Security Gap Grows

There is far more talk about security in designs these days, and far more security features being added into chips and systems. So why isn’t it making a dent in the number of cyberattacks?

According to the Online Trust Alliance, there were 159,700 cyber incidents in 2017 around the globe. But the group notes that because most incidents are not reported, the real number could be twice as large. This is about twice what it was in 2016, with the biggest increase due to ransom-based attacks. Also of note, 93% were avoidable, the agency said.

But those statistics are only a hint of how large this problem is becoming. There’s a big difference between reported incidents and cyber attacks. Check Point Software said there were 7.58 million attacks yesterday alone. The vast majority of those don’t result in reportable incidents, but the number of attacks is growing as more devices are connected and the overall attack surface increases.

Several key problems still exist when it comes to security. First, most consumers still aren’t willing to pay for added security, in large part because it’s not clear that if they pay more they are any less prone to damaging attacks. The Mirai attack in 2016 was orchestrated as part of a game, using devices that had nothing to do with the sites that were taken down.

Perhaps even worse, Meltdown and Spectre tap into hardware vulnerabilities in chips that were considered highly secure when they were initially sold. What’s considered secure today may not be secure in five months or five years. No one is quite sure when security holes will be exposed, and trying to plan for every possible future breach is impossible.

While there is still a need for security software and better strategies for detecting and preventing breaches in hardware, over the past half year the strategy among systems and IP companies has been tilting toward security as a service. It’s too early to tell whether this approach will be more lucrative for those selling security, but it does at least recognize that security needs to be addressed in real-time throughout product lifecycles, whether those last for two years in the case of consumer electronics, or 20 years in the case of industrial applications.

Second, while companies struggle to integrate various components and subsystems to allow them to connect to the Internet, the primary focus in most cases is just to get these devices working. Security remains is a concern after silicon or systems are proven to work. This is similar to how most design teams approached power prior to the finFET era. It always was considered something that could be addressed after performance goals were met, and generally not something that would derail a contract if the power budget was slightly too high.

But power issues are hard to ignore at 16/14nm and below. Thermal runaway, poor performance, accelerated aging and signal integrity issues can render a device unusable and unfit for sale. Security flaws aren’t quite so obvious, and in the past it generally has been the responsibility of end users to add security with antivirus software, virtual private networks, and seemingly endless list of passwords that very few people can remember.

The fact that devices are still being shipped with “admin” as the user, and “password” as the default password, is a sign of just how little attention is paid to security. And as more devices are connected, sometimes to devices in other countries, there’s no telling how many breaches have occurred or will occur. In a connected world, it’s not just your device that can cause you problems. It’s other devices developed by companies you’ve probably never heard of. That should make security a much higher priority, but for most people it remains someone else’s problem.

Third, security is a supply chain issue. It’s not hard to see why security in the smart phone world is so much better than in other markets. It’s controlled by a few very large vendors, with tight control over their supply chains. That’s a far cry from security in a commercial refrigerator or sprinkler controller, where parts are bought based upon spec and price from all over the world.

Disaggregation of a supply chain can create all sorts of problems, ranging from embedded code the OEM doesn’t know is there, to counterfeit parts with back doors. And any of these can serve as an entry point to home or business networks, where valuable data can be collected and mined.

Put in perspective, concern about security is growing, but it’s certainly not growing as fast as the attack surface or the sophistication of the attackers.