the Silicon Summit: Venky Anant, Nuri Dagdeviren, Paul Kocher, Sami Nassar, and Volker Politz
the ones that do exist tend to be in large established companies that take security seriously. The average IoT company is probably lucky if they have a single security expert, and probably they will have no one really qualified. One statistic from LinkedIn is that there are several openings for security experts for every existing security expert. The horsepower available to the entire industry is not enough. Paul admitted even Rambus has trouble finding enough qualified engineers.

The result is that security is likely going to have to be delivered either in the form of security modules, actual chips, or at the least in the form of IP that experts designed. If security is left to the IoT companies themselves then there won't be any. Even a company as well-resourced as Chrysler managed to have such weak security that a couple of researchers famously hijacked a Jeep with a Wired magazine journalist inside and eventually put it into the ditch.
Complexity is the enemy of security and so the solutions need to be simple to use and to implement. If they are not, then people will make mistakes. At DAC a couple of weeks ago, I attended a talk by Brian Payne, a security expert from Netflix, who made the same point. "Complexity is the enemy of security. It needs to be easy for people who don't have a PhD in computer security to get security right through simple-to-use libraries and so on." With the semiconductor focus of GSA, that also means simple-to-use hardware devices. Otherwise we will all be vulnerable.
Sami from NXP hit on the same idea. We need end-to-end secure hardware + software (either s/w, or IP blocks, or a separate chip). The best is probably to isolate the security in a separate chip where we can pour in more knowledge and test it harder, submit it to third-party review, and so on. That also has the advantage that we can continue to evolve the product, the "thing", without needing to keep reassessing the security.
One of the questions asked was about standards and regulation. Paul said that there will be disasters, devices that don't work. The best will be trustworthy products, and that has the potential to create new semiconductor companies that can move into the top 10. He thinks it is an industry-changing issue. But regulation only works when it is clear what you need to do. Security regulations for flights today would not have been appropriate for the Wright brothers or even early planes. If regulation occurs too early then the technology advances will not happen. And if you think the situation is bad in chip companies in the US, it is much worse outside.
IoT Special Edition
Table 1

                                      PC          IoT
Vendor security expertise             Deep        Typically limited
Product lifespan                      5 years     10-20 years
User attention to security            Highish     Low/none
User tolerance for security issues    High        Low/none
Connected to physical world           No          Yes
Number of software platforms          Few         Huge number
Security tools                        Yes         No
Vendors can afford security patching  Yes         No
New-Tech Magazine Europe | 45