Who’s Responsible For Security?

Experts at the Table, part 1: Where security is working, where it isn’t, and what to do about it.


Semiconductor Engineering sat down to discuss security issues and how to fix them with Mark Schaeffer, senior product marketing manager for secure solutions at Renesas Electronics; Haydn Povey, CTO of Secure Thingz; Marc Canel, vice president of security systems and technologies at Arm; Richard Hayton, CTO of Trustonic; Anders Holmberg, director of corporate development at IAR Systems. What follows are excerpts of that conversation.

L-R: Anders Holmberg, Marc Canel, Mark Schaeffer, Haydn Povey, Richard Hayton. Photo credit: Brian Bailey

SE: One of the main causes of security problems is complexity. How do we solve that?

Povey: Complexity is a massive issue for everyone. Whether you’re building a power station or a car, it’s made up of layers upon layers of components and systems. Ownership needs to be embedded in all of those, from the ground up. There is a need for identity to be injected early. There needs to be management of identities. We need to own each of the components over the lifetime of a system, and come back to that at various points in time. And we need to be able to manage these subsystems, integrate them and integrate the security. But there are so many parts, so many pieces of complex code, that it’s a real challenge to manage all of those. The solution is to simplify. You need to understand the individual components to make sure those components work properly. You need to own them, update them and certify them. Certification is a key piece of this. If you can’t formally prove the system is right, then it’s probably wrong. And you can only do that at the small level, whether that’s the microcontroller or the TEE (Trusted Execution Environment) level.

Canel: Complexity is one dimension of the challenge. There is a layering of technologies, from the physical IP, in which the key that will make the root of trust is embedded, all the way up to the application and everything in between. There also is complexity in the processes to build all of these things, to provision them, to load the code and to load the keys. One of the big challenges is there is no standardization across the overall IoT world. There are vertical ecosystems, whether this is in the embedded world or automotive. If you go from General Motors to Ford, you will find different ecosystems and different players, different rules and different requirements. That lack of normalization and standardization is making things more complicated because processes and technologies have to be replicated from vertical market to vertical market.

SE: But it’s more than that, right? It’s a fragmented ecosystem, as well.

Schaeffer: Yes, and the complexity is exceeding the capabilities of most people to manage it. A great example is the Equifax hack. The CEO claimed one person didn’t do his job. That’s absurd. There was nobody cross-checking this person? And there were no other security mechanisms in place? And this is the CEO of a company whose job is to manage trust and security. That’s a big failure, and it’s happening across the spectrum. People either aren’t being held accountable, or they can’t understand that it’s so complicated.

Hayton: Understanding is a key part. We all say security is good, but people don’t know what they should do. And in an ecosystem that’s complicated, how do you know if the other guys are doing the right thing? There are plenty of people who are designing a product where security is not what they’re designing the product for. It’s just something they ought to be doing as a matter of course. If no one is holding them to account, and no one knows how to hold them to account because it’s their secret IP, how do you even know that’s the case?

Schaeffer: That’s true, and a good example is a TLS (Transport Layer Security) stack. People say they have a TLS stack, it has all the security, and you can trust the vendor. But the provisioning of the keys and the storage of the keys is outside the scope of what the TLS vendor is responsible for, and most people don’t even understand that.

Povey: Absolutely. There should be a requirement for a sign posting of best practices for security. Most companies would like to do the right thing. At the heart of it we’re all trying to get products out there that will stand on their own two feet in the marketplace, and to enhance usability of those products. A lot of people don’t know where to start with security, though. I’m on the executive steering committee of the IoT Security Foundation. We’re trying to publish best practices. It’s not a question of, ‘Here’s what you must do.’ It’s a set of best practices with a checklist you can go through and define the level of compliance. There is so much fragmentation, how do you know when you are secure? It’s very difficult. You can spend a lot of money trying to certify, and you’ll probably never get there because systems are too complex. But at least if there is a set of best practices that can be applied to your product, to your organization, to your specification, then you can at least indicate you’ve gone through a process. You can manage that and manage some standards around the complexity that is inherent in any product.

Holmberg: If you look at this from a pure software perspective. You mentioned the Equifax hack. We had the SSL stack hack a few years ago and the Mirai attack last year. All those high-profile things are software issues. That’s interesting because it doesn’t matter if you get all the hardware security right. You still need to get your software right. All these high-profile hacks boil down to bad software quality.

SE: Who takes responsibility for that? Is it the software side? The hardware side? The OEM?

Canel: That’s a very good question, and it’s what drives the rollout of security with some systems. Nobody wants to pay for security. Security gets added when there is a regulatory requirement, or when there is a reputation at risk. And even then, we see what can happen with a company like Equifax. So the industries that typically look really hard at security—aside from the government and military—involve payments, particularly in regulated environments. It’s also the Hollywood studios and the entertainment industry, which are concerned about the protection of their materials, and it’s the mobile network operators, which are protecting subscriptions. That’s why secure elements are the basis of SIM (subscriber identification module) cards. The responsibility typically lies in the system—in the definition of the system. If you look at what each one of these industries did, there is typically a major service provider with assets to protect. They will look at what happens throughout their supply chain, whether that’s a technology supply chain or the process, and they will ensure there are the right bits of technology with the right level of requirements and the right processes in place. And then they make distributors or OEMs responsible for their own portion of the system. But you need to have someone with muscle who ensures that throughout the complete system everything has been taken care of.

Povey: If you take airline manufacturers, for them security means this was correctly manufactured to a certain standard in a certain way using the proper metal. It went through the right process and the right quality assurance. They manage those as statistical assets. What we’re talking about is the same for digital assets. You can see this happening in automotive for safety reasons. It’s happening in medical. And it’s happening in payment systems and banking, because you can lose money without it. Now it’s starting to bubble down to IoT. There will be regulation at some point, but it will be industry-specific for these particular assets.

Schaeffer: Metering vendors are probably the most knowledgeable about security. They’re always talking about getting keys right back to the factory. There are a couple differences between a metering vendor and the maker of a medical device. A CEO knows the hacking of a meter will directly affect their revenue. It’s not a liability issue. They lose money directly. Cell phones are a great example. Another aspect is that the user has the incentive to hack their own device. You’re not going to hack your pacemaker, but you will hack your phone. And if you look at who has an incentive, it goes right to the CEO. If you think about Equifax, there were probably dozens of people who knew there was a problem, but they didn’t have the power or the incentive to do anything about it. With security, you can do a really great job and the best thing that can happen to you is you don’t get fired. If you do a great job, no one notices. So where is the incentive?

SE: If you do a really good hack no one notices, either.

Schaeffer: That’s true.

Povey: Moving forward, the person with responsibility for security should be the chief information security officer. That person should not just be responsible for the IT, the incoming data. They should be responsible for the security, the privacy and the management of the product that they ship out. You have to have someone in the C-suite who owns and drives that product. They need to manage the processes and make sure they’re enforced. Security traditionally is seen as a cost. That’s a misnomer. It is the underlying value for the whole next generation of services. It moves from making a transactional sale, selling a widget to a company, to making it strategic with increasing value and creating a long-term value chain. Those requirements are very much for the C-suite, and people have to take responsibility. The other part of this is that if the company gets this wrong, the C-suite takes the bullet. The CIO, CISO and the CEO are on the stand. They have the duty of caring for the company, the shareholders and the employees. That’s where security has to lie in an organization.

Related Stories
Making Secure Chips For IoT Devices
Technology is improving, but so is awareness about the need for security.
IIoT Grows, But So Do Risks
Things are coming together for the Industrial Internet of Things, but security is a huge and growing issue.
What Does An IoT Chip Look Like?
As the definition of IoT evolves, so do architectures.
Security Issues Up With Heterogeneity
Supply chain becomes central focus as more processors and memories are added into devices.

Leave a Reply

(Note: This name will be displayed publicly)