It is hard to attend any sort of meeting
to do with semiconductors without
hearing about the Internet of Things
(IoT), and probably the hottest
subtopic is IoT security. Some devices
will contain our health data, some
are dangerous. Even the apocryphal
internet-enabled
toaster
could
potentially burn down your house.
The second day of this year's EDPS in
Monterey was completely dedicated to
semiconductor security.
A couple of weeks ago, the GSA held
their Silicon Summit and one of the
topics was securing the IoT. This took
the form of a panel session moderated
by Venky Anant of McKinsey. The
panelists were Nuri Dagdeviren from
Microchip (actually from Atmel that
Microchip acquired), Paul Kocher
from Rambus (the cryptography part,
not the memory part), Sami Nassar
from NXP, and Volker Politz from
Imagination.
The reason IoT security is important,
and different from other types of
security is three fold:
The devices, the "things" will be
pervasive with 20-30B of them
predicted by 2020 or so
We are not used to doing security on
devices like this with limited power, we
are used to PCs and smartphones with
a lot of compute resource
The devices contain a lot of private
information like medical or financial
Paul Kocher, who was the founder of
the legendary Cryptography Research
prior to its acquisition by Rambus, was
scathing about security in general.
The three big trends he saw were a
lot more devices, more valuable data
and more complex systems. But that
means more targets for attackers,
more value for the attackers, and
more vulnerabilities. We are already
failing at computer security and IoT
security is much harder. Computer
security today is largely unsuccessful.
If someone really wants something
valuable, they usually get it. He had
a little matrix showing why he is so
worried about IoT security as seen in
table 1. One thing that all the panelists
agreed on was that software is "the
problem." We haven't learned how to
build good software and so it is buggy.
Computer architecture has been
constructed primarily for performance
and to minimize cost, not for security.
Things are evolving because security,
or rather the lack of it, limits technology
value and the market is evolving from
both a regulatory and a liability point
of view. One thing that remains to be
seen is whether companies claiming
good security (when they don't have
it) will poison the well, or whether
companies that do security well will be
able to differentiate.
Venky Anant, Nuri Dagdeviren, Paul
Kocher, Sami Nassar, and Volker Politz
One of the big challenges facing the
industry overall is that there are not
enough trained security experts, and
Security for IoT Is a Requirement, Not a
Choice
Paul McLellan, Cadence
IoT
Special Edition
44 l New-Tech Magazine Europe