Yet again, a massive attack puts the focus on cybersecurity. The late October widespread denial-of-service hacking was top of mind at a panel of experts gathered at the ARM TechCon conference in Santa Clara, Calif. this week. The experts concluded that the whole product chain has to be secure, down to the chip itself. Devices are only as secure as the weakest link in their supply chain.
According to panel members, the lesson of the October attack was that seemingly benign household products pose a cyber danger. “Even harmless devices can be used to take down all kinds of services,” said Chowdary Yanamadala, SVP of ChaoLogix, referring to the massive denial-of-service attack. “This will turn into terrorist attacks if we’re not careful. It will move beyond the annoying denial-of-service attacks.”
The solution to the vulnerability is not easy. It will involve a range of changes in how connected devices are secured. “You need to have multiple layers of security. Ease of attack and scale of attack put the whole system at risk,” said Yanamadala. He noted that protecting the perimeter is not sufficient. “If you protect yourself against side channels, you’re not done.”
Even with all the vulnerabilities, Yanamadala believes some ground has been taken in the security wars. “A lot of the components of the security puzzle have been solved. In some markets, much of the security problem has been solved,” he said. “IoT is not as secure as the financial market because the IoT market is still developing. So we should think about how this can be handled in the future.”
The focus on what needs to be secured is a moving target. The October attacks revealed that all parts of the connected chain needed to be secure. “There was a time when good software was good enough. Now each part has to be secured -- the network, the software, and the hardware,” said Yanamadala. “The attackers will look for the weakest link in the chain. If there are weak links, it doesn’t matter how secure the rest of the system is.”
The Insides of the Chip Need to Be Secure
Moderator Ed Sperling, editor-in-chief of Semiconductor Engineering, suggested that the product’s security chain has to include the contract manufacturer. “Even Apple is using third parties for assembly. How do you secure what’s inside the product if you’re not manufacturing it?” he asked.
The answer may be that contract manufacturers have to take some responsibility for making sure the products are secure. “Signing off on the code and the functionality of the chip is critical. You have to create a root of trust,” said Eric Sivertson, CEO of QuantumTrace. “We need to know the code that is running on the devices. Right now, very few foundries have to sign on their work.”
One of the problems is that the IoT world is creating tons of inexpensive connected products. These devices are made by companies that may not have deep resources to ensure the security inside the products. “Cost is relative. Security is much cheaper if you do it in the device rather than at the system level,” said Yanamadala. “A few pennies spent to secure the chip more robustly is less expensive than securing the brand and avoiding recalls. It may be a two-cent cost, which is cheaper than recalling and fixing products in the field.”
Is Regulation the Answer?
Many of the new IoT devices are popular because they are inexpensive. These devices are pushed for their low cost, and they are not likely to come with sophisticated security. Yet these cheap devices are now a link in the connected chain. “The issue today is that no one really cares about security as long as the device is cheap and it works. The device makers are not like the traditional PC and phone makers who have teams of people working on security,” said Asaf Shen, VP of ARM. “The device makers are already working on the next model. Neither the users nor makers are interested in solving this. Someone has to step in and regulate it.”
Small connected products may ultimately have to comply with security requirements that guard liability in larger products. “The answer may lie in holding companies liable for security vulnerabilities and putting in regulations backed by audits. Having secure processes and being liable to be audited has been around in auto and in the military,” said Tim Dry, a marketing manager at GlobalFoundries. “The path and processes need to be audited and that means guards at the gates.”
Rob Spiegel has covered automation and control for 15 years, 12 of them for Design News. Other topics he has covered include supply chain technology, alternative energy, and cyber security. For 10 years he was owner and publisher of the food magazine Chile Pepper.