
Simplifying Embedded Security Implementation

Embedded security is one of the biggest challenges for IoT companies. It's not only about preventing IoT products from being hacked, but about companies protecting their processes and safeguarding their intellectual property. One of the executives people often speak to in the realm of embedded security, Haydn Povey is among the prominent advocates of IoT security. As CEO of Secure Thingz, an IAR Systems company, he has a deep background that includes responsibility for driving Arm's security roadmap while previously at Arm, and today he also sits on the board of the IoT Security Foundation. In this interview, he explains some of the challenges around IoT product security, what customers are telling him, and how the awareness created by the involvement of the World Economic Forum will impact the way we look at and deploy embedded security.

Nitin Dahad: From a security perspective, what are the challenges that you see for 2022?

Haydn Povey: Currently, we see three major challenges in the market. The first is consumer IoT legislation coming to bear, which puts the onus on manufacturers to make their products cyber-secure. This includes the U.K.'s Product Security and Telecommunications Infrastructure Bill, which allows fines of £10 million for security violations, and other similar schemes coming for the EU. Pressure is also coming from standards such as EN 303 645 from the European Telecommunications Standards Institute (ETSI) and the baseline recommendations from the European Union Agency for Cybersecurity (ENISA), which will have legal enforcement over the next 1.5 years. OEMs must implement security in their designs now to meet the future cybersecurity requirements, given long component lead times and supply chain impacts.

The second challenge is about protecting customers, and system integrators, against malware injection, both to protect system behavior and to avoid massive trojan or distributed denial of service (DDoS) attacks such as the one we saw in the Mirai attack. OEMs need to make sure their products are secure in use at the customer and don't become an access point for attacks, especially where remote updates are required in the field, which often provide an Achilles' heel in systems design.

But it is not only the end customer's implementation that is at risk. The manufacturers themselves need to implement IP security in the earliest stages of the supply chain – that's the third big challenge we see:

the OECD estimates the cost of cloning or counterfeit goods globally is $500 billion a year – the largest percentage of that by value is electronics. The EU estimates that there is a €60 billion annual impact from IP theft alone, and that almost 300,000 European jobs are lost due to IP theft. OEMs need to ensure that their applications are built correctly, that their IP is not exposed in manufacturing, how to provision and program devices uniquely – and how to do that at scale.

Nitin Dahad: However, the increased security requirements don't merely affect electronic devices, right?

Haydn Povey: Absolutely, this also concerns applications in industrial, automotive, or medical electronics – anything that is connected to the internet and networks is at risk and needs to be protected against attacks. There's lots of machine-to-machine communication in Industry 4.0, and every device within this complex system must be validated. The concept of "zero trust" is all about authenticating and onboarding systems – a frightening task, which some companies try to solve with digital twins and cloud-based connectivity, but that needs lots of software components.

Nitin Dahad: What are your customers telling you about their security challenges?

Haydn Povey: They have many questions. Where do we begin with such a multifaceted problem? How do we protect our customers? How can we protect our intellectual property and our brand? They're ready to tackle them – but they lack cybersecurity experts! In fact, 3.5 million engineers are needed globally, but there are not enough. So, what we do is, we make security simple. We make it readily available for engineers who don't have any security expertise, who just need to get the job done.

Nitin Dahad: Securing the supply chain seems to be a significant challenge for many organizations. How do you address that?

Haydn Povey: Basically, we're attempting to make things quite simple with wizards and configuration boxes. You simply have to go through a few steps, for example: do you want to have individual identities with formal cryptographic certificates? Do you want two or three levels of certificates? Are the update slots in the microcontroller or in off-chip memory? You simply need to tick a box or select from a menu to define your requirements. We are attempting to make this super easy for the engineers: by choosing correctly from the options, customers can automatically produce ready-to-run source code that they are able to own, edit and integrate with their main application. The output of our wizard is something we call the "secure boot manager", and the OEMs can leverage the component SESIP compliance we've achieved on the software to aid formal product compliance.

Nitin Dahad: Recently you announced your active support for the Consumer IoT Security Statement of Support presented by the World Economic Forum's Council on the Connected World. This statement talks about five key capabilities for setting up a baseline for security. What are these?

Haydn Povey: These five key capabilities actually originate from the 13 guidelines that we discuss within the IoT Security Foundation. These 13 are then reported across more than 100 standards, specifications and guidelines around the world. The legislation calls out three of these as mandatory, and they sound very high level, but they have far-reaching consequences, as these things always do. Number one: don't use universal default passwords. Two: implement a vulnerability disclosure policy, which means you need to tell your customers that your product contains a flaw, and that you're ready to fix it with proper software versioning. The third key capability: keep the software updated. In addition, there are two other capabilities associated with securing data that are important – number four: secure communications; and five: ensure that private data is secure.

Nitin Dahad: How can this statement from the World Economic Forum really make a difference for organizations dealing with the growing security challenges worldwide?

Haydn Povey: I think it is critically important that the C-suite executives – the CEO, the COO or even the CSO – know the consequences of the upcoming legislation. They need to be pulling it through, as do the politicians, because the law will have the same impact as GDPR did four years ago. The C-suite has to take responsibility for the security of the products and also the effect on their customers. They need to keep in mind that they will be personally liable when things fail. The World Economic Forum is very powerful since it reaches out to the Fortune 500 and also the politicians and tells them that they are now accountable for driving better behavior within their organizations. You have to plan for it, you have to fund it, and then enable your engineering team to get your products to meet the security requirements. Security traditionally is viewed as a cost, but it's not – it's a fundamental business enabler.

Nitin Dahad: So how exactly does your organization address the requirements of this statement?

Haydn Povey: The aim of our "Embedded Trust" secure development solution and our production hardware security module "Secure Deploy" is this: security made simple. And that's what they do: simplifying security designs. In the same way as we don't expect every engineer to redesign a TCP/IP or TLS stack, we shouldn't expect everybody to be an expert in the fundamentals of security. Embedded Trust and Secure Deploy are simply another solution there to help them implement the specific security layers in software throughout the product's life cycle, implement that in volume production, and program and provision identities into every device uniquely.

Nitin Dahad: For volume production solutions, how do you cooperate with production equipment suppliers?

Haydn Povey: We've worked with some partners – for example System General, a global leader in device programming machines – who basically implement our Secure Deploy module in programming machines. With this you can program each chip securely with the right code, and nothing is added or changed. At the same time, each chip is provisioned with a truly unique certificate. And we can make sure that just the right number of devices are made on only the right machines, to prevent counterfeiting and gray production. Any manufacturer can do this from anywhere in the world by creating a virtual private network (VPN) from their production management system to the devices being programmed. We also work with big distributors globally, as well as their programming partners like EPS Global and Hi-Lo Systems. Our common goal is really trusted logistics, which is especially necessary for automotive, industrial, and medical electronics.

Nitin Dahad: What we have discussed has mainly been about implementing security functions in new designs. But what about products that are already in use in the field – how can OEMs make those secure?

Haydn Povey: You're correct, we have seen that there is a large number of companies who are challenged to add security to their applications, but they cannot justify starting their development project over to add security from the start. This is where Embedded Trust comes in: the latest version, version 5.0, of our security solution allows them to rapidly integrate security into their existing applications, wherever they are in their lifecycle and whatever development tools they used to create their code.

Nitin Dahad: So, are we likely to see you soon at the World Economic Forum talking about IoT security?

Haydn Povey: Personally, I feel very blessed that we have been asked by the World Economic Forum as embedded and security experts, also thanks to the fact that we're a founding member of the IoT Security Foundation. Currently we are doing some videos around security, so you can expect to learn more about our security concepts on the World Economic Forum's platform soon.