It is hard to attend any sort of meeting

to do with semiconductors without

hearing about the Internet of Things

(IoT), and probably the hottest

subtopic is IoT security. Some devices

will contain our health data, some

are dangerous. Even the apocryphal

internet-enabled

toaster

could

potentially burn down your house.

The second day of this year's EDPS in

Monterey was completely dedicated to

semiconductor security.

A couple of weeks ago, the GSA held

their Silicon Summit and one of the

topics was securing the IoT. This took

the form of a panel session moderated

by Venky Anant of McKinsey. The

panelists were Nuri Dagdeviren from

Microchip (actually from Atmel that

Microchip acquired), Paul Kocher

from Rambus (the cryptography part,

not the memory part), Sami Nassar

from NXP, and Volker Politz from

Imagination.

The reason IoT security is important,

and different from other types of

security is three fold:

The devices, the "things" will be

pervasive with 20-30B of them

predicted by 2020 or so

We are not used to doing security on

devices like this with limited power, we

are used to PCs and smartphones with

a lot of compute resource

The devices contain a lot of private

information like medical or financial

Paul Kocher, who was the founder of

the legendary Cryptography Research

prior to its acquisition by Rambus, was

scathing about security in general.

The three big trends he saw were a

lot more devices, more valuable data

and more complex systems. But that

means more targets for attackers,

more value for the attackers, and

more vulnerabilities. We are already

failing at computer security and IoT

security is much harder. Computer

security today is largely unsuccessful.

If someone really wants something

valuable, they usually get it. He had

a little matrix showing why he is so

worried about IoT security as seen in

table 1. One thing that all the panelists

agreed on was that software is "the

problem." We haven't learned how to

build good software and so it is buggy.

Computer architecture has been

constructed primarily for performance

and to minimize cost, not for security.

Things are evolving because security,

or rather the lack of it, limits technology

value and the market is evolving from

both a regulatory and a liability point

of view. One thing that remains to be

seen is whether companies claiming

good security (when they don't have

it) will poison the well, or whether

companies that do security well will be

able to differentiate.

Venky Anant, Nuri Dagdeviren, Paul

Kocher, Sami Nassar, and Volker Politz

One of the big challenges facing the

industry overall is that there are not

enough trained security experts, and

Security for IoT Is a Requirement, Not a

Choice

Paul McLellan, Cadence

IoT

Special Edition

44 l New-Tech Magazine Europe