Kudelski, a Swiss security firm, has launched a Secure IP portfolio for IoT products. The new offering provides a hardware enclave for baking security primitives into new chip designs while safeguarding secrets across the complete product development and deployment lifecycle. It allows IoT vendors to embed a hardware root of trust directly into chips, which is harder to hack than software-only implementations.
Kudelski has been a leader in protecting content on devices like set-top boxes and payment systems for decades. The new IoT support extends this expertise to more dynamic workflows required for IoT use cases.
Michela Menting, digital security research director at ABI Research, told VentureBeat that this is part of an industry trend from silicon IP firms to add support for various security primitives directly into their chip design libraries. Silicon security provides better security than software alone because it is more difficult for hackers to penetrate.
Securing the IoT hardware ecosystem
Menting said that Arm was a forerunner in this space with security IP for various use cases. This helped pave the way for secure IP adoption and improvement by various semiconductor and hardware vendors.
“Arm’s success initially for smartphones, with tech like CryptoCell and TrustZone and today for IoT, is really pulling the market forward and driving other silicon IP and semiconductors to target this market and also to innovate,” Menting explained.
Various vendors are also developing secure IP building blocks in addition to Arm and Kudelski, including Intel, Intrinsic-ID, Inside Secure, Secure IC, Maxim, MIPS, Rambus, Silex and Synopsys, among many others. Other vendors are targeting the open-source RISC-V ecosystems, including companies like Dover Microsystems, Veridify, Hex Five and SiFive.
These vendors are rallying behind emerging new IoT hardware security standards established by governments and vendors. The U.S. National Institute of Standards and Technology (NIST) recently launched the Federal Information Processing Standard (FIPS) 140 series to coordinate hardware and software security systems.
ARM Holdings introduced the Platform Security Architecture (PSA) specifications in 2017 and the first strategies went live in 2019. Another group of vendors, including STMicroelectronics, NXP Semiconductors and AWS, have developed the Security Evaluation Standard for IoT Platforms (SESIP).
A complex process
The new Secure IP offering from Kudelski supports all these emerging standards. Kudelski’s IoT senior vice-president Hardy Schmidbauer told VentureBeat that a key differentiator compared with other secure IP offerings is support for services to help IoT vendors implement secure processes across the silicon development and deployment lifecycle. This complex process involves steps like secure personalization and credential management.
When an IoT vendor first creates a chip, it comes out as a complete blank, identical to others. In the personalization step, the vendor stamps a unique ID code into non-volatile memory on each chip and records this into its database.
Credential management involves adding unique encryption keys to each chip, while also protecting these from being altered or captured by adversaries. The combination of managing the unique serial number and encryption keys helps create the foundation for all the processes for securely updating software and protecting the integrity of each device.
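The personalization and credential-management steps described above, sketched as an added Python example (not Kudelski's code and not part of the original article). The `Chip` and `Vendor` classes are hypothetical, and deriving each device key from a master key with HMAC-SHA-256 is an assumption, one common approach rather than anything the article specifies.

```python
import hashlib
import hmac
import secrets

def _mac(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()

class Chip:
    """Simulated blank chip with write-once (OTP-style) identity storage."""
    def __init__(self):
        self.uid = None    # unique ID, readable after personalization
        self._key = None   # per-device secret, never exported

    def personalize(self, uid: bytes, key: bytes) -> None:
        if self.uid is not None:
            raise PermissionError("chip already personalized")
        self.uid, self._key = uid, key

    def respond(self, challenge: bytes) -> bytes:
        # Prove possession of the key without revealing it.
        return _mac(self._key, challenge)

class Vendor:
    """Hypothetical provisioning station plus device database."""
    def __init__(self):
        self._master = secrets.token_bytes(32)  # in practice held in an HSM
        self.registry = set()                   # IDs recorded at personalization

    def _device_key(self, uid: bytes) -> bytes:
        # Assumption: per-device keys are diversified from a master key.
        return _mac(self._master, b"device-key|" + uid)

    def provision(self, chip: Chip) -> bytes:
        uid = secrets.token_bytes(8)
        chip.personalize(uid, self._device_key(uid))
        self.registry.add(uid)
        return uid

    def authenticate(self, chip: Chip) -> bool:
        if chip.uid not in self.registry:
            return False                        # unknown or blank chip
        challenge = secrets.token_bytes(16)     # fresh per attempt
        expected = _mac(self._device_key(chip.uid), challenge)
        return hmac.compare_digest(expected, chip.respond(challenge))
```

A chip that copies a registered ID but lacks the matching key fails `authenticate`, which is why the ID and the key are managed together.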
Kudelski has also added support for various security operations directly in a hardware security enclave that supports features like a random number generator, secure key storage and countermeasures against side-channel and fault attacks.
The platform also allows vendors to support capabilities like remote feature authorization and over-the-air updates. This extensive set of services takes advantage of Kudelski’s over thirty years of experience in secure hardware design and system infrastructure.
Menting said security IP is a big market that will continue to grow with the uptick of new IoT devices. But each device has different security needs depending on the use case and the risk it represents. An industrial control system will have different requirements than a home lighting controller.
“Not all devices need the same things and so you can offer a broad range of different IP offerings for different use cases,” she said.
Vendors are currently offering a wide range of security IP cores to support services like:
- Root of trust
- Secure boot
- Cryptographic accelerators
- True random number generators
- Physical unclonable functions
- One-time programmable memory
- Trusted execution environments
- Memory protection units
- Tamper resistance
- Side-channel analysis resistance
New hardware supply chain requirements
This breadth of capabilities is required to extend the software bill of materials (SBOM), now mandated to protect software, into hardware.
“We are seeing growing interest within both the commercial and government sectors in the implementation of a hardware bill of materials (HBOM) to augment security compliance and assurance provided by a software bill of materials,” said Andreas Kuehlmann, Chairman and CEO of Cycuity (formerly Tortuga Logic), which provides tools for testing hardware security.
The HBOM must cover the entire design supply chain from IP providers to chip development organizations, all the way to their integration into actual products.
He argues that just as organizations should ensure the security of the supply chain, it is also essential to communicate to downstream partners and consumers about its due diligence and security assurance. Hardware security adds new requirements.
Even when a trusted supplier conducts thorough security verification that vets third-party security IP, it also needs to ensure that risks such as the leakage of root device keys are not introduced during compliance and integration steps.
The industry is in the early stages of developing the cohesive strategy required to ensure security across the hardware supply chain.
“Currently, industry and government efforts have not mastered many operational aspects of building products, as most organizations aren’t coordinating and communicating a cohesive hardware security approach across the roster of supply chain partners to produce the final product,” Kuehlmann said.