How Much Security Is Enough?

Semiconductor Engineering sat down to discuss the current state of security and what must be done in the future, with Denis Noël, head of cyber security solutions at NXP; Serge Leef, vice president of new ventures at Mentor Graphics; Andreas Kuehlman, senior vice president and general manager of the software integrity group at Synopsys; Simon Blake-Wilson, vice president of products and marketing at Rambus‘ Cryptography Research Division; Lawrence Loh, group director at Cadence; and Bernard Murphy, CTO of Atrenta. What follows are excerpts of that conversation.

SE: As we move into the IoT world, how big is the security problem? And do we even understand the implications of all of this?

Blake-Wilson: As we talk about how much security we need, that’s a difficult question to answer. Security should always start with some kind of risk assessment. You should be defining your needs on that basis. It’s particularly hard for semiconductors because of the product cycles. If you’re three to five years ahead of deployment, you don’t know what the risk profile is going to be. Another aspect is how you segregate security functionality between hardware and software. You can make the argument that something needs to be in hardware to be really secure. You also can make the argument that putting it in software gives you more ability to patch it. So you’re looking at a risk-based approach, and how to segment solutions between hardware and software.

Kuehlman: How bad is it? It’s really bad. One of the reasons is that very few people are thinking about building security into products. They’re focused on functionality. Security is always about the corner cases. It’s about the unintended that someone is exploiting. With the Internet of Things, or for anything that’s beyond a single device, you get the network effect. The security problem goes to the size of the number of devices that are connected, so it’s really bad.

Murphy: There was a very interesting paper in Communications of the ACM about a longitudinal survey. They were looking at the impact of both privacy and security breaches on the general public. They did this by monitoring Web hits on certain words, like NSA. In all cases, you would see a spike in concern, and then it would go right down again. This was true in Germany after the Angela Merkel story. There was a spike and then it went down again. So consumers don’t really care. We care about ease of use and features, but security and privacy are too abstract.

Loh: Going back to what Simon said, you do have to make a decision about how much to put in software and how much to put in hardware. That needs to be on a case-by-case basis. But one way to make that manageable is to have a very clear understanding. If software supposed to handle certain things, then the software people should only be worrying about those things. They shouldn’t have to worry a problem with the hardware that allows it to give out information. And if hardware is only supposed to do a certain job, designers shouldn’t have to extend the reach of what they’re doing to cover up what’s happening in software. That’s one way to try to keep up—and of course, we never can actually keep up because it’s a moving target. There will always be more problems. The people who are defending against hackers are grossly outnumbered. Hackers collaborate really well. Anytime a vulnerability shows up, they share it on the Internet and people exploit it. Security on the other hand is a guarded secret. If you’re implementing security you’re reluctant to say how you do it.

Leef: When you talk to venture capitalists who are funding the IoT, they hear fault-resistant pitches every day. The pitches are all about end-to-end solutions. The IoT is an implementation detail from the investor’s perspective. The observation is that it’s a gold rush. People are rushing in with intelligent lawn sprinklers, toasters and washing machines, and the edge nodes are being left extremely vulnerable. They commonly go on the Internet and download software. This is just asking for Trojans. These people aren’t even qualified to assess their security needs. They are rushing to capture territory, and the edge is where they are most vulnerable. Everyone expects an attack in the infrastructure. We have firewalls and security that is very expensive to break. But at the edge nodes they don’t know anything about security and, more important, they don’t care. As for the tradeoff between the hardware and software, hardware needs to be the root of trust. You can think you have root of trust in software, but the reality is that the hardware is the only thing that can improve your trust.

Kuehlman: What do you mean by root of trust?

Leef: What do you trust in the system? You can license IP and have it manufactured at a trailing edge foundry and add your own IP that provides a back door. Then you package it into a part that looks remarkably like another part and you as a consumer or systems integrator can’t tell the difference. You think you can trust the hardware. So somehow you need to be able to verify that you can trust the underlying hardware, because all the security layers built above that become irrelevant.

Noël: The issue is extremely serious. Everyone is very excited about IoT. It has opened up a lot of new capabilities that can change our lives. But a lot of people don’t realize what the IoT actually is and how it will evolve. There are a lot of aspects to it, and a lot of players trying to get into the market now are just launching a product. Security is seen as something that will slow down the rollout of an IoT device. The reaction is, ‘It will be fine.’ Security is, indeed, an end-to-end solution. You need to understand the hash nodes, the gateways, the cloud service.

SE: But that’s assuming you understand what the end is, right?

Noël: Exactly. It’s not just how to secure your WiFi. With the IoT it’s connected beyond your network. Another problem is that you can have a security system with three or four devices—a motion sensor, a lock sensor and a gateway—and consumers buy unsecure products and place them in the home network and this could compromise the whole network. The supply chain is global. So what do you actually trust? It will be interesting to see how insurance companies will view that if you install new devices, and how government will face this issue. And what happens with energy with a smart grid? There are some initiatives. But what about the IoT? Will governments raise the bar?

Blake-Wilson: We’ve expressed concern about the number of people taking security into account. I think that’s improving. Security has gotten a lot of attention over the past few years. You’re actually starting to see IoT security conferences. That’s an indication. In the past, that was just a marketing chatbox. Now it’s a real issue on the table.

SE: At what level, though? Is it happening for hardware, or just enterprise software and networking?

Blake-Wilson: It’s improved at all levels. It’s not where it needs to be at any level.

Kuehlman: It will have to get really bad before people pay attention. Then it gets a little bit better. So at that point it’s not really bad. It’s just bad. I want to make a controversial statement—hardware security matters much less unless it’s supported by software. Security is not something new. There have been bank robberies and house break-ins for years. What makes software so much different? It’s because an attack can be automated, it can be global, and it can be done from anyplace in the world. And you can scale it up. If it’s 1% of devices, that’s still a huge number. That’s what makes it really dangerous. Human beings cannot think exponentially. They don’t understand exponential complexity.

Murphy: The ROI of that is amazing.

Leef: The software people generally far outnumber the hardware people. So there are more people who are skilled and capable of executing software to prevent attacks.

Kuehlman: They may not be more skilled.

Leef: Okay, but there is certainly a larger population who know how to do software.