Who’s Responsible For Security?

Experts at the Table, part 1: Where security is working, where it isn’t, and what to do about it.

Semiconductor Engineering sat down to discuss security issues and how to fix them with Mark Schaeffer, senior product marketing manager for secure solutions at Renesas Electronics; Haydn Povey, CTO of Secure Thingz; Marc Canel, vice president of security systems and technologies at Arm; Richard Hayton, CTO of Trustonic; Anders Holmberg, director of corporate development at IAR Systems. What follows are excerpts of that conversation.

L-R: Anders Holmberg, Marc Canel, Mark Schaeffer, Haydn Povey, Richard Hayton. Photo credit: Brian Bailey

SE: One of the main causes of security problems is complexity. How do we solve that?

Povey: Complexity is a massive issue for everyone. Whether you’re building a power station or a car, it’s made up of layers upon layers of components and systems. Ownership needs to be embedded in all of those, from the ground up. There is a need for identity to be injected early. There needs to be management of identities. We need to own each of the components over the lifetime of a system, and come back to that at various points in time. And we need to be able to manage these subsystems, integrate them and integrate the security. But there are so many parts, so many pieces of complex code, that it’s a real challenge to manage all of those. The solution is to simplify. You need to understand the individual components to make sure those components work properly. You need to own them, update them and certify them. Certification is a key piece of this. If you can’t formally prove the system is right, then it’s probably wrong. And you can only do that at the small level, whether that’s the microcontroller or the TEE (Trusted Execution Environment) level.

Canel: Complexity is one dimension of the challenge. There is a layering of technologies, from the physical IP, in which the key that will make the root of trust is embedded, all the way up to the application and everything in between. There also is complexity in the processes to build all of these things, to provision them, to load the code and to load the keys. One of the big challenges is there is no standardization across the overall IoT world. There are vertical ecosystems, whether this is in the embedded world or automotive. If you go from General Motors to Ford, you will find different ecosystems and different players, different rules and different requirements. That lack of normalization and standardization is making things more complicated because processes and technologies have to be replicated from vertical market to vertical market.

SE: But it’s more than that, right? It’s a fragmented ecosystem, as well.

Schaeffer: Yes, and the complexity is exceeding the capabilities of most people to manage it. A great example is the Equifax hack. The CEO claimed one person didn’t do his job. That’s absurd. There was nobody cross-checking this person? And there were no other security mechanisms in place? And this is the CEO of a company whose job is to manage trust and security. That’s a big failure, and it’s happening across the spectrum. People either aren’t being held accountable, or they can’t understand that it’s so complicated.

Hayton: Understanding is a key part. We all say security is good, but people don’t know what they should do. And in an ecosystem that’s complicated, how do you know if the other guys are doing the right thing? There are plenty of people who are designing a product where security is not what they’re designing the product for. It’s just something they ought to be doing as a matter of course. If no one is holding them to account, and no one knows how to hold them to account because it’s their secret IP, how do you even know that’s the case?

Schaeffer: That’s true, and a good example is a TLS (Transport Layer Security) stack. People say they have a TLS stack, it has all the security, and you can trust the vendor. But the provisioning of the keys and the storage of the keys is outside the scope of what the TLS vendor is responsible for, and…