With the ever-expanding landscape of the internet of things, we are now in an environment where every semiconductor and chip IP vendor is, or soon will be, launching their own “security” chip. No matter the type of IoT product, all security is moving deeper into hardware, and ultimately down to the silicon layer. In order to explain how we arrived here, it’s necessary to first take a look back.
GPC chips to ASICs
A good place to start is general-purpose computing chips (GPC chips). One of the biggest purveyors of GPC chips is Intel, followed by AMD. These chips exploded in popularity in the 1990s because they could do everything well; consequently, billions of them were sold. But over time, especially as products began shrinking in size during the last decade, gradually there was a shift towards application-specific integrated circuits (ASICs). (Make no mistake, Intel did, does and will continue to sell millions of general-purpose processors. However, its meteoric rise in the 1990s and 2000s has been tempered of late. IoT and small device forays have failed, for example, the Edison line.)
Better known as specialty chips, ASICs rose in popularity as companies realized they didn’t need very powerful GPCs, but rather only parts of them to perform basic tasks. As a result, these new smaller chips increasingly became more common. Then, as early IoT devices were introduced, device makers found these chips were ideal due to the smaller size, lower power consumption and lower cost, along with the fact that they could be produced at mass scale. ASICs fit the bill well.
This shift also led to the next phase of specialty semiconductors: power control chips by Infineon, graphics chips by NVidia, automotive chips by NXP and so on. Following that, companies saw that manufacturers were creating specialized chips geared towards security. Mobile was also growing steadily at this time, further pushing the need for smaller chips as phones gradually added more varied sensors and capabilities.
Secure silicon and the supply chain
The market has now reached a point where most mature and respected semiconductor companies want to have a security play. For example, Infineon makes Trusted Platform Modules while other companies, like Renesas, produce secure microcontroller units (MCUs). This is a fascinating evolution since we began with companies creating security software running on general-purpose chips, but then slowly started moving down the layers to companies selling secure MCUs capable of tasks such as key generation, secure key storage and boot verification. Originally, these security functions were relegated to software, but now the MCU is handling these natively through APIs.
Companies like Xilinx also have security capabilities within more advanced chips, field-programmable gate arrays, while STMicroelectronics is releasing products like its ST-Safe line.
What we are also now witnessing is increased interest in secure memory. Consequently, products like Micron’s Authenta are now going to be natively capable of various security capabilities, such as health monitoring, including previously mentioned functions such as secure key storage.
Thus, we have now reached the point where the industry is talking about secure silicon, a space where companies like Intrinsic-ID play a leading role. Silicon-rooted security will be used to anchor everything on top of it. As a result, you will be able to trust your silicon chip and move all way up to applications, as well as uniquely identify devices at the hardware level.
However, as with any important development, there are also inherent risks. In this case, it’s that all IoT security chip makers will need to take great pains to understand where they source their silicon from. Consequently, a trust chain – and, in this case, a trusted supply chain — will be critical to ensure authenticity.
Trust chains or anchors must be strong as well as neutral. Some trust anchors are hardware based while others are rooted in software.
Some of the device hacks we are seeing today could be avoided. Implementing strong security standards early on is important step to avert future attacks. It’s worth noting that companies don’t need to install expensive chips on every device. As long as they are doing what they can to secure their devices, it will make it that much harder for hackers to be successful. And with the new IoT Cybersecurity Improvement Act of 2017 taking shape, the reality is that compliance and regulation is not too far down the road. The smart thing to do is to stay ahead of the curve and build security into the product design.
PKI’s important role in the IoT security chip
A critical element to successful IoT security chips will be public key infrastructure (PKI). All IoT devices with these chips will require a strong identity, which will then be used for secure authentication. Devices will need to prove who they are and not something else. They will even generate their own identity and store it safely, courtesy of PKI. In addition, it is conceivable that every device will have a certificate to prove its trustworthiness. And that is the one of the biggest goals of the internet of things: to create a trustworthy global system of systems. In that world, the chances of unauthorized access will be greatly reduced.
The chip has come a long way in the last several decades. It has gone from being massively powerful but also power hungry, to gradually dwindling to miniature size and form. Now, as we enter the age of the IoT chip, billions of devices and machines will be connecting with one another. It may take several years, but hopefully over time most device-makers will ultimately choose a secured IoT chip, ensuring that only approved devices and systems are communicating with each other. By doing so, they will be taking a bold step to certify the security of their devices — and ensure a victory against attackers.
All IoT Agenda network contributors are responsible for the content and accuracy of their posts. Opinions are of the writers and do not necessarily convey the thoughts of IoT Agenda.