Alpesh Saraiya — Senior Director Product Management, Intrinsic ID
“A cynic is a man who knows the price of everything but the value of nothing.”
— Oscar Wilde (1854-1900), Irish poet and playwright —
That the Internet of Things represents great opportunity is not news. It is also well known that security is a growing concern for makers of IoT products, and that security is becoming costlier as the hacking world gains in size and expertise. Risk and liability are paramount concerns for business executives worldwide, and the increase in cyber-attacks contributes to concerns for damage to a company’s brand and reputation, higher insurance premiums and increases in regulatory burdens.
But security need not be looked at as a necessary evil. It can be used to business advantage – and can actually contribute to an improved financial picture. Let’s look at three ways investment in security contributes, to paraphrase Mr. Wilde, to an increase in a company’s value, not just higher costs.
Today: A Penny Saved, a Penny Earned
The increasing awareness of and market demand for security has resulted in OEMs of smart home products, wearables and other connected products scouring the market for a security solution that is both effective and cost-effective. As a result, semiconductor companies that deliver on both fronts can command higher prices for secure chips, sometimes marketed with separate SKUs for the distinguishing security capabilities they deliver.
For semiconductor makers, this essentially instant financial gain is courtesy of security based on internally generated keys, or what we call intrinsic keys, which reduce system BOM cost by eliminating additional hardware components for key storage. Examples of such components include one-time programmable (OTP) memory, or an external chip such as a secure element (SE) or trusted platform module (TPM).
One margin-driving advantage enjoyed by companies that deploy security via intrinsic keys derives from time to market. The ability to deploy security flexibly — that is, at any point in the supply chain — gives rise to new business opportunities. Deployment in the field of high-value features implemented at incremental chip cost enables chip makers, OEMs, and operators to monetize post-deployment upgrades, driving more profitable business models.
Tomorrow: Latent but Real Risks
Thinking longer term, business benefits from security are derived from risk management, including reducing the frequency and impact of breaches, protecting a company’s brand and revenue, and mitigating costs of breaches.
Some impacts of breaches are not recognized immediately but nevertheless have a real effect — and impose real costs — on a company. These include:
- Business interruption
- Crisis management
- Security and privacy investigation costs
- Regulatory defense costs
- Value of stolen IP
- Liability claims
- Fines and penalties
- Cyber extortion
All companies are subject to these costs. Altman Vilandrie & Company found that nearly half the companies surveyed in a recent study had experienced a breach in the last 2 years, with resulting damages in some cases exceeding $20 million from a single breach. Some companies recover over time; others are driven into oblivion.
The impact on public companies is readily quantified by observing changes in their stock prices. Examples of public companies victimized by breaches have become common in recent years. So have examples of executives, up to and including CEOs, whose professional standing has suffered in the wake of breaches that occurred on their watch. To the extent companies come to grips with these threats and take steps to invoke appropriate security, they contribute to enhanced shareholder value.
How to tackle this? Semiconductor makers can address the direct and indirect costs of breaches by adding strong security to chips used in IoT products. It has been shown that companies investing in IoT security experience fewer breaches. And when they do occur, the impact of those breaches is of a lesser magnitude.
Always: The Supply Chain
Efficient management of a supply chain is critical to any business at all times, but sound security practices incorporating intrinsic keys offer specific benefits. These stem from simplifying the supply chain by reducing the number of entities involved; allowing for easier provisioning logistics; enabling more flexible inventory management; and reducing the attack surface.
Key storage methods based on OTP memory involve programming keys using special equipment, which is typically done early in the supply chain by the semiconductor manufacturer or its distributor. By contrast, generating keys from within chips eliminates the need for externally sourced, OEM-specific keys that must be injected into connected products. This simplifies supply chain logistics and product portfolio planning and management.
Using intrinsic keys also substantially reduces the attack surface. It eliminates the need for the IoT device maker to procure and hand over root keys for its products to the semiconductor manufacturer, or to trust the manufacturer to create root keys. By not letting third parties handle keys, occasions where the keys are exposed are reduced.
Narrowing the number of entities involved similarly reduces the opportunities for bad actors to steal keys. Nobody can seize the root key since it is never stored in non-volatile memory.
The risk of IoT breach continues to increase, as does the business risk to companies deploying products for the IoT and the companies making the chips that power them. This very real business risk makes it incumbent on semiconductor makers to anticipate and head off the growing skill set of hackers but to do so in a way that their companies can see a real business advantage. But they need not fear. As we’ve seen, with the right security any company can have an optimistic view of its business future — there’s no need to play Mr. Wilde’s cynic.
Alpesh Saraiya is senior director product management at Intrinsic ID, and has served in senior product roles at some of the world’s top electronics companies. His experience managing secure, connected products includes leading the webOS Core for LG Electronics’ Smart TVs and other connected IoT applications such as smart home, smart car, wearables and mobile. He held senior marketing roles at Broadcom and C-Cube Microsystems, as well as R&D positions at IBM. Alpesh holds a Master of Science degree in Computer Engineering from Syracuse University and a Bachelor of Science degree in Electrical and Computer Engineering from the University of Tennessee, Knoxville.