New Tech Europe | Jan 2017 | Digital Edition

IoT Special Edition

managed to have such weak security that a couple of researchers famously hijacked a Jeep with a Wired magazine journalist inside and eventually put it into the ditch. Complexity is the enemy of security and so the solutions need to be simple to use and to implement. If they are not, then people will make mistakes. At DAC a couple of weeks ago, I attended a talk by Brian Payne, a security expert from Netflix, who made the same point. "Complexity is the enemy of security. It needs to be easy for people who don't have a PhD in computer security to get security right through simple-to-use libraries and so on." With the semiconductor focus of GSA, that also means simple- to-use hardware devices. Otherwise we will all be vulnerable. Sami from NXP hit on the same idea. We need end-to-end secure hardware + software (either s/w, or IP blocks, or separate chip). The best is probably to isolate the security in a separate chip where we can can pour in more knowledge and test it harder, submit it to third-party review, and so on. That also has the advantage that we can continue to evolve the product, the "thing", without needing to keep reassessing the security. One of the questions asked was about standards and regulation. Paul said that there will be disasters, devices that don't work. The best will be trustworthy products and that has the potential to create new semiconductor companies that can move into the top 10. He thinks it is an industry-changing issue. But regulation only works when it is clear what you need to do. Security regulations for flights today would not have been appropriate for the Wright brothers or even early planes. If regulation occurs too early then the technology advances will not happen. And if you think the situation is bad in chip companies in the US, it is much worse outside.

PC

IoT

Vendor security expertise

Deep

Typically limited

Product lifespan

5years 10-20 years Highish Low/none

User attention to security

User tolerance for security issues Connected to physical world Number of software platforms

High

Low/none

No

Yes

Few Huge number

Security tools

Yes Yes

No No

Vendors can afford security patching

Table 1

the Silicon Summit: Venky Anant, Nuri Dagdeviren, Paul Kocher, Sami Nassar, and Volker Politz

there are several openings for security experts for every existing security expert. The horsepower available to the entire industry is not enough. Paul admitted even Rambus has trouble finding enough qualified engineers. The result is that security is likely going to have to be delivered either in the form of security modules, actual chips, or at the least in the form of IP that experts designed. If security is left to the IoT companies themselves then there won't be any. Even a company as well resourced as Chrysler

the ones that do exist tend to be in large established companies that take security seriously. The average IoT company is probably lucky if they have a single security expert, and probably they will have no one really qualified. One statistic from LinkedIn is that

New-Tech Magazine Europe l 45