In the last quarter of this year there was a 98% increase in malware targeting IoT devices. The threat landscape is rapidly changing, from an increase in state-backed cyber attacks, as well as financially motivated attacks on businesses – security has never been so critical. Reflecting this sharp increase, governments in the UK, US and EU are solidifying security legislation and minimum security standards.
So how can businesses protect their microcontrollers from malign actors and do it simply? Answering questions like what is the real cost of IoT security, can it be implemented in projects that are already in-flight and what are the repercussions if IoT security is not implemented? This is episode 15 of the Critical Lowdown.
Ahead of the Electronica Trade Show in Munich, EPS Global CEO Colin Lynch sat down with Chief Strategy Officer for IAR Systems, and former guest on the Critical Lowdown, Haydn Povey, for a commentary of the chip security landscape as we head into 2023, from legislative sanctions and how to get ahead. Let's jump right in.
Haydn Povey [HP]: Colin, one of the key aspects that we've been talking around for a while with security is “security made simple” and how we make it easy for the supply chain to bring in security early on new projects, as well as on existing projects. How do you see that going from an EPS perspective?
Colin Lynch [CL]: It's a great question, and I know it's something that is in the minds of a lot of customers Haydn. It can seem like quite a complex problem when you start to look at security, but the simplicity of the process, and the simplicity of understanding the actual cost of the process has been a huge emphasis of the work we've done together.
If you look at our solution today, where you take a product like Embedded Trust or Orbit, you can either develop the application using this toolchain from inception; or you can develop using any toolchain of your choice, in some cases using free tools that you can download off the web as your starting point, and add security later. You can choose an SDK and do your development in 10 units, 100 units, 1000 units in your lab, with the identical setup that EPS will use in volume production.
I think that's a really key point for developers from a time-to-market and integrity of the process point of view. You can securely provision 10 prototype units in your lab by pointing at the HSM in your lab, and then when you’re ready for volume production you use the same tool set but point at the production HSM in EPS Mexico, EPS Malaysia, EPS Romania, who then can produce units by the hundreds of thousands for you wherever in the world you want them. The ecosystem and the logistics that we have really combines the toolchain from IAR / SecureThingz as well as EPS’s footprint to make it easy. You have a one-stop shop for logistics, it's very cost effective.
In the case of Orbit, if you want to just use the late stage security (called Embedded Secure IP), you could be using free tools from any of the major chip companies, for example with Renesas you can encrypt or encode and put your anti-cloning/your keys into that after production; you can then transfer those anywhere around the world. The only cost for that is reflected in a programming fee from EPS Global. One Invoice; one billing, which includes royalties for the various software tools you've used, included the price. It's really very, very simple. Plus you’re doing that in an environment where there's a lot of integrity of the process. You've got the encryption at your end which is completely within your own control, and no software ever leaves your door that isn't encrypted. EPS Global or your eventual production partners never see your software in the clear.
It's got a number of things that actually make it very flexible. It's important for customers to realize that from our side it doesn't involve huge investments to deliver secure provisioning. We're able to integrate IAR/SecureThingz technology into our existing footprint.
If you are looking for 10,000 pieces, we're not trying to mask amortization of huge capital costs into the pricing. It is a very cost-effective solution for us to deliver, so that value is reflected in the pricing.
Overall, we need customers to engage, see it for themselves so that they get comfortable with the process, and they will recognize that the job of making it simple has been addressed in the solutions.
HP: I completely agree, we see a lot of our customers generally looking at moving from CAPEX to OPEX-based businesses because of the way that any costs can be immortalized, and I think that this mechanism enables you to take security and just make it part of the standard build, make it really, really easy and very scalable as well.
CL: You're familiar with our business philosophy? We've never sold machines. We're a Provisioning-as-a-Service business, we've always had that as a model, so hopefully that resonates with customers.
One of the things that I'm often asked is about the legislative sanctions associated with this. I mean, where is that moving? I'm very conscious that in the UK in particular the legislative progress is at a very advanced stage, but I know there’s progress in the USA and Europe as well. Do you want to give us a quick update on that?
HP: As you say, the Product Security and Telecommunications Infrastructure, or PSTI bill in the UK is now in its absolute final stage, which is what's called “Royal Assent”. This basically means that the Houses of Parliament, The Commons, and The Lords have been through the legislation. It’s been through the smoothing phase, questioned and poked. It's been through that process, the amendments, improvements have been made, and therefore it's ready to go, King Charles is ready to sign the paperwork.
"This introduces penalties of up to £10m ($13m) or 4% of global revenue, whichever is the higher."
It requires just some basic hygiene from our perspective:
We've been leading the way here in the UK. What we have seen though in the EU is that they have picked up the work that we have done and recast it slightly, both through ETSI in the first case, and now it's going through the official framing from ENISA, which is a formal standards body of the commission.
What we're seeing here is the same types of requirements around enhanced security in general to make sure that devices can't be owned, better identity, proper lifecycle ownership around updates and management, but most importantly, and very relevant to this conversation is also an adherence to a secure supply chain. It requires that the OEM’s have faith in their supply chain so that they can point to the work that they do internally, to do the first one; ten; one hundred devices, and then how they pick that up and how they take that to scale. This type of service from EPS Global is really critical in meeting that requirement. The security is made simple. The requirement to demonstrate that security has been implemented, whether it's through the development cycle or towards the end of the project, where people are just trying to put in IP protection, production control, or inject identities. In these cases, we can demonstrate meeting these new legislative requirements.
CL: If I put myself in the head of a customer who's making industrial control, or in the HVAC business or the smart metering business:
"I've just been through 2 years of supply chain hell, trying to get parts to keep my business going, but the shortage is about to ease, should I be looking at these security requirements now?"
HP: Absolutely. The legislation is coming through and is in place. We've seen the same in the US with the IoT Cybersecurity improvement Act, and that's been followed up also with the White House Cybersecurity Labeling Program for Internet-of-Things (IoT) devices, which is voluntary but largely mandated.
Companies must address this. They must address this certainly if they're producing consumer goods, but also if they're at the industrial or medical domain, because these things are obviously all hyper connected these days.
"For many companies, it's actually already a bit too late, and this is where the Orbit technology is able to help, because we can help companies integrate security at a late stage by downloading the libraries targeting the Orbit security frameworks in the programming machines.
Even if they have projects in flight, or maybe even they're doing a mid-life kicker, you can still add security, and you can still differentiate the product and meet the security requirement."
Of course, security has always done best when it's done early, but we all have to realize that this is a best case or best practice. The reality is people always have projects in flight.
CL: Very interesting.
HP: We've seen the legislation come through, and this is to meet a number of high profile hacks which have been out there. Colin, you were telling me recently that you had read a book called “This Is How They Tell Me the World Ends: The Cyber Weapons Arms Race”. Tell me a bit more about that.
CL:It was a very interesting read, written by Nicole Perlroth, who's a New York Times journalist working in this field for over 10 years. She has a really interesting history of how hacking was formally invented in the US and then exported around the world, and how cyber-attacks originally targeted the IT world for example Microsoft and Apple, and a lot of the big IT providers. She demonstrated how they've worked through these challenges over the years, and how in more modern times, as IT providers have hardened their systems with experience and time, that a lot of the focus in hacking has moved to the IoT and industrial systems.
We've seen how the Russian invasion on February 24th was preceded by cyber-attacks on the power and water grid, the country's infrastructure, a lot of the damage that is still being done today in terms of turning off the power in Ukraine is being done by cyber-attacks rather than by missiles.
I think it was interesting in this book that a lot of those systems, ventilation, air conditioning, are far more exposed than what we would consider traditional IT infrastructure. I remember thinking as I was reading it that, a lot of those systems are right in the market that's been addressed by the microcontroller space, as opposed to the more traditional Wintel environments that would have been the original sources of Hackathon. It was an interesting read for me, very present in this year with the tragedy that's unfolded in the Ukraine, and a real salutary lesson into where exposures exist in our industrial infrastructure and our ecosystem that we probably were unaware of up to this year. For guys like you and I who are who are selling into that market and who are trying to promote security, it was a real wake up for me in terms of some of the jobs to be done in this space.
I'm not suggesting that the work we're doing is a cure-all, or a solution to every problem, but it certainly does help harden somebody's systems and raise the threshold in terms of vulnerability and it'll be interesting to see how that unfolds in the next few months, because I think it's going to be on the legislative agenda of most Western democracies in the very near future, if it's not already top of the list.
HP: Absolutely. As you say, I think it's really highlighted the weak underbelly of the infrastructure that runs all of our countries these days and the hidden costs of these weak points. It's very easy to see how people would be able to black out cities or entire countries and the impact very quickly on the social fabric that we all rely on. If the lights go out, it's difficult…
CL: It does make you think a little bit about the cost of security, doesn't it? A lot of people tend to think of the cost of security, and in the case of our solution is reflected probably in a security enabled chip that's a slight premium to the regular version, it's reflected in a programming cost which probably wasn't in your original Bill-of-Materials, and they tend to be the costs people focus on. But the cyber-attacks really make you think about the actual costs should it happen to you.
I know you've given this area a lot of thought. Do you want to maybe expand on your some of your ideas in that area?
"There's a lot of costs to do with security, but the costs of not doing security are massive."
A great example of this that I saw recently is an insurance company and a breakfast cereal manufacturer who were affected by an operational technology hack and have recently just settled at around $100m worth of damage. The insurance company was trying to claim that it was an Act of War to try and slip out of paying reparations, but these things have phenomenal impact on the operations of big companies. These are all just operational technology systems which are all fallible.
There are really 5 areas I point to when we stop talking about security as a cost, and start talking about security as a value and as a capability.
There's a whole range of incredibly value-added solutions which security enables, and security is the only enabler of. This whole: “Yes, there's a cost.” Fine. That's absolutely there, but the value not just from protecting people but enabling all these services is incredible.
CL: It's a change in how you approach the problem but if you were to try and achieve any of those things outside of a secure infrastructure, you'd be exposing yourself to a huge attack surface if you hadn't thought of security first when you're trying to look at those things. It's a really interesting idea.
If I bring us to the final item were going to talk about, the dynamic between Secure Elements vs. Secure Microcontrollers, and the difference. The Secure Element market has existed for a long time. It's got a very stable supply chain, and a lot of the vendors in that in that space have programming infrastructures and provisioning infrastructures that are well established. It's probably a more nascent offering in microcontrollers; secure microcontrollers are, relatively speaking, newer products. Do you want to discuss where customers may see advantages in the microcontroller space going forward?
HP: Yes, absolutely. With all these things over time, systems become more integrated and functionality becomes more integrated into our devices. Reducing costs and simplifying integration, SIMs (Subscriber Identification Modules), or TPMs (Trusted Platform Modules), have been around for a while, and they are a great solution in a lot of applications where you need a very high EAL level, because the cost of a break or particular a class break could be substantial. But there is a huge array of applications where you don't need that very high EAL level, you can go for something which is far more fit for purpose for IoT devices because the requirements are subtly different, perhaps these systems are not going to disappear for a long time and then pop up and make substantial payments. If you think about the traditional SIM, it's the bank card, and you may have a bank card in your drawer for six months and then just take it out to do a major payment, perhaps paying for a car. That type of high security is backed up with high-end computer centers as well.
IoT doesn't work like that. We need to have great security, but it doesn't need to be perfect in the same way. The integration of Secure Enclaves into devices is a better fit value-wise, it reduces the cost of an additional chip, additional board space, the additional supply chain purchasing and management of all those just integrated in.
Secondly, that integration also enables a whole new set of use cases where because it's on-chip, we can interact with it a lot faster, a lot simpler or a lot better using internal mail boxes to get keys generated, to exchange certificates and key material on-chip.
Both of these have their positions in the market, but moving forward we strongly believe that embedded SIMs or Secure Enclaves will dominate over the next 5 to 10 years.
CL: As well as the cost you mentioned, there is also a performance advantage, between integrating the Secure Enclave on board and then with all of those advantages, I think there's challenges on us, we're looking at and addressing them, but we've really got to look at the supply chain that exists for secure elements and see where we can achieve similar efficiencies for customers. I think we're on the right path in that regard.
HP: The nature of SIMs of course is that they all look identical. If you were doing millions of SIMs for mobile phones or bank cards, it's a perfect solution because they are all pretty identical, apart from the credentials going in each SIM individually. The challenge with the IoT is that it is a high mix marketplace, hopefully high volume as well. But the reality is you you'll do a batch of 1000 or 10,000 on a machine, and then they get consumed and you'll do something else, and you mix it around and around. That high mix, medium to high volume means that securing enclaves are much better positioned for those marketplaces.
CL: I'm thinking that 50,000-500,000 type of space on a particular SKU is really where you're likely to see a lot of the market?
HP: Absolutely. But then, as you get to the higher echelons, the millions, then of course the cost implications actually dominate, and therefore again, the integration of a secure enclave makes a lot more sense. If you can save twenty cents, forty cents, or a dollar on millions of units, then that has a substantial impact on costs of goods and return on investment.
CL: That’s a good exposition of our thoughts as we're approach the end of 2022!
Do you have any wrapping up remarks? I might add a few of my own before we close.
HP: I think the key thing is twofold.
CL: In thinking about how I’d summarize our conversation today, unusually probably sitting here on the call as the CEO of EPS Global rather than the SecureThingz CEO, I'd say the work that's been done in the product development at SecureThingz this year is the biggest change we're offering, and it's a huge enabler.
If I'm a customer now, I can take a design I did yesterday, download free software to add security to designs I've already done, and that can be delivered globally in any volume I want. That's starting to look like the sort of solutions I was hoping we would have as we've been on this journey over the last couple of years, and obviously, there's work to do in improvements, and we're still working in the low millions of units, and we have yet to sort of work our way towards the tens of millions of units, but I believe those types of volumes are ahead of us over the next couple of years. I really do think we're at a point where customers have a very straightforward pathway to working with us.
I'd emphasize the extent to which we are two separate companies and that that can look like it's possibly clunky on the outside to some people. Where do I get support? How do I get questions answered? I mean, it's been quite seamless. Secure Thingz hardware is integrated into our hardware and the software is part of our supply chain. From a customer's point of view, yes, you're working with two companies, it’s clear: the support and the solution support is coming from SecureThingz, and the provisioning, volume production and logistics all coming from EPS Global. There's one order. One invoice. One cost that's clearly understood.
I'm hoping that's going to be a catalyst to enabling significant growth. I know we're going to Electronica next week and we're going to be talking to several customers there, I'm really looking forward to seeing what they think of this, because I've got a feeling that we've made a really interesting step function change to our offering in the last 3 to 6 months.
HP: We've seen customers being able to integrate security in the matter of hours, rather than weeks or months. I think that that is a fantastic offering to the marketplace that we can demonstrate.
In closing there's no longer any excuses. “Just do security”, to steal your tagline!
CL: Thanks. It's been great chatting.
Outsource your IC programming to EPS Global and remove the complexity and considerable time burden of programming from in-circuit test. This will allow you to introduce increased efficiencies on your production line and cost savings to your organization.
We are strategically located in all major automotive electronic clusters worldwide. Our state-of-the-art, fully automated systems will program, 3D coplanarity check, laser mark and tape & reel your product and we can guarantee rapid delivery to help you meet your production deadlines.