
Table 1

the Silicon Summit: Venky Anant, Nuri Dagdeviren, Paul Kocher, Sami Nassar, and Volker Politz

the ones that do exist tend to be in large established companies that take security seriously. The average IoT company is probably lucky if they have a single security expert, and probably they will have no one really qualified. One statistic from LinkedIn is that there are several openings for security experts for every existing security expert. The horsepower available to the entire industry is not enough. Paul admitted even Rambus has trouble finding enough qualified engineers.

The result is that security is likely going to have to be delivered either in the form of security modules, actual chips, or at the least in the form of IP that experts designed. If security is left to the IoT companies themselves then there won't be any. Even a company as well resourced as Chrysler managed to have such weak security that a couple of researchers famously hijacked a Jeep with a Wired magazine journalist inside and eventually put it into the ditch.

Complexity is the enemy of security and so the solutions need to be simple to use and to implement. If they are not, then people will make mistakes. At DAC a couple of weeks ago, I attended a talk by Brian Payne, a security expert from Netflix, who made the same point. "Complexity is the enemy of security. It needs to be easy for people who don't have a PhD in computer security to get security right through simple-to-use libraries and so on." With the semiconductor focus of GSA, that also means simple-to-use hardware devices. Otherwise we will all be vulnerable.

Sami from NXP hit on the same idea. We need end-to-end secure hardware + software (either s/w, or IP blocks, or separate chip). The best is probably to isolate the security in a separate chip where we can pour in more knowledge and test it harder, submit it to third-party review, and so on. That also has the advantage that we can continue to evolve the product, the "thing", without needing to keep reassessing the security.

One of the questions asked was about standards and regulation. Paul said that there will be disasters, devices that don't work. The best will be trustworthy products and that has the potential to create new semiconductor companies that can move into the top 10. He thinks it is an industry-changing issue. But regulation only works when it is clear what you need to do. Security regulations for flights today would not have been appropriate for the Wright brothers or even early planes. If regulation occurs too early then the technology advances will not happen.

And if you think the situation is bad in chip companies in the US, it is much worse outside.

IoT

Special Edition

| | PC | IoT |
|---|---|---|
| Vendor security expertise | Deep | Typically limited |
| Product lifespan | 5 years | 10-20 years |
| User attention to security | Highish | Low/none |
| User tolerance for security issues | High | Low/none |
| Connected to physical world | No | Yes |
| Number of software platforms | Few | Huge number |
| Security tools | Yes | No |
| Vendors can afford security patching | Yes | No |

New-Tech Magazine Europe l 45