Securing the world of electronics
The Covid-19 pandemic showed very clearly the importance of the semiconductor market to the world economy. The absence of a one dollar microcontroller preventing the shipment of a $100,000 car highlighted that very clearly.
The next ‘unexpected’ issue will be security, and executives are already highlighting this as part of the drive to secure supply chains in the widest possible sense, from the design house and the foundry through to the roll out across the industry, all Internet connected and potentially vulnerable to all kinds of attacks.
The issue of security was also clear at the recent Embedded World 2023 exhibition in Germany. Embedded controllers all now ship with security at the heart of the design. STMicroelectronics launched a secure manager alongside its latest microcontrollers, while NXP has its EdgeLock secure element and Silicon Labs has its Secure Vault.
- ST taps Kudelski for STM32H5 IoT security
- NXP secure element simplifies security for Matter devices
- Secure Vault technology protects against power attacks
What is abundantly clear though is that that security is switched off right at the start of the development process, and adding it back in at the end leaves vulnerabilities.
There are a number of ways to address the challenge of security. Designing it in from the start, with government guidelines, is one way. But there are other ways to secure embedded devices. Monitoring devices in the field can highlight bugs but can also highlight attempts at intrusion and download a new version over the air (OTA).
Memfault in the US and Percepio in Sweden are both offering such software agents, with Percepio opening up its agent to other software frameworks. UK software maintenance startup Foundries.io is also looking at providing a security service as well as preventing the switching off.
“We simplify the preparation stage, and that includes not switching off the security,” said John Weil, chief marketing officer at Foundries.io. “We flash the software and secure the build flow,” he said, “We don’t give them the opportunity to switch off the security.”
The company is looking to add links that include online links into vulnerability databases to further secure the supply chain. “Defense in depth,” said Weil.
Security is getting more attention at the highest levels.
“Now that we are committed to bringing semiconductor manufacturing back home, we need to establish the basic benchmarks that keep chips safe, reliable, and secure,” Ron Black, CEO of German RSIC-V core designer Codasip wrote to the White House earlier this month along with a range of former FBI agents.
Black points to the imbalance between developers, who have to prevent any intrusion, and hackers, who just have to find one vulnerability.
“Cybersecurity defenses must remember every known attack, discover every possible vulnerability, and anticipate every move. This is the inherent asymmetry that offensive intruders enjoy: they have all the time in the world to explore and exploit weaknesses.”
“Protecting chips is an achievable goal,” said the letter. “We can circumvent and avoid the cybersecurity hacks that have exfiltrated our finances, our medical records, our personnel records, the blueprints of our most sophisticated fighter jets and shut down critical infrastructure. Those were network breaches, and the security holes were plugged with software.”
“But if a bad actor hijacks a chip, there is no software that can stop them. This is why we have to pay attention now, before we produce the next generation of devices that will be even-more ubiquitous, from biological implants to autonomous drones.”
Codasip has been positioning for this with the recent buy of UK security specialist Cerberus Labs and Black is calling for more US government standards in security.
“The government has a primary role here, because it can require that the chips used in critical infrastructure and the defense industrial base meet these standards. Like other consumer protections, such as seatbelts in cars and labels on foods, the government can establish guidelines that industry must follow to keep our citizens safe. Nowhere is this more important than in the information technology sector. And semiconductors are the foundation of it all.”
www.codasip.com; www.percepio.com; www.foundries.io; www.memfault.com
