Security for IoT Is a Requirement, Not a Choice

It is hard to attend any sort of meeting to do with semiconductors without hearing about the Internet of Things (IoT), and probably the hottest subtopic is IoT security. Some devices will contain our health data, some are dangerous. Even the apocryphal internet-enabled toaster could potentially burn down your house. The second day of this year’s EDPS in Monterey was completely dedicated to semiconductor security.
A couple of weeks ago, the GSA held their Silicon Summit and one of the topics was securing the IoT. This took the form of a panel session moderated by Venky Anant of McKinsey. The panelists were Nuri Dagdeviren from Microchip (actually from Atmel that Microchip acquired), Paul Kocher from Rambus (the cryptography part, not the memory part), Sami Nassar from NXP, and Volker Politz from Imagination.

The reason IoT security is important, and different from other types of security is three fold:
The devices, the “things” will be pervasive with 20-30B of them predicted by 2020 or so We are not used to doing security on devices like this with limited power, we are used to PCs and smartphones with a lot of compute resource The devices contain a lot of private information like medical or financial Paul Kocher, who was the founder of the legendary Cryptography Research prior to its acquisition by Rambus, was scathing about security in general. The three big trends he saw were a lot more devices, more valuable data and more complex systems. But that means more targets for attackers, more value for the attackers, and more vulnerabilities. We are already failing at computer security and IoT security is much harder. Computer security today is largely unsuccessful. If someone really wants something valuable, they usually get it. He had a little matrix showing why he is so worried about IoT security as seen in table 1. One thing that all the panelists agreed on was that software is “the problem.” We haven’t learned how to build good software and so it is buggy. Computer architecture has been constructed primarily for performance and to minimize cost, not for security. Things are evolving because security, or rather the lack of it, limits technology value and the market is evolving from both a regulatory and a liability point of view. One thing that remains to be seen is whether companies claiming good security (when they don’t have it) will poison the well, or whether companies that do security well will be able to differentiate.

Venky Anant, Nuri Dagdeviren, Paul Kocher, Sami Nassar, and Volker Politz
One of the big challenges facing the industry overall is that there are not enough trained security experts, and the ones that do exist tend to be in large established companies that take security seriously. The average IoT company is probably lucky if they have a single security expert, and probably they will have no one really qualified. One statistic from LinkedIn is that there are several openings for security experts for every existing security expert. The horsepower available to the entire industry is not enough. Paul admitted even Rambus has trouble finding enough qualified engineers.
The result is that security is likely going to have to be delivered either in the form of security modules, actual chips, or at the least in the form of IP that experts designed. If security is left to the IoT companies themselves then there won’t be any. Even a company as well resourced as Chrysler managed to have such weak security that a couple of researchers famously hijacked a Jeep with a Wired magazine journalist inside and eventually put it into the ditch.
Complexity is the enemy of security and so the solutions need to be simple to use and to implement. If they are not, then people will make mistakes. At DAC a couple of weeks ago, I attended a talk by Brian Payne, a security expert from Netflix, who made the same point. “Complexity is the enemy of security. It needs to be easy for people who don’t have a PhD in computer security to get security right through simple-to-use libraries and so on.” With the semiconductor focus of GSA, that also means simple-to-use hardware devices. Otherwise we will all be vulnerable.
Sami from NXP hit on the same idea. We need end-to-end secure hardware + software (either s/w, or IP blocks, or separate chip). The best is probably to isolate the security in a separate chip where we can can pour in more knowledge and test it harder, submit it to third-party review, and so on. That also has the advantage that we can continue to evolve the product, the “thing”, without needing to keep reassessing the security.
One of the questions asked was about standards and regulation. Paul said that there will be disasters, devices that don’t work. The best will be trustworthy products and that has the potential to create new semiconductor companies that can move into the top 10. He thinks it is an industry-changing issue. But regulation only works when it is clear what you need to do. Security regulations for flights today would not have been appropriate for the Wright brothers or even early planes. If regulation occurs too early then the technology advances will not happen.
And if you think the situation is bad in chip companies in the US, it is much worse outside.