Hagi.
“After the chip or product leaves the factory, the opportunities to
achieve high assurance bootstrapping of identities diminish. They’re
still possible, but you don’t have that high security opportunity to do
that and it’s going to cost more to actually bootstrap an identity. The
lowest cost opportunity to bootstrap an identity is to be as close as
possible to the foundry and we’re looking at this as well.
“Silicon manufacturers bootstrap things like silicon identities and
that gives you trust in a specific chip. You then have to give access
to customers, so that they can leverage those hardware-grounded
identities to authenticate against a set of cloud-deployed services
and applications and gateways and networks using their issued
credentials.”
According to Hagi, the manufacturing processes involved in getting a
chip from a wafer to being packaged into an SoC, for example, involve
very careful orchestration.
“You’re introducing delays, so you have to make sure that you are
able to inject secrets into those devices, into the chip and the die as
well as into the device in aggregate without impacting your costs too
much.”
Once the device is deployed, you then bring in elements of
monitoring, threat intelligence and correlation of the activities that
the IoT device can measure and report on, explains Hagi.
“Is the device being subjected to some kind of an anomalous
activity which is an indication of an attack and if it is an attack,
what do we do about it? What are the response options? How do we
orchestrate that?”
Hagi believes that attacks are likely to affect fleets of devices, which
raises the question of how to coordinate a response across a relatively
large number of connected devices.
“This is a challenge that we haven’t really been facing because
security, so far, has been about a threat actor attacking a server or
attacking a singular target. It has been very rare to see attacks that
in aggregate impact a large number of devices all at once,” Hagi
explains, “and in IoT, that prospect is real and we have to figure out
what to do about it.”
Hagi argues that companies need to build mechanisms so that
devices can receive updates securely from a trusted source and act
on them.
“It’s also about, perhaps, identifying a signature of an attack
and then updating the device to recognise locally that signature and
rejecting a connection attempt or being able to cope with it until, if you
will, a more established fix or patch is available. Basically, you need to
be able to respond right away.”
Companies need to understand the whole process behind incident
response orchestration and coordination, argues Hagi.
“The IoT is becoming more automated, with the development of
microservices architectures and agile infrastructure where code is
being updated on a minute-by-minute basis.
“We have to create IoT devices agile enough to be updated on that
frequency. It’s a very difficult challenge when you’re thinking about
highly constrained devices and mesh networks that don’t have a lot of
battery power.”
Silicon Labs has recognised that the IoT will not flourish without
security. It is now a real priority and it requires organisational focus
and direction.
“That was really the mission that they put in front of me,” said
Hagi. “We have to make sure that we not only build the most secure
products on the market, but we also enable our customers to leverage
our capabilities within the hardware and software stacks to build
secure solutions.”
Security requires a high degree of coordination and collaboration,
according to Hagi. “I’m hoping the industry will collaborate to get us
to that level where we can buy, as consumers, an IoT product and be
confident that it’s secure.”
www.newelectronics.co.uk 14 January 2020 19