Edge And IoT Security Turning A Corner

Security is beginning to improve for a wide range of IoT and edge devices due to better tools, the implementation of new standards and methodologies, and an increasing level of collaboration and communication across different market segments that in the past had little or no interaction.

Until recently, many vendors in cost-sensitive markets offered the bare minimum of security. To make matters worse, they often cloaked in secrecy whatever security they did have. When vulnerabilities were discovered, they rarely shared information with others, which proved to be both shortsighted and highly ineffective. Fully securing a device or system requires careful planning, a challenge made even more difficult as new features are added to devices late in the design cycle. In contrast, hackers only need to find one vulnerability and figure out a way to exploit it, which they can then sell to other hackers.

That puts tech companies at a significant disadvantage. The best way to minimize vulnerabilities is to share information about them — what the latest attacks are specifically targeting — and to incorporate that knowledge into security training so design teams can bake security features and security resiliency into current and future generations of products. The good news is this process is well underway.

These efforts still won’t eliminate cyberattacks, because with enough effort and resources any electronic device or system can be hacked. With estimates ranging from 16 billion to 18 billion connected devices today, and much more on the way, it may not seem like much progress is being made. Cyberattacks become easier when devices are connected to the internet, often providing an entry point for attacks on other devices connected to the same network. Moreover, security methodologies and expertise continue to improve linearly, while the number of possible attack vectors and potential interactions is increasing exponentially.

But what changes the equation rather dramatically is a growing recognition that attack vectors often are the same in different markets, and learnings in one market can be applied to another. For example, Infineon has been developing security chips for credit cards years. What’s changed is that it has started to leverage some of that same technology for automotive controller chips.

“We have a lot of consumer security that we’re now taking and putting it into automotive chips, because there are a lot of areas where they’re more advanced,” said Bill Stewart, vice president of Automotive Americas marketing at Infineon. “That may involve very sensitive systems on the consumer side, but the threat and risk to all of them is the same.”

Other vendors are taking similar paths, and the collective results are positive. “You need to look at the gap between what adversaries are capable of, and what degree of protection that’s in microelectronics of interest — the type of microelectronics where there’s some sort of confidential or private information that’s valuable,” said Scott Best, senior director for silicon IP product management at Rambus. “The distance between those two lines on a graph is constant. The adversaries have gotten better, but so have mainstream chips. The average amount of countermeasures going into chips of interest is good. It was much worse 10 years ago, and 10 years from now it will be much better. They can’t attack in the same way they’ve attacked before.”

New protocols such as Matter for IoT devices, ISO 21434 in automotive, ISO 27001 for information security management systems, as well as certifications under Arm’s PSA, also are starting to bridge security across different markets. This is especially true with IoT and edge devices, where the weakest link on a network is usually the obvious point of entry. To this end, the Biden Administration finalized a voluntary U.S. Cyber Trust Mark labeling program for connected wireless devices, which is basically the security equivalent of the energy efficiency ENERGY STAR program. In addition, new techniques and resources are being added to a growing supply of proven security measures, such as more sophisticated password management, roots of trust, and physically unclonable functions (PUFs).

Further, in many devices, there are now options for multi-step authentication instead of just one or two. “Fingerprint sensors are biometrics, and they are the very first important information security-wise, but we’ve moved way beyond that,” said Satish Ganesan, senior vice president and general manager for Synaptics’ Intelligent Sensing Division. “One of the things we’ve been doing is to create a DMZ (demilitarized zone) with security functions there so it doesn’t touch the operating system, where it can be hacked. There’s no direct exposure, and no direct link to hack that. In our embedded process space, we now have trust zones that we have to implement for that particular data. On top of that, we add security to what you’re sending. How are you making sure that there is no man-in-the-middle attack or something else like that? You’re going to see more and more improvements coming through in that area. Security is an integral part of what we do, and it has to be there.”

Users are becoming more savvy about how to safeguard information, as well, centralizing computing on home and corporate networks so that essential data is separated from non-essential data on a virtual private network.

“You do see this retrenchment,” said Mike Borza, a Synopsys scientist. “Domain computing and automotive are very much like that. You’re going to a much more capable centralized processor and bringing data into that. We see this constant push and pull between computing at the edge, whatever that environment is, versus centralized computing. And we’ve seen a move to the cloud, which is really about buying time in a data center to do work even though companies have owned most of their own computing for the past 25 years. The appropriate answer usually involves some things done in the cloud or a data center that you don’t own, and more critical things staying close to home. You have to trust that the operator of that data center is really good at security — and they are very good at security — but because they’re such big targets, you get these big breaches.”

Borza noted that this push-and-pull, where computing moves back and forth between the edge and the cloud, and the edge and the data center, ultimately will settle to where there is sufficient security.

Attacks happen
The goal here is to make it uneconomical for attackers to break into systems. And with new architectures, such as software-defined vehicles, patches can be readied more quickly than in the past, which makes attacks less profitable. As a result, the number of easy targets is shrinking.

The key now is prioritizing which systems must remain secure and require vigilant monitoring, while conducting realistic risk assessments for everything else. That’s the first step, and typically security experts can develop plans to meet those assessments. But security also needs to be constantly re-evaluated based upon new threat models because techniques that are considered sufficient today likely will not be in the future.

“You get into things like post quantum cryptography,” said Rob Knoth, group director for strategy and new ventures at Cadence. “It’s really easy to get scared by some of that stuff, but I feel that the inspiration that comes from it, where it’s, ‘This is a really hard challenge, and we’ve already solved many really hard challenges in the past. This is just the next one.’ Together, working as a collective team, not just like siloing into one company, doing one thing, that’s how we solve all these really hard problems. And it’s just food for the future.”

That team approach also is very effective at exposing weaknesses before they are designed into devices. “We’ve seen dueling papers about logic locking techniques, where they say you cannot tell what a circuit is doing because you don’t have the configuration vector that makes a circuit function,” said Rambus’ Best. “But then somebody else publishes a paper saying, ‘We built a model, and it didn’t do a brute force of the entire vector space, but it made some pretty good guesses because a lot of the vectors are nonsense. We could quickly rule out what it could or could not be, and it took us 30 seconds with this model to figure out what the locking vector was.’ There are AI tools that are amplifying the effectiveness of a single engineer on an EDA tool flow. But you also have AI tools that are assisting reverse engineers on similar-grade tool flows to reverse out photos of your die and figure out the RTL that created that net list.”

Nevertheless, while security can be devised for just about any attack, it’s more difficult to justify putting in countermeasures for attacks that are not yet mainstream.

Heterogeneous integration
The introduction of chiplets and multi-die assemblies further complicate the security picture in multiple ways, demanding more power and other resources from a system, better supply chain management, as well as more constant monitoring of every aspect of design, integration, and post-manufacturing operation.

“Once you’ve got chiplets, you need a root of trust in each chiplet,” said Dan Wilkinson, technology fellow at Imagination Technologies. “You need a protocol for those roots of trust to communicate and authenticate with each other, and then you periodically need to re-run that so you’re not just doing that at boot time. You’ve got to periodically reestablish the system credentials if you’re allowing within your threat model the notion that if you booted up and all was well, then later possibly something could happen to compromise the system. If you consider an attack on the die-to-die links as being within the scope of your threat model, now you need to at least authenticate those die links and also encrypt them if you’re worried about confidentiality and dis-integrity.”

On the plus side, chiplets allow more opportunities for isolating a problem within a device. “A multi-chiplet system isn’t that much different from a multi-node data center system and should be able to be secured with the same sort of distributed security mechanisms that you would use to secure a multi-node data center system,” Wilkinson said.

Other factors and solutions
What is less clear is the impact of longer chip and devices lifetimes, accelerated aging due to increased usage and sustained high ambient temperatures, and continual software updates throughout a device’s lifetime. All of these require tradeoffs, and it’s not always clear which are the best options.

“All the leakage analysis used to be done post-silicon in the past,” said Suhail Saif, principal product manager at Ansys. “Now the entire system is defined, so you know what kind of input will be needed to trigger the design, and then analyzed to determine whether it is revealing the secret signature. We are doing this much, much earlier, so you have time to react and change your design, implement counter-measures to dilute these signatures in noise. The downside is that if your bring-up is too early, you don’t exactly know all the different scenarios that you will have to take care of. That is where the challenge is. The advantage of doing it early is that it is very, very fast, so we can cover many more scenarios.”

If devices are in use for long periods of time, such as in cars, those tradeoffs become more challenging. “Five or ten years down the line, did the modes that I covered while designing this particular chip completely cover all the scenarios they needed to cover because of aging effects? There is no history for this,” Saif said. “Security analytics is pretty new. I’ve seen a lot of customers and users starting to do that in the last couple years, but it’s not clear if that will tell us how a device will behave 8, 10, or 12 years from now.”

It’s also extremely important in applications such as automotive, which require real-time monitoring. “There is no safety without security,” said Peter Schaefer, executive vice president and chief sales officer for automotive at Infineon. “For example, managing the battery cell with model-based control means you are watching what is going to happen and acting accordingly, not just running a control loop with the battery. That’s a big difference, and it plays into the safety of the overall battery system.”

There are two main paths for this kind of ongoing scrutiny. One is to monitor traffic on various buses and interconnects, both inside and outside the chip. Any unusual spike in network traffic, or activity when there should be none, can be flagged. This also can be monitored on the outside using digital twin technology and leveraging enormous compute and storage resources in the cloud.

“In automotive, you have to have multiple SoCs talking to each other, multiple ECUs talking to each other,” said Jean-Marie Brunet, vice president and general manager for hardware-assisted verification at Siemens EDA. “It’s an incredible synchronization model and a synchronization integration challenge, but it gives you scalability and access to heavy computation because that is fundamentally a heavy compute platform environment. It’s also custom-built for the end application.”

Conclusion
The number of cyberattacks continues to increase, but it’s becoming more difficult for hackers to make inroads into IoT and edge devices, which in the past were considered easy prey. It now takes more time, more effort, and more resources, and as more companies open up to share information about attacks, attacks will become even more difficult. But even where there is secrecy, such as in the automotive market, there is renewed attention to preventing attacks in the first place.

“Automotive is, per definition, very sensitive to hacks,” said Robert Schweiger, group director automotive solutions at Cadence. “That’s why all the companies are working on their secret sauce as to how to protect the overall car, so that no one can take over remote control and do some very weird things with the car. That would ruin the credibility of an OEM. This is why security is at the very top at the OEMs, and people are building hardware-based security systems, not only software-based. It’s part of the SoC where this security IP goes in, and lots of stuff is done on top. So you have not only one security IP, it’s a multi-layered security strategy, protecting the network, protecting the chip, protecting the software, since there are all kind of security measures that you need to really protect the car.”

In other markets, the importance of these collective efforts and shifts has been largely incremental, so it’s easy to overlook whatever progress is happening. But reports from the field paint a much more optimistic approach these days than at any time in the past, when warnings frequently went unheeded and cyberattacks were something no one wanted to talk about. Everyone is talking about it these days, at least at some level, and that openness is starting to have an impact.

— Ann Mutschler contributed to this report.