Haydy Povey, CEO of Secure Thingz, talks about IoT security product security, what customers are telling him, and how the awareness created by the World Economic Forum will impact how we look at and deploy embedded security.
Embedded security is one of the biggest challenges for IoT companies. It’s not only about preventing IoT products from being hacked, but about companies protecting their processes and safeguarding their intellectual property. Among the executives that we often talk to within the world of embedded security, Haydn Povey is one of those prominent advocates of IoT security. As CEO of Secure Thingz, an IAR Systems company, he has a deeper background that includes responsibility while previously at Arm for driving its security roadmap, and now also on the board of the IoT Security Foundation. In this interview, he explains some of the challenges around IoT product security, what customers are telling him, and how the awareness created by the involvement of the World Economic Forum will impact how we look at and deploy embedded security.
Nitin Dahad: From a security point of view, what are the challenges that you see for 2022?
Haydn Povey: Currently, we see three major challenges in the market. The first is consumer IoT legislation coming to bear, which puts the onus on manufacturers to make their products cyber-secure. This includes the U.K.’s Product Security and Telecommunications Infrastructure Bill, which supports fines of £10 million for security violations, and similar schemes coming up for the EU. Pressure is also coming from standards such as EN 303 645 from the European Telecommunications Standards Institute (ETSI) and the baseline recommendations from the European Union Agency for Cybersecurity (ENISA) which will have legal enforcement within the next 18 months. OEMs must implement security in their designs right now to meet the future cybersecurity requirements, given long component lead times and supply chain impacts.
The second challenge is about protecting end users, and system integrators, against malware injection, both to protect system behavior and to avoid vast trojan or distributed denial of service (DDoS) attacks such as we saw in the Mirai attack. OEMs have to make sure the products are safe in their use at the customer, and do not become an entry point for attacks, especially where remote updates are required in the field, often providing an Achilles Heel in systems design.
But it’s not only the end customer’s implementation which is at risk. The manufactures themselves need to implement IP security in the earliest stages of the supply chain – that’s the third big challenge we see:
the OECD estimates that the cost of cloning or counterfeit goods globally is $500 billion a year – the largest percentage of that by value is electronics. The EU estimates that there is a €60 billion a year impact based on IP theft alone, and that almost 300,000 European jobs are lost because of IP theft. OEMs need to ensure that their applications are built correctly, that in manufacturing their IP is not out in the open, how to provision and program devices uniquely – and how to use those at scale.
Nitin Dahad: But the increased security requirements don’t just apply to consumer electronics, right?
Haydn Povey: Absolutely, this also concerns applications in industrial, automotive, or medical electronics – anything which is connected to the internet and networks is at risk and needs to be protected from attacks. There’s a lot of machine-to-machine communication in industry 4.0 and each device in this complex system needs to be validated. The concept of “zero trust” is about authenticating and onboarding systems – a challenging task, which some companies try to solve with digital twins and cloud-based connectivity, but that requires a lot of software components.
Nitin Dahad: What are your customers telling you about their security challenges?
Haydn Povey: They have many questions. Where do we start with such a multifaceted problem? How do we protect our customers? How do we protect our intellectual property and our brand? However, they are ready to tackle them – but they lack cybersecurity experts! In fact, the industry needs 3.5 million engineers globally. But there are simply not enough. So, what we do is, we make security simple. We make it available for engineers who don’t have any security expertise, who just need to get their job done.
Nitin Dahad: Securing the supply chain seems to be a major challenge for many organizations. How do you address that?
Haydn Povey: Basically, we are trying to make things very simple with wizards and configuration boxes. A user simply needs to go through a few of steps, such as: do you want to have individual identities with formal cryptographic certificates? Do you want two or three levels of certificates? Are your update slots on the microcontroller or off-chip memory? You only have to tick a box or choose from a menu to set your requirements. We are trying to make this very easy for the engineers: by correctly choosing from options, customers can automatically generate a ready-to-run source code they can own, edit and integrate with their main application. The output of our wizard is something which we call the “secure boot manager” and the OEMs can leverage the component SESIP compliance we have achieved on the software to support formal product compliance.
Nitin Dahad: Recently you announced your active support for the Consumer IoT Security Statement of Support presented through the World Economic Forum’s Council of the Connected World. This statement talks about five key capabilities for setting a baseline for security, what are these?
Haydn Povey: These five key capabilities actually originates from the 13 best practices that we talk about in the IoT Security Foundation. These 13 are then reported through more than 100 standards, specifications and guidelines across the world. The legislation calls on three of them as mandatory and they sound very high level, but they have far-reaching consequences as these things always do. Number one: do not use universal default passwords. Two: implement a vulnerability disclosure policy, which means you have to tell your customers that your product has a fault, and you are ready to fix that with proper software versioning. Which is the third key capability: keep your software updated. In addition, there are two other capabilities related to securing data that are important – number four: secure communications; and five: ensure that personal data is secure.
Nitin Dahad: How can this statement within the World Economic Forum make a difference for organizations to cope with the growing security challenges worldwide?
Haydn Povey: I think it is critically important that the C suite executives – the CEO, the COO or the CSO – are fully aware of the consequences of the upcoming legislation. They have to be pulling it through, as do the politicians, because the legal requirements are going to have the same impact as GDPR did four years ago. The C suite have to take responsibility for the security of their products and the impact on their customers. They have to remember that they are going to be personally liable when things go wrong. The World Economic Forum is very powerful because it reaches out to the Fortune 500 and the politicians and tells them that they are now responsible for driving better behavior in their organizations. You have to plan for it, you have to fund it, then enable your engineering team to get your products meeting the security requirements. Security traditionally is seen as a cost, but it’s not – it is a fundamental business enabler.
Nitin Dahad: How does your company address the requirements of this statement?
Haydn Povey: The goal of our “Embedded Trust” secure development solution and our production hardware security module “Secure Deploy” is this: security made simple. And that’s what they do: simplifying security designs. In the same way as we don’t expect every engineer to redesign a TCP IP or TLS stack, we shouldn’t expect everybody to be experts in the fundamentals of security. Embedded Trust and Secure Deploy are just another solution there to support them in how to implement the specific security layers in a software through the product’s whole life cycle, how to implement that in volume production, and how to program and provision identities into every device uniquely.
Nitin Dahad: For volume production solutions, how do you cooperate with production equipment suppliers?
Haydn Povey: We’ve worked with a set of partners – for example System General, a global leader of device programming machines – who basically implement our Secure Deploy module in programming machines. With that you can program each chip securely with the right code and there’s nothing added or changed. At the same time each chip is provisioned with a truly unique certificate. And we can ensure that only the right number of devices are made at only the right machines to prevent counterfeiting and gray production. Any manufacturer can do this from anywhere in the world by creating a virtual private network (VPN) from their production management system to the devices being programmed. We also work with big distributors globally, and their programming partners like EPS Global and Hi-Lo Systems. Our common goal is a trusted supply chain, which is especially needed in automotive, industrial, and medical electronics.
Nitin Dahad: What we have discussed has mainly related to implementing security functions in new designs. But how about products that are already in use in the field – how can OEMs make those secure?
Haydn Povey: You are correct, we see that there is a huge number of companies who are challenged to add security to their applications, but they cannot justify starting over their development project to add security from the start. This is where Embedded Trust comes in: the latest version, version 2.0, of our security solution allows them to rapidly integrate security into their existing applications, no matter where they are in their lifecycle and what development tools they used to create their code.
Nitin Dahad: So, are we likely to see you soon at the World Economic Forum talking about IoT Security?
Haydn Povey: I feel very blessed that we have been invited by the World Economic Forum as embedded and security experts, also thanks to the fact that we are a founding member of the IoT Security Foundation. Currently we are doing some videos around security, so you can expect to hear more about our security concepts on World Economic Forum’s platform soon.
This article was originally published on Embedded.
Nitin Dahad is a correspondent for EE Times, EE Times Europe and also Editor-in-Chief of embedded.com. With 35 years in the electronics industry, he’s had many different roles: from engineer to journalist, and from entrepreneur to startup mentor and government advisor. He was part of the startup team that launched 32-bit microprocessor company ARC International in the US in the late 1990s and took it public, and co-founder of The Chilli, which influenced much of the tech startup scene in the early 2000s. He’s also worked with many of the big names—including National Semiconductor, GEC Plessey Semiconductors, Dialog Semiconductor and Marconi Instruments.