More Things Are Critical Systems

Connecting unrelated devices in the IoT means many more pieces now affect reliability and security.

Defining a critical system used to be pretty obvious. It was something that could affect the health and safety of people, such as the chip inside a pacemaker or insulin pump, a car’s braking system or an airplane’s guidance system. But as more devices are connected together, that definition is changing and expanding.

More devices are now considered critical, such as a connected baby monitor or a smart smoke detector, because wrong information can injure or kill people. In addition, new devices that are coming to market can affect the operation and security of other devices if they are part of a network. But not all of these devices are designed with the kind of quality controls or built-in security that critical systems require.

“The big challenge is focusing on what happens at different nodes on the network,” said Sudhir Sharma, high-tech industry director at Ansys. “The industry claims to have a good handle on problems once data gets onto the network, but the gateways on the network are a big problem.”

One of the big challenges in the IoT world is that while many companies are building devices for it, no one really knows what it actually will look like or how the various pieces will fit together. Until a clearer picture emerges, and until there is a history of attacks and failures, it’s impossible to comprehend the weaknesses.

“Right now, nobody has a good handle on it, and it’s not something you can sketch out on a napkin,” Sharma said. “You have to do simulation and scenario planning. ARM has done a good job from the silicon perspective, and Cisco has done a good job when it comes to Internet infrastructure. But what kind of wireless technologies are we looking at? If you build a mesh network of wireless devices, what happens with EM compatibility and EMI? And it doesn’t just involve one country. There are people around the world designing products. You have to do global scenario playing and figure out where are the weakest links.”

It’s not just about devices
What makes this even harder to comprehend is that the weakest links in a chain of connected devices may not have been designed to work together. The data may be critical, but some of the devices are seen as decidedly not critical.

The fundamental issue is that computing is now done both inside and outside of devices—on the edge of the network in so-called fog servers, and in cloud servers that may be scattered around the globe—so there are many ways for data to become corrupted, stolen or leaked. Even on captive devices that have only a limited connection to a network, components wear out, single-event upsets may corrupt bits of memory, or software becomes corrupted by updates and interaction with other data.

“We spent time a couple years ago thinking about the shift in information,” said Steven Woo, vice president of solutions technology at Rambus. “One startling thing we recognized was the change in the paradigm for how data is gathered and computed. We’re starting to see this in cars, which are incorporating elements of sensor fusion architectures and techniques, where you take input from disparate sources. This used to be something that was confined to the military. And we’re seeing it in phones, which used to be end devices but which now are being used to control other devices.”

Overarching all of this is the increasing value of data, as the tools for mining that data become more sophisticated and allow users to retrieve more useful information.

“We’re starting to see more treatment of security as a key part of a design,” said Woo. “The basic problem is that interfaces are like doors, and you’d like to have a lock on every door, but a connected device may have 20 doors. We saw this kind of problem in the PC world years ago, when every company was working on its own hardware and software and each company tried to have their own standard. But as data becomes valuable in itself, the control plane for that data becomes equally important. You don’t want someone to be able to selectively snapshot or control that data.”

That has a fundamental impact on designs, too. As data moves freely from one device to the next, and from one network to the next, data will need to be secured from end to end. Mike Ballard, senior manager for Microchip’s Home Appliance Solutions Group and the company’s IoT/Cloud Enablement Team leader, believes the new way of viewing the electronics world is that “every system is critical.”

“If a coffee maker is hacked, that’s a critical design,” Ballard said. “If a baby monitor is hacked, it’s critical to the people using it. Once you start consuming products and open yourself up to potential threats, security becomes a critical path. We need to educate our customers so they understand the embedded space. With the IoT, you need to be dealing with security and Secure Socket Layers and they’re not necessarily familiar with that. If you look at Apple 10 years ago, it was largely ignored by hackers because 99% of the PCs ran Windows. It may be the same with IoT devices. Once millions of these devices are in the field, it will be a much bigger target.”

Safety vs. security
In the past, there was a sharp distinction between the ideas of safety and security, but those lines are blurring, along with the definition of overall device reliability.

“We tend to think of it as safety is protecting the world from a device, while security is protecting the device from the world,” said Felix Baum, product manager for embedded virtualization at Mentor Graphics. “But a lot of companies are connecting things that do not make sense, exposing a device to the outside world. If you’re a consumer, that sometimes exposes you. If you program the temperature in your house using a smart thermostat, a thief can figure out when you’re not at home. To protect devices you don’t want to expose critical features. Connectivity is one area of exposure. But we also are not seeing a lot of appliance manufacturers doing due diligence in securing devices.”

Baum said that in the past it was very difficult to corrupt an appliance such as a refrigerator because it wasn’t connected to anything but a plug. But as companies see the opportunity to boost profits by adding in connectivity, they also add a security risk. “The key is that we don’t want to tell users how to use their cell phone, but we do want to tell manufacturers how to hide critical data such as encryption algorithms and passwords so they can protect critical functions and information.”

ARM has been preaching a similar message with its TrustZone in areas that typically aren’t viewed as critical systems. “Security needs to be designed into the CPU, GPU or MCU from the outset,” said Chris Porthouse, director of market development in the Media Processing Unit at ARM. “We’ve been pushing that information for video and display processors, too. You need to secure high-value content and link it back to a trusted execution environment. So if you’re running a video, you need to support protected content. This is important in the payment area, too. You need to make sure that what the user inputs is the same as on the screen.”

The automotive model

Whenever the semiconductor industry needs help in formulating its next moves, it falls back on the automotive industry as an example. The auto industry began squeezing pennies out of the design and manufacturing process a half-century before the first semiconductor was even invented, and it has never stopped.

Critical systems are nothing new in the automotive world, but the confluence of security, electronics and critical systems is a new wrinkle that ultimately will need to be dealt with by many other industries.

“There are a number of open questions,” said Adam Sherer, verification product manager at Cadence. “Will the consumer market constantly update a vehicle, for example? If it’s revision 100 and the customer hasn’t done the update, will they lose safety systems? There are no hard answers yet. And it’s the same for medical and industrial markets. If you have drug pumps beneath the skin or a pacemaker, longevity depends on how you do the update.”

This also has a fundamental impact on how chips are designed and verified, which could affect everything from tools to methodologies to the cost and energy requirements of a device.

“Everyone wants a vehicle that is safe 10 years down the road,” said Sherer. “You need to catch spurious errors and plan for unexpected events. It’s the same with the IoT, where we’re going to have a huge proliferation of devices. In wearable electronics, it’s not so much about safety as dependability. There’s also a security view on this, which is a little different than the safety view, which involves unplanned events. So what you’re seeing is a mixed set of pressures.”

What makes this increasingly challenging, though, is that electronics components aren’t necessarily designed for one device. They are designed to operate in multiple design environments, with enough flexibility and programmability to extend their life and their market opportunities.

“The next generation of design and verification may need a location on a die,” he said. “And if you add safety concerns back into the system that could affect design and verification. This is a new change in electrical design, which in the past has been focused on PPA. These days you optimize all designs for power, as well as performance and area. Dependability is the next area of concern. We started with safety with design for test, and EDA now understands safety. Security is a new concept for us, and it will take time.”

Security is a new concept for a lot of companies, and its overlap with safety in a hyper-connected world is a brand new concept. It will take time before it becomes an accepted part—and cost—in developing components, SoCs and even systems.

“Some companies are open to this, and they come to us and ask about how to improve security,” said Microchip’s Ballard. “Others are quiet on the subject. But once you open the dialog about how data will be moving from the server down to the smartphone app, all of a sudden they tend to open up. This extends from wearables to servers. Security is a system-level challenge.”

It’s also a challenge that will grow in complexity as the complexity of systems grows, and as more problems are discovered in connected IoT devices. In fact, there is no end point where everything will be deemed secure. But as security and connectivity impact safety, there certainly will be a lot more attention focused on safety and on why some devices that were built in isolation are suddenly considered critical systems.