancement of these standards. If you’re going to build an IP block or SoC that in any way is going to ever touch an automotive design, you really have to take this stuff seriously. It is a non-starter to ignore it, and that’s great.”

Because passenger safety is at risk the entire time a vehicle is in use, vehicles are attractive targets for a university lab that wants to brag it performed a straightforward break-in of an ECU, installed some malicious keys, and got malware running in the car all the time. “The hackers could then say, ‘We’re going to turn off auto drive and we’re going to crash a car,’ but one of the most important distinctions between different brands of automobiles is the brand,” Best said. “It’s remarkable compared to other industries, and safety issues for a brand can be lethal. Consequently, anything that reads on safety, which gets down to microelectronic security, is taken incredibly seriously in this industry because it does chase back to passenger safety. Yes, that’s very important, but equally important is the existence of the company, which is associated with their brand and their reputation.”

Security by end market
The overlap between safety and security is pronounced in automotive, which is why there is more attention paid to security here than in many other edge applications. “For a long time in the automotive sector, security was very much a head-in-the-sand situation, but that has waned,” said Mike Borza, a Synopsys scientist. “People understand there is no real safety without security. They understand security is a foundation on which you build a safe product. But it’s something that can be perverted to somebody else’s use, and that’s a real problem. So this is a sector where there’s been recognition and real action toward making things safer.”

Others agree. “A cyberattack on a vehicle can have safety implications, and likewise, a safety-related function that is poorly designed, or which is updated with software that does not have sufficient security, can provide an opening to hackers,” Vishal Shah, vice president and general manager of the Automotive and Display Business at Synaptics, noted. “The challenge for automakers and their suppliers is to tightly integrate the various pieces so they can be modified as necessary, but without compromising the security of the vehicle or any of its parts. In automotive, security is where you don’t want somebody who is unauthenticated driving the car. We have a high level of security for our solutions. You can’t tap into it. It’s a fully encrypted transmission. That still allows us to tap into it and change the firmware on our side, but it’s a secure channel between the SoC and our solutions. A lot of this relies on the SoC, and that is a secure zonal brain.”

Changes are expected, though. “The global regulations that are coming are driving customer awareness, which is creating a pull by customers,” said Erik Wood, senior director for cryptography and product security at Infineon. “How we demonstrate the ability for customers to comply is by getting third-party lab certification, such that we can demonstrate with a stamp by the third party in the governing body that we meet these security claims as we claim to. And then we provide application notes for each and every one of our products that say, ‘If you want to maintain the security level of this device that we have certified, here are the configurations, the policy files. Here’s where you put your keys. Here’s where you do all the magic stuff under the hood such that your device is put through the same compliance test as an end OEM product now would also meet that requirement.’ So, we get stuff pre-done for them to engender the confidence that they’re working with a trusted partner. ‘They have the third party certification from a governing body, and they just gave me an app note that shows me how to replicate that in my system design.’”

And if that isn’t enough, the increasing value of the assets will drive more security in chip and system design. “Machine learning models cost six to seven figures for Meta or Amazon or Microsoft or Google to create and put in their host of products,” Wood noted. “All of a sudden now, security is not just an infield protection of a significant valued asset, but it’s also a supply chain manufacturing topic, where the OEMs don’t want their contract manufacturers getting unencrypted access to the machine learning models so they rely on us to be able to leverage our security to support them to insert encryption and decryption keys in contract manufacturing such that they can then have the contract manufacturer program their machine learning models encrypted.”

This contrasts sharply with some of the edge devices developed for other markets, however. “There are a lot of attempts at security that are not really robust enough for the magnitude of the risk and the threat that those products face,” Borza said. “One problem is that when you have these things being taken over en masse and turned into bot nets and things like that, the people who own the equipment are not necessarily impacted. They may be impacted in such a way that their availability of service may be impacted, but in some cases, they have access to much more bandwidth than they use, so somebody’s edge device being taken over and used as a bot in an attack, while it’s still functional for the person who owns it, they don’t necessarily even notice or perceive that there’s a problem, so that’s a case where the amount of risk is much higher than the amount of effort being put into thwarting that risk. And that’s why you have a lot of devices that are very easy to take over and harvest.”

Getting compromised edge devices back once taken over by hackers in some cases is pointless, because the software itself is relatively weak, and there’s little or no underlying hardware support for it.

“In many cases automatic updates don’t happen, or they’re not configured properly,” Borza explained. “This means the only way to make those devices behave is to take them off the internet. We’ve seen where certain classes of devices have been isolated, or certain traffic from particular devices that are being harvested in particular ways is being filtered by the network operators, which is certainly undesirable, because then everybody’s paying a big price in terms of computational effort to quell that traffic. In those cases, the only thing you can do is turn those devices off and replace them with something that is actually built to be secure, and built with a more realistic view of what the threats and risks are.”

There’s also a disconnect from the consumer, who does not know what end products or levels of security to look for. That, in turn, sends a message to the developer that the security is not in demand.

“For most people the technical issues are difficult to understand, and the threat evolves all the time,” Borza said. “People who are not experts in this — or somebody who buys a router for their house, or gets one supplied by their internet service provider — are interested in knowing that they’re safe from the bad things on the internet, and most of them just assume that’s the case. It’s only if they have a problem that they start to perceive there’s an issue. But even then, many don’t know how to solve that. So it’s difficult if there isn’t a regulatory regime that includes some common sense rules, such as before you hook something up to the internet it needs to be secure. And what does that mean? There is a real race to the bottom. You can go to Best Buy or Amazon and look at the range of prices and capabilities of the equipment to connect to the internet. It’s all over the map. For something like a router or Wi-Fi access point, a lot of people look at it and say, ‘Well, this one says that it’s Wi-Fi 6, and this one says that it’s Wi-Fi 6. This one is $100 and this one’s $200. I’ll buy the $100 one.’”

Closing the disconnect
On the surface it would seem the best way to eliminate the disconnect between very real security threats and the ease of building security into semiconductor devices is to have it be part of the EDA design tools. Whether this is possible remains to be seen. Can security be built in early into a design and into the tools, or is it still an iterative process that makes security difficult to implement up front?

This is what some of the security research community is focused on, but state-of-the-art today is post hoc. “The state of the security tools [today] are pretty nichey,” Savage said. “There’s not a lot of them out there. The easier tools for dealing with this are on the side-channel attacks, and there are a few companies that do these things. Ansys has some tools around that. Riscure, which was recently acquired by Keysight, was really focused on side-channel and fault-injection types of attacks. That Riscure was acquired by Keysight is a sign there’s enough market and there’s a business opportunity for some of these things, but it’s way more mature than a lot of the other areas, and a little easier to understand.”

Other security issues are harder to address, which leaves room for innovation, Savage said. “There are opportunities on the EDA side for some type of EDA linting capabilities, and there are a couple startups/small companies that are spin-outs of universities that are focused on that, including Caspia Technologies and Silicon Assurance, which are spin-outs of Mark Tehranipoor’s group at the University of Florida.”

Conclusion
Siemens’ Harrison predicts that security will play a larger role in mainstream designs in the future. “This approach is crucial for two reasons. First, by integrating security into the design from the outset, there’s no additional cost. Any security expense becomes part of the overall design cost. Second, with security engineered into every design level from the ground up, it creates what we call ‘defense in depth.’ This means the security solution is multi-layered, ensuring that if one security layer is breached, successive layers continue to protect the system.”

If security is merely an add-on, even the most secure element leaves the device more vulnerable compared to a security by design approach. “Moving forward, we aspire to see semiconductor engineers focus on vulnerabilities throughout every design level, not merely at the top level, through education and advanced technology,” he said. “EDA can significantly contribute by supplying analysis tools that identify security risks in designs and suggest fixes, analogous to how we currently address DFT, power, and safety challenges.”
