By Jean-Eric Michallet, Leti Vice President for Sales and Marketing
The pervasiveness of the Internet of Things (IoT) and its connections ranging from $1 objects to connected cars requires security to be reliable, simple, safe and affordable. Because the Internet of Things is made up of objects (hardware) connected to a network (software), security has to be factored in from the application or use’s conception. In short, assuring IoT security will require strategies to manage the entire value and supply chains.
Attendees at the recent Leti Innovation Day 2016 in Lyon, France, heard several variations of that message from industry experts and Leti scientists, against a backdrop of a proliferation of security and data threats.
Didier Lamouche, CEO of Oberthur Technologies, a provider of embedded security software products and services, noted industry forecasts of 10 billion connected devices shipped annually by 2020. This amounts to an exponential increase in security risks, as well. “This is the wave we have to catch,” he said.
Security is a brand problem
Recalling the 2013 data breach at Target in the U.S., in which 40 million credit and debit card numbers and 70 million items of customer personal information were compromised, Lamouche said that cybersecurity is not only a problem for security officers and CIOs. It has become a problem for CEOs and board of directors, as the 2014 resignation of Target CEO Gregg Steinhafel showed. In fact, he said, cybersecurity is becoming a brand problem, because of the severe damage fraud and data breaches can cause for a company.
Retail is not the only at-risk industry. Lamouche noted that more than 76 million Sony PlayStation user accounts were breached and 3.6 million connected vehicles in the U.S. and Europe have been hacked.
In recent years, “card not present” (CNP) transactions, primarily online purchases, accounted for approximately 65 percent of fraud in Europe, Australia and Canada, and 49 percent in the U.S., which still amounted to $6 billion in 2014.
Credits cards with continuously updated security codes
To address the growth of CNP fraud, Oberthur has developed MOTION CODE for credit card issuers. It secures online transactions by automatically and randomly updating a cryptogram security code on the back of the card. If the card is lost or stolen, it can be rendered useless quickly.
Keynoting the session on “Strengthening Security with Advanced Technologies,” Jean-Marie Saint-Paul, Europe application director for Mentor Graphics, outlined numerous security challenges involving hardware.
Who can you trust?
Thieves looking for ways to steal money, companies looking for competitors’ vulnerabilities and even users “playing” with the system can create risks. The supply chain presents numerous risks, as well. Specific hardware challenges include:
- A “vast space” of possible intrusions during IC, printed circuit board and embedded design and in the supply chain
- Unknown bugs and frequent field updates that open back doors for attackers
- The “fading of a trusted foundry” and proposed solutions that may not be viable
- Counterfeit ICs that cause economic loss similar to yield loss discovered much later
- For mission-critical apps, fake ICs that compromise devices risking security and safety
“Whatever structure we put in place, we have to put it in place with something we trust,” he said.
Digital disruption across the board
Borrowing information from IBM, Saint-Paul closed his presentation with a slide that highlights some of the most disruptive changes in business, industry and society at large that digital technology has enabled.
- World’s largest taxi company owns no taxis (Uber)
- Largest accommodation provider owns no real estate (Airbnb)
- Largest phone company owns no telco infrastructure (Skype)
- World’s most valuable retailer owns no inventory (Alibaba)
- Most popular media owner creates no content (Facebook)
- Fastest-growing banks have no actual money (SocietyOne)
- World’s largest movie house owns no cinemas (Netflix)
- Largest software vendors don’t write apps (Apple, Google)
The slide also asked when disruption will happen in semiconductors and electronics, when the world’s largest trusted foundry will own no fab or equipment, the top trusted contract manufacturer will own no assembly line and the leading secure electronics supplier will not purchase boards or chips. Will it be true? Maybe not, Saint-Paul said, but the industry needs some new models to reinvent itself.
Sameer Sharma, general manager of Intel’s IoT Group, said the IoT will provide pervasive, real-time intelligence from the physical world to data centers and the cloud: mobile devices via networks, and industrial and home applications via gateways. He cited a projection of 50 billion devices sharing 44 zetabytes of data.
Intel and Leti recently signed a multi-year collaboration agreement involving a variety of subjects such as making the IoT more secure, enabling 5G networks and device innovation, and driving the future of high-performance computing.
85 percent of systems not connected
Combining revealing statistics from the past with projections about the direction the industry is headed, Sharma noted that the rapidly evolving digital era is spurring transformation across many fields, supported by a shift to open standards. Fixed-function ASICs are giving way to programmable architectures, dedicated appliances are now parts of virtualized systems, and purpose-built hardware is transforming into general-purpose hardware and software-defined functions.
Dramatically declining costs are a key driver for this transformation. In the past 10 years, the costs for sensors have fallen 2x, the cost of bandwidth has dropped 40x and the cost of processing 60x.
One of the most arresting facts Sharma shared relates to the huge potential, and need, for more hardware and software systems to keep up with the exponential growth of connected devices. Eighty-five percent of deployed systems are not connected and do not share data with each other or the cloud.
IoT threat landscape
Even so, Sharma said, attacks on IoT devices will increase rapidly due to hyper-growth in the number of connected objects, “poor security hygiene” and high value of data on those devices. A recent study of IoT devices showed that an average of “25 holes or risks of compromising the home network” were found on every device evaluated.
Sharma outlined a path to IoT security paved by infrastructure, end-to-end security, and 5G network and connectivity and standards. He said the Intel IoT Platform offers secure, scalable and interoperable building blocks for data acquisition, analytics and actions to improve business and peoples’ lives. Like other speakers, Sharma emphasized that security must be part of system concept and design.
“Security cannot be an add-on. Those days are gone,” he said.
Devices to protect biological, radiological and chemical data
Leti’s Alain Merle noted that privacy and security far outweigh other user concerns about connected devices. Integration in advanced technology, a focus of Leti R&D, is required, including use of security primitives, or low-level cryptographic algorithms. Secure IoT nodes face a complex array of potential weaknesses beyond physical attacks, such as attacks through communication interfaces, fault injection (glitches, light, laser, electromagnetism) and software, in which a single error can open the door to a hacker.
Beyond its cybersecurity programs, Leti is working with its partners to develop dedicated security devices to protect biological, radiological, chemical and weapons data. CESTI is Leti’s evaluation laboratory to determine whether security components and devices are designed and manufactured to prevent breaches and whether they are capable of withstanding attacks from terrorists, criminals or others.
The CESTI lab has evaluated products from leading companies such as SAFRAN, Samsung, ATMEL, STMicroelectronics, Gemalto, Oberthur and Inside Secure. The lab is part of Leti’s Strategic Security and Defense Programs, which promotes the development of innovative security solutions for information and communication (ICT) technologies for transfer to defense and commercial markets.
‘System approach with partners’
In her closing remarks, Leti CEO Marie Semeria noted that reliability, security and privacy are “must haves” to support the many key uses of digital technology. “Leti relies on a combination of hardware and software, so we pursue system approaches with our partners,” she said.
Focusing on micro- and nanotechnologies, architectures, tools and design methodologies, Semeria underlined that Leti is a worldwide recognized important center of competencies in developing innovations to propose efficient and reliable elements & architectures for emergent computing systems. She highlighted several recent Leti innovations for the Internet of Things and advanced computing for health, automotive and other sectors.
Leti has unique know-how and access to shielding, sensors, architectures and embedded software technologies for designing ASICs and SOCs for security applications. Moreover, its unique concentration of experts in materials, technologies integration, design and systems, even in biology and clinical domains, allows Leti to make the best trade offs possible between security, such as resistance to attacks, and application constraints, such as power, cost and performance.
Leti will celebrate its 50th anniversary next year as part of Leti Innovation Day in Grenoble.
Semiconductor community needs to add one more data point for future growth of semiconductor industry. Other than few applications virtually all semiconductor products require direct current power and not alternating current. The lower cost of semiconductor products ( no more inverters and rectifiers ) will reduce system cost as well as provide additional security to IOT applications. This is due to the fact the attack surface area is lower for DC based IOT system. This is an active area of R&D and need support of semiconductor industry.