2023: The Year to Implement IoT Security

Haydn Povey [HP]: Colin, one of the key aspects that we've been talking around for a while with security is “security made simple” and how we make it easy for the supply chain to bring in security early on new projects, as well as on existing projects. How do you see that going from an EPS perspective?

HP: I completely agree, we see a lot of our customers generally looking at moving from CAPEX to OPEX-based businesses because of the way that any costs can be immortalized, and I think that this mechanism enables you to take security and just make it part of the standard build, make it really, really easy and very scalable as well.

HP: As you say, the Product Security and Telecommunications Infrastructure, or PSTI bill in the UK is now in its absolute final stage, which is what's called “Royal Assent”. This basically means that the Houses of Parliament, The Commons, and The Lords have been through the legislation. It’s been through the smoothing phase, questioned and poked. It's been through that process, the amendments, improvements have been made, and therefore it's ready to go, King Charles is ready to sign the paperwork.

"This introduces penalties of up to £10m ($13m) or 4% of global revenue, whichever is the higher."

It requires just some basic hygiene from our perspective:

• Proper Identity,
• Proper Supply Chain,
• Proper capabilities inside the OEM to deal with the life cycle of products.

We've been leading the way here in the UK. What we have seen though in the EU is that they have picked up the work that we have done and recast it slightly, both through ETSI in the first case, and now it's going through the official framing from ENISA, which is a formal standards body of the commission.

What we're seeing here is the same types of requirements around enhanced security in general to make sure that devices can't be owned, better identity, proper lifecycle ownership around updates and management, but most importantly, and very relevant to this conversation is also an adherence to a secure supply chain. It requires that the OEM’s have faith in their supply chain so that they can point to the work that they do internally, to do the first one; ten; one hundred devices, and then how they pick that up and how they take that to scale. This type of service from EPS Global is really critical in meeting that requirement. The security is made simple. The requirement to demonstrate that security has been implemented, whether it's through the development cycle or towards the end of the project, where people are just trying to put in IP protection, production control, or inject identities. In these cases, we can demonstrate meeting these new legislative requirements.

HP: Absolutely. The legislation is coming through and is in place. We've seen the same in the US with the IoT Cybersecurity improvement Act, and that's been followed up also with the White House Cybersecurity Labeling Program for Internet-of-Things (IoT) devices, which is voluntary but largely mandated.

Companies must address this. They must address this certainly if they're producing consumer goods, but also if they're at the industrial or medical domain, because these things are obviously all hyper connected these days.

"For many companies, it's actually already a bit too late, and this is where the Orbit technology is able to help, because we can help companies integrate security at a late stage by downloading the libraries targeting the Orbit security frameworks in the programming machines.

Even if they have projects in flight, or maybe even they're doing a mid-life kicker, you can still add security, and you can still differentiate the product and meet the security requirement."

Of course, security has always done best when it's done early, but we all have to realize that this is a best case or best practice. The reality is people always have projects in flight.

HP: We've seen the legislation come through, and this is to meet a number of high profile hacks which have been out there. Colin, you were telling me recently that you had read a book called “This Is How They Tell Me the World Ends: The Cyber Weapons Arms Race”. Tell me a bit more about that.

HP: Absolutely. As you say, I think it's really highlighted the weak underbelly of the infrastructure that runs all of our countries these days and the hidden costs of these weak points. It's very easy to see how people would be able to black out cities or entire countries and the impact very quickly on the social fabric that we all rely on. If the lights go out, it's difficult…

HP:

"There's a lot of costs to do with security, but the costs of not doing security are massive."

A great example of this that I saw recently is an insurance company and a breakfast cereal manufacturer who were affected by an operational technology hack and have recently just settled at around $100m worth of damage. The insurance company was trying to claim that it was an Act of War to try and slip out of paying reparations, but these things have phenomenal impact on the operations of big companies. These are all just operational technology systems which are all fallible.

There are really 5 areas I point to when we stop talking about security as a cost, and start talking about security as a value and as a capability.

1. The first is obviously brand and reputational damage. Looking at the companies who have been successfully attacked, it's a huge problem for them, and they're going to question their suppliers when these systems go wrong. If you're on the hook for one of these major attacks, are they ever going to buy from you again? Your reputation is going to be dragged through the mud. That's not just consumer electronics, that's medical, industrial, automotive. Every single vendor has a reputation they need to uphold.
2. Companies who are leading with security are able to charge more for their products. Security is going from It's just something I need to do, to something where you can stand at the front of the audience, wave the flag and go: “We are doing something around security”. It’s inherently a better thing.
The White House IoT Labeling Program in the US is part of making this visible to consumers, but we also see visibility in these other marketplaces as well.
3. Beyond that those services, there are lifecycle management revenues to be made. Just because we have to support a device for a period of time, 5 years, 10 years, whatever it is, doesn't mean that that has to be absolutely free. We're all used to support and update agreements, and update should be part of your product, and it changes the dynamic. The hardware becomes something where a service is delivered, as opposed to the service in and of itself, and it changes to everything being as a service.
4. We can then also add feature enablement or feature enhancements. If we build systems with inherent upgradability and patching capability, which we now have to, that doesn't mean we just have to fix things. It means we can also sell additional features and engage in freemium-like models of pushing out technology with certain functionality, but then adding functionality years down the line and have an ongoing revenue model.
5. We now know who the customers are, so we have a relationship with the customer. We're not waiting on mailing cards or system integrators to report back where our kit is. You can inherently see who the users are, and what are they doing.

There's a whole range of incredibly value-added solutions which security enables, and security is the only enabler of. This whole: “Yes, there's a cost.” Fine. That's absolutely there, but the value not just from protecting people but enabling all these services is incredible.

HP: Yes, absolutely. With all these things over time, systems become more integrated and functionality becomes more integrated into our devices. Reducing costs and simplifying integration, SIMs (Subscriber Identification Modules), or TPMs (Trusted Platform Modules), have been around for a while, and they are a great solution in a lot of applications where you need a very high EAL level, because the cost of a break or particular a class break could be substantial. But there is a huge array of applications where you don't need that very high EAL level, you can go for something which is far more fit for purpose for IoT devices because the requirements are subtly different, perhaps these systems are not going to disappear for a long time and then pop up and make substantial payments. If you think about the traditional SIM, it's the bank card, and you may have a bank card in your drawer for six months and then just take it out to do a major payment, perhaps paying for a car. That type of high security is backed up with high-end computer centers as well.

Secure MCUs Provide Better Value and Better Performance for the IoT

IoT doesn't work like that. We need to have great security, but it doesn't need to be perfect in the same way. The integration of Secure Enclaves into devices is a better fit value-wise, it reduces the cost of an additional chip, additional board space, the additional supply chain purchasing and management of all those just integrated in.

Secondly, that integration also enables a whole new set of use cases where because it's on-chip, we can interact with it a lot faster, a lot simpler or a lot better using internal mail boxes to get keys generated, to exchange certificates and key material on-chip.

Both of these have their positions in the market, but moving forward we strongly believe that embedded SIMs or Secure Enclaves will dominate over the next 5 to 10 years.

HP: The nature of SIMs of course is that they all look identical. If you were doing millions of SIMs for mobile phones or bank cards, it's a perfect solution because they are all pretty identical, apart from the credentials going in each SIM individually. The challenge with the IoT is that it is a high mix marketplace, hopefully high volume as well. But the reality is you you'll do a batch of 1000 or 10,000 on a machine, and then they get consumed and you'll do something else, and you mix it around and around. That high mix, medium to high volume means that securing enclaves are much better positioned for those marketplaces.

HP: Absolutely. But then, as you get to the higher echelons, the millions, then of course the cost implications actually dominate, and therefore again, the integration of a secure enclave makes a lot more sense. If you can save twenty cents, forty cents, or a dollar on millions of units, then that has a substantial impact on costs of goods and return on investment.

2023: The Year to Implement IoT Security

HP: I think the key thing is twofold.

1. First of all, the legislative framework has solidified. People can no longer ignore this it's not arbitrary, it's mandatory. Organizations have to understand this and it impacts everybody up to and including the C-Suite. This is exactly the same as GDPR, your company's reputation. Your freedom is in doubt if you don't pay attention to this. We will see CEOs sent to jail, and we will see some big fines being imposed for failure to comply.
2. The other thing is that the technologies have improved through the chip shortages. The ability to add security at any phase of the life cycle is now there and I don't think there's any longer any excuses you can't say “Oh, I'll do it in my next project”. Do it today. Do it now.

HP: We've seen customers being able to integrate security in the matter of hours, rather than weeks or months. I think that that is a fantastic offering to the marketplace that we can demonstrate.

In closing there's no longer any excuses. “Just do security”, to steal your tagline!