IC Security Threat Grows As More Devices Are Connected

Designing for security is beginning to gain traction across a wider swath of chips and systems as more of them are connected to the Internet and to each other, sometimes in safety- and mission-critical markets where the impact of a cyber attack can be devastating.

But it’s also becoming more difficult to design security into these systems. Unlike in the past, connectivity is now considered essential to functionality. And rather than a single chip, many of these devices are now multi-chip implementations with multiple layers of connectivity used for updates and communication within a system or between systems. Identifying security holes is becoming much harder, and plugging them sometimes requires the cooperation of multiple vendors.

“We’re connected now with everything,” said Dana Neustadter, DesignWare security IP product marketing manager at Synopsys. “Even a sensor could be connected through the Internet, and then it can open yet another attack surface. And we’ve been talking about AI for all the good reasons, but AI can also be used to more efficiently break the system. As technology evolves, data becomes more important, and we see more attacks. It’s a continuum, and security has been part of that for a while. But in the past, security was at the end of the chip design process. That was okay then, but not today. The pressure is much higher, and the risks are much more serious.”

Those concerns are echoing across the semiconductor supply chain these days as the number of connected devices continues to explode.

“What’s different is the number of IoT devices,” said Andreas Kuehlmann, CEO at Tortuga Logic. “IoT devices are traditionally not the most expensive devices. The margins on these devices are very low, and as a result security is treated like as an option, if it’s there at all. The problem with security fundamentally comes down to the weakest link. Hackers string vulnerabilities together. They just need to find one — maybe on a chip, maybe in software, another one maybe on the chip, maybe in software, and so on. Then they can string an attack together.”

Most people are aware when an IoT device is connected to the Internet. What they often don’t see is when it’s connected to other devices across a shared network, sometimes even without the permission of the user.

“One of the leading industry sectors in security, both in hardware and software, is probably the automotive industry, because it’s so focused on safety,” Kuehlmann said. “There are lots of regulations coming, lots of standards coming in the automotive industry. That is driving the concept of, ‘You don’t have a product if you don’t design it in a secure manner.’ This is going to be applied much more broadly. Even for people who think there’s no harm if the refrigerator gets hacked, they don’t understand the refrigerator may be the entry point to hack your broader network. That is the level up that we need. It’s not about securing the refrigerator. It’s about securing the entire system because everything is interconnected. We need to level up the standards for every device. If you do a chip, even for a low-end consumer device, security has to be part of the requirements and security has to be part of the design.”

An increase in the number of people working from home over the past year has widened the potential attack surface even further

“Once upon a time, the network used to be inside the walls of the company,” noted Scott Durrant, DesignWare IP solutions marketing manager at Synopsys. “Then people started carrying around laptops, which created an extension of the corporate environment. Now, with everybody working from home, it moves it out even further. Over the years, there has been a transition from the IT organization needing to trust the computer. It was managed by IT, and they would assume that if access was coming from one of these managed machines, then it was authorized to access. With people working in all sorts of different environments right now, from the hotel room or from their home, it just broadens the attack surface.”

Ecosystem security
Standards in security today are spotty, at best. They vary greatly by industry segment, by which levels in a security stack are deemed to be the most critical, as well as what exactly needs to be secured within a company. That puts added burden on chipmakers and IP vendors to do their part and communicate their solutions effectively. It doesn’t help if security is designed into an IP block, for example, and no one knows how to leverage it.

But sharing of data has become more difficult as security issues continue to mount.

“We would expect this industry to be adopting cloud-based software-as-a-service massively, but the reality is different,” said Guillaume Boillet, director of product management at Arteris IP. “The design environment itself is almost always in a customer-owned data center. There has been some push to leverage the benefits of the cloud, and of course it’s very appealing because now you can scale your data centers. But I don’t have an example where, all of a sudden, you’ve got a need for more computing power and you would rather rely on the cloud than build a rack. This is not happening for multiple reasons. One, people are very protective of their IP, of what they’re doing, so it’s been an hindrance for us in terms of support, etc. Also, moving to the SaaS model requires a total rethink of the licensing, because it’s a totally different monetization scheme. I’ve seen examples where this scenario would have required a lot of work and a lot of revamping of the toolset.”

There has been a long-running debate about which is more secure, the cloud or an on-premise data center. There are no clear answers. It depends on the individual configurations and how technology is connected, how and where data is accessed, and whether the data is considered valuable enough to warrant an attack.

All of those variables factor into how data moves throughout an organization, and lately it has put a crimp on the willingness to share that data within companies as well as between companies. That, in turn, creates a problem for a highly integrated supply chain and complex heterogeneous chip designs.

“We’ve got all this information and the need to share information, but we’re retreating back a little bit to compartmentalization,” said John Hallman, product manager for trust and security at OneSpin Solutions. “Even if everyone is under one roof, I can’t talk to the guy on the other side of the wall because that means only one person can be compromised instead of two. In the past, data sharing just didn’t exist. Then it improved. Now we may be going back to something closer to that with some type of controlled information. Otherwise, your risk of compromise goes up considerably.”

Security challenges
Adding to this heightened threat awareness is the fact that attackers don’t actually have to break into a corporate network to stage an attack.

“They potentially can put software on your PC because you’re off browsing the web,” Durrant said. “The next thing you know, you’ve got a virus or malicious software on it and you don’t necessarily know who’s got control of it or who’s using it. As such, it has become very important to authenticate not just the machine, but also the user of the machine with multi-factor authentication, which has only grown in importance. That’s all part of protecting the CIA triumvirate of security — confidentiality, integrity, and availability. Confidentiality is the concept that data needs to be visible and usable by authorized users but not by anybody else. You protect the confidentiality of that information. Integrity means that nobody or nothing should be able to change the data undetected. This could be from a lightning strike that hits a wire over which that data is traveling and flips some bits. You want to be able to know that happened. It’s not necessarily malicious, although malicious activity certainly is an important part, as well. Availability refers to data should be available to authorized users when they need it. It should not be available to unauthorized users. That, while simply stated, is a complex thing to implement.”

In fact, companies that have implemented security have begun touting it much higher on the list of competitive advantages. Some chipmakers now point to their security stacks as a differentiator for some markets, or a requisite technology in others, and they have begun to extend that message into the realm of privacy.

“Security in the IoT involves two things,” said Shawn Slusser, SVP of Sales, Marketing and Distribution, Infineon Americas. “One is authentication for making sure the people who are using the system are really the right people to be using the system, or that the information that’s flowing is the right information. And then you have the privacy aspect. How do you protect people’s privacy, using encryption and things like this, so the privacy needs of people are respected even though they’re all connected. That’s a real challenge.”

In the automotive sector, the emphasis has been on safety and security, but privacy is coming up in more discussions, mainly on the V2X aspect of things, said Thierry Kouthon, technical product manager at Rambus Security. “The idea is that if all vehicles start exchanging information with one another, someone spying could identify vehicles, and they’d know that Senator X is always driving from A to B at this point in time, or his vehicle is having this kind of behavior. There is also an identification system that a vehicle uses to announce itself, and this should be devoid from specific numbers that pinpoint the owner or the vehicle itself. However, it is not a perfect system. Hackers use AI or patterns to track who it is.”

Technology can be used to change IDs that are specific to a vehicle or to create sessions that change over time, so the identification changes over time.

“This is usually covered at the public-key infrastructure (PKI) level, where it’s possible to imagine that pinpointing information is anonymous, and rendered trustworthy because of information that is related to the manufacturer,” said Kouthon. “In the future, manufacturers may be able to establish protocols and data that allow their vehicles to safely communicate without identifying the vehicle itself. Maybe you could get to the point where you know it’s a Chevy or a Mercedes, but not further than that.” This means security and privacy would need to happen at all levels in the vehicle.

Security also needs to be beefed up at the cloud level. But unlike the IoT and many end-point devices, cloud security is much more regulated.

“There are laws and regulations, because more and more data is in the cloud and is transferred in this ecosystem,” said Synopsys’ Neustadter. “The amount of data is increasing, but so is the amount of information that is sensitive, either because it’s private data that’s important to the user, or because it’s for some other reasons, important for the business, important for the country, or for the smart grid or otherwise. There’s more data, and more sensitive data across the system.”

Layers of security
A key takeaway in nearly all security conferences and presentations is that no security is perfect, and with enough persistence, time, and resources, anything can be hacked. Talk of nation-state hacking used to be considered far-fetched. The recent SolarWinds attack changed that perception, as well as the idea that systems can be built to be impregnable. The challenge is to make it hard enough to penetrate devices, systems, and systems of systems so that most attackers will give up.

This requires a two-pronged approach. One involves building greater sensitivity to data movement and heat that is anomalous. So if a chip is being used when part of a system is supposed to be dark, that should set off alarm bells.

“We now have enhanced security features that include DPA (differential power analysis), and we have multiple temperature sensors within the die to pick up hotspots,” said Manuel Uhm, director of silicon marketing at Xilinx. “We also test for aging of different aspects, as well.”

While aging may seem like a separate issue, understanding aging in relation to a mission-critical or safety-critical application is essential to understanding whether unusual activity is due to wearing out of circuits, or if data flows are being disrupted by an attack.

The second prong involves layers of security within and around a chip. It starts with a root of trust, and layers of security are built on top of that. In addition, all of this needs to be constantly monitored, because one weak link in this chain can compromise the entire security scheme.

“The idea of layered security, and building security into the solution, is important as system architects and SoC architects consider their architectures,” Durrant said. “It really needs to be a core part of the solution. It’s not something that you can layer on top after devices are manufactured. In the rush to deliver a product, security will become an afterthought because it doesn’t necessarily add functionality to the product. However, security protects the functionality that you’re building in, and therefore it tends to be thought of a little bit later. But it’s so important that it be a core consideration in developing the architecture from the ground up. That’s the only way that you can really put robust protection in place.”

This holistic approach is essential and increasingly challenging as complexity rises and as more advanced electronics are deployed in applications such as cars, industry, and medicine. It requires understanding the behavior of all of the individual components, as well as the system in which those components will operate.

“If you look at the IP level, you do hardware IP-related security items,” Frank Schirrmeister, senior group director, solutions and ecosystems at Cadence. “But also in the verification domain, formal verification allows you to do a lot of negative testing to figure out the things that are not actively in a test bench. There’s also the discussion around creating attack labs to model attacks. There’s a lot happening concerning tracking and making sure the right tests are captured. There’s also the ability to automatically capture things, and automatically add tests with things that are done around Portable Stimulus. At the lowest level, it really is hardware and software that need to work together, which is a classic problem we know how to deal with. From there you go up in the stack, and you add things like containerization, and the hypervisor portions where you have different security levels you can deal with, and then it goes all the way up to the data center, through the networks and the data center with encryption and everything. You need to look at it holistically and everybody needs to do their part.”

This includes ensuring that no one is tampering with the data used to create these devices in the first place. A lot of safety certification includes whether the tools can insert any issues, and by extension, are you prepared in your development processes to deal an engineer who has been paid off to insert malicious code or a back door at the last minute? Those items need to be layered on top of a security assessment within the company.

The security stack

Fig. 1: Layers of a security stack. Source: Dover Microsystems

Jothy Rosenberg, CEO of Dover Microsystems, explained that a security stack is similar to the traditional networking stack. “There’s a correlation between these two models. There’s a physical layer in the OSI model, and we see a corresponding physical layer in the chip security stack. At the very lowest level — the physical layer — you’ve got to protect these devices.”

This is particularly difficult with embedded devices on a factory floor, for example, or when smart meters and distribution systems are spread out across an electric grid.

“There, you’ve got a whole bunch of things that need to happen at the physical protection layer, and that’s a lot of different people,” Rosenberg said. “Unique to security is the next layer up, where you’ve got a root of trust, which is really describing managing keys, etc. That’s true of big servers down to little embedded devices, because they all need to encrypt things, and sign things and then of course decrypt. That’s the layer of keys, crypto, and secure boot. We see lots of people providing those capabilities. We are really focused on solving the problem that embedded devices have because 98% of the world’s processes are in embedded devices. They’re not very well protected, and they’re running more and more complicated, dangerous things. If something goes wrong, these things could actually hurt people or property. The next layer up is compartmentalization, otherwise known as virtualization. Like hypervisors, compartmentalization is used in the embedded systems world. Above that is encryption, to make sure things are protected as they move around data, and data protection. This includes the operating system, and all the things that are associated with that such as intrusion detection, firewalls, and the like. Finally, there are the applications running on those operating systems, and applications have a real role in security, as well.”

Getting this right is critical — and difficult. “Unless you’ve got some real depth and expertise in security, it’s easy to implement things that have holes. For this reason, it’s important in considering security technologies to utilize technologies that have been proven and thoroughly tested and vetted, and that’s where drawing on proven implementations of secure protocols, secure encryption algorithms, security random number generators, and security IP is really important. Many people have gotten themselves in trouble by building their own when they didn’t truly understand how to do it. There are resources available to take advantage of things that have been proven to work well,” Durrant added.

Conclusion
Security awareness is growing, but so are the capabilities of the attackers, and so is the complexity and connectedness of the systems that need to be protected. The solution is to use a rigorous methodology, and then remain on alert when something unusual happens.

“Start from the requirements utilizing the Common Weakness Enumeration, which is then broken into testing and verification requirements,” said Tortuga Logic’s Kuehlmann. “Those security requirements need to be verified as part of the development process and can be run like functional verification on a daily basis. If any of the various key security requirements fail, you do remediation. Just as there is timing sign-off, power sign-off, and design sign-off, we need security sign-off. It’s closing the loop. We don’t have a product until everything is passing. It’s a rigorous methodology that allows you to do security sign off, according to the requirements. That links back to regulations, certifications, and standards, and all of it comes together in a holistic approach.”

—Ed Sperling contributed to this report.