Securing IoT Devices to avoid an Internet of Trouble - Part 2

Recently the CEO of EPS Global, Colin Lynch sat down with Haydn Povey, founder and CEO of Secure Thingz and the Chief Strategy Officer at IAR Systems, to discuss the topic of IOT security. Haydn has just returned from the World Economic Forum in Davos, Switzerland, where he has been acting in an advisory role on the key requirements for security of connected devices, and on the future minimum standards.

In part one of this podcast, Haydn and Colin discussed the current security landscape, and how the Internet of Things can quickly become the internet of trouble if devices are left unsecured. If you missed it, you might want to go back and listen to episode 6 which frames this conversation.

In Part 2, Colin and Haydn look at the solutions for manufacturers, and how they can best protect their IP. Let’s jump back in.

Listen to Part 1

Transcript of: Securing IoT Devices to avoid an Internet of Trouble - Part 2

Colin Lynch: Let’s start with the solution. We're the production partner here at EPS Global, the IP and the solution comes from Secure Thingz. If I take all these problems we've well defined now, what's the silver bullet in the Secure Thingz solution that really helps customers address this.

Haydn Povey: So there are two pieces to that. When we talk about security, we also need to broaden it out a little bit to include IP theft, cloning, counterfeiting, and some of the security issues that we see from businesses, not just the malware attacks. Because fundamentally, the bad thing about a malware attack is it devalues your brand, and that devalues your company. And it really is all about value.

What we try and do to impact that is provide tools and work with our customers, which enables them to integrate security very easily, our tagline is ‘Security made simple’. And taking a lot of the security that it would normally take six to 12 to 18 months to create in projects, and actually enable them to deliver that in a matter of days or weeks. And in the case of demos, perhaps even minutes. What that means is that first of all the ability to impact security at the right level, which is in the design phase - bringing in identity and update management in the Secure Boot framework that you need to provide a robust device early into the into the framework. At IAR we have approaching 200,000 developers using our tools on a daily basis, who can now simply add security into that development flow, protecting their code, protecting their customers, and enabling these updates.

What we can then do though, is also use that same technology to define the keys and Public Key Infrastructure materials which need to go into every device. As you'll know very well the whole point of manufacturing over the last 30 years has been to consolidate and make as ‘cookie-cutter’ as possible and everything being the same and driving up efficiency. The nature of smart manufacturing and identity is we need to maintain that, but we also need to put in unique identities and you need PKI (Public Key Infrastructure) framework such that the devices can be acted on individually. And through our solution, the OEM can wrap their application, make sure that all the PKI infrastructure stuff is in there, and then share that over secure links to the hardware security modules (HSMs) integrated into the programming machines at your sites.

This means that the IP is never in the open, it can't be stolen because it's never available to be stolen. It avoids cloning and counterfeiting because the OEM can define exactly where it's made and exactly how many are made. And we can define exactly how those devices are manufactured with each device having individual keys and certificates cut out on the production line. This means that we really constrain the problem. The device can't be attacked, there's no way in, we have created a shell around that. The IP is not available so you can't find the backdoors, you can't find the faults in the code, and ultimately, every device is really truly unique, which is incredibly hard to counterfeit and clone at scale.

Colin Lynch: And in doing all of this, you obviously help with the problem of updating over the air and connecting to the cloud and all of the above as well, right?

Haydn Povey: Absolutely. Because every device is born uniquely, we can upgrade or support people in doing firmware over-the-air updates to a class of devices, to groups of devices or to individual devices. In fact, again, the key material, what's called the ‘intermediate certificate’, can be onboarded directly into a cloud service, such as Azure or AWS. Therefore, all of the hard work and risk associated with onboarding, many of those devices can be automated, and certainly can be made a lot more simple for the end user. You have to think through the entire flow to be able to solve this scale of problem.

Colin Lynch: Very interesting. I guess, with that being the solution from a design and security perspective, where we see our collaboration is on the production side. EPS Global has a network of 23 secure provisioning centers globally, in all the places where electronics are made. I think that it was in that service network you saw the benefit of our collaboration?

Haydn Povey: Most certainly, EPS is a highly trusted partner for many manufacturers and OEMs globally, and obviously that trust is a big part of what we do as well. But from a business perspective, the ability of having those manufacturing sites globally, and yet locally to the OEMs is really important.

Colin Lynch: I guess from our point of view, there's an old business school mantra when you're making products which is you have a desire to have good [quality] and fast and cheap, but you can only pick two. When I look at this solution, there's really genuine aspects of good and fast and cheap in what we're offering. I'll just elaborate on that…

Our ability to integrate is based on hardware upgrades, HSMs which we retrofit into our existing automatic programming handlers or integrate into new ones. I think I'd always give the example of our first customer, you mentioned them in Part I of this podcast – the HVAC client in the United States. We're the production partner in that engagement, you supplied us the hardware (HSM) in Cambridge, we shipped it, installed it and delivered first articles inside two weeks in our first ever engagement with Secure Thingz. Just as a measure of the ease in how quickly we can enable our network, this is a great example, I think.

And obviously, at EPS we make a lot of our own equipment, not all equipment, we do work with other partners, but the fact that we make a lot of our own equipment really enables us to scale. And I think scalability is going to be a massive part of what customers are going to require of us in the coming years. The service model from the point of view of what we set out to do, is we only offer provisioning as a service, we’re not in the business of supplying capital equipment. So the partnership with Secure Thingz is very well aligned.

A client can:

1. Download your software
2. Select inside the tool chain any of EPS’s centers worldwide
3. Send their data there; and
4. Receive programmed chips back.

And as you've mentioned, we're a trusted partner, which is obviously great to hear. But in fact, from a customer point of view, once you're inside the Secure Thingz ecosystem and working with partners like EPS, trust doesn't form an essential part of the chain because we will never see the customer's IP.

Haydn Povey: That's absolutely right. You talked about how traditionally, you can have two out of the three (good, fast, cheap). I think there’s another triplet that we can talk about, which is Simple, Secure, and Scalable. Certainly the partnership with EPS enables us to work with our customers, with your customers and scale to the billions and trillions of devices which need to be secured as we move forward. We need to move to an Internet of Trust. That means all of the devices need to be secure. But we need to do that at a volume that we've never seen before, not even SIM cards really for mobile phones. Every device, every connection needs to be based on that security, and the relationship that we have means we are able to take the customer base using the AI or tools, or NXP or Renesas tools or some other IDE, create their applications and deploy those on a global scale which is critical to achieving the goals of the World Economic Forum and elsewhere.

Colin Lynch: Haydn you’ve mentioned a number of markets - we've already talked about the loT in the automotive space, but are there any other industries where security may be critical? I'm thinking mainly of medical devices and critical infrastructure where these tools and our solutions could possibly have a lot of resonance.

Haydn Povey: Absolutely. Industrial, medical, critical infrastructure, automotive are all critical areas, but really every connected device counts. If we look at medical devices, we have seen some horror stories out there in the past, such as insulin pumps which are connected on hospital networks but not protected, so actually relatively easy to hack and deliver overdoses of medicine and obviously, that has very dire consequences.

We've seen that with devices which are integrated into humans, pacemakers and other ones in hospital or home settings where people really need to think about the misuse, as well as the use.

Similarly, in critical infrastructure we've seen things like water treatment plants being hacked and the water being overdosed with fluorine and causing mass poisoning events. Transportation systems and even power grids, when the NSA (National Security Agency) did a review of the power grids a couple of years ago they estimated that 20% of their critical nodes were hosting Trojans. Of course, that is a really challenging problem for a lot of critical infrastructure around the world.

Colin Lynch: I think that's a great exposition of the collaboration, some definitions of the problem and, hopefully solutions that customers will find useful.

Thanks so much for spending time with us today Haydn, it’s been a really interesting conversation and I really appreciate it.

Haydn Povey: Thanks Colin.

Glossary of Terms

• Secure Thingz: Global domain experts in device security, embedded systems, and lifecycle management.
• IoT: Internet of Things
• PTSI: Product Security and Telecommunications Infrastructure
• GDPR: General Data Protection Regulation
• ETSI: European Conference of Postal and Telecommunications Administrations
• EN 303 645: European Standard for Cyber Security for Consumer Internet of Things

Do you have semiconductors you need programmed?

Outsource your IC programming to EPS Global and remove the complexity and considerable time burden of programming from in-circuit test. This will allow you to introduce increased efficiencies on your production line and cost savings to your organization.

We are strategically located in all major automotive electronic clusters worldwide. Our state-of-the-art, fully automated systems will program, 3D coplanarity check, laser mark and tape & reel your product and we can guarantee rapid delivery to help you meet your production deadlines.