Tom Katsioulas
Board Chair of the GSA TIES
Head of TrustChain at Mentor-Siemens
Email: [email protected]: [email protected]
The GSA Trusted IoT Ecosystem for Security (TIES)
IoT Smart-Connected Product Supplier Economics
*Source: Harvard Business Review
• No traceability or configurability
• High OPEX, low differentiation
Old Supplier Product Portfolio
Supply Chain & Field Use
• Better visibility on product field use
• Remote lifecycle management
• Reduced support costs and RMAs
• Lower OPEX, higher differentiation
• New services and business models
• Trust, security and safety issues
Smart Connected Supplier*
Product-as-a-Service Managed Portfolio
Field Usage Analytics
Managed Device Lifecycle
Attacks Traced to Supply Chain Issues
The roots of security issues lie in the structure of the electronics industry at large
HW + SW from XiongMai exploited to create the massive Mirai botnet
The Big Hack Supermicro
Bloomberg animation showing the alleged malicious component in the Supermicro server motherboards positioned between the SOIC-16 SPI flash chip and the BMC.
Mirai botnet Xiongmai
*Supply Chain Implants: https://www.youtube.com/watch?v=C7H3V7tkxeA&feature=youtu.be
Security & Trust Issues - Complex System & Parts
Vast attack surface making it extremely difficult to track down intrusions & hacks
*Sources: Goldman Sachs, McKinsey, and others
End Customer Business Applications: Operations Maintenance | Asset Management | Factory Control
Device Management & Services: Configure | Update | Debug | Monitor
App Management & Services: Data | Analytics | Events | Reports
Critical Industrial Infrastructure & Automation Systems: PLCs | Control Systems | SCADA | Motion Control
Intelligent Gateways, Comms, Network Services: Fog | Edge Analytics | Mobile | Wireless | WAN/LAN
Sensors, Actuators, Edge Devices, Processing: HW | Embedded SW | Protocols | Agents | Local Apps
System, Protocol+
Data Integration+
Security Services
• Growing Attack Surface in Systems
• Breaches Impact All Parts of the Stack
• Costly to Identify Root Causes
• Limited Knowledge Base on Attacks
• Untraceable Chain of Liability
• Critical Infrastructure Threatened
Security & Trust Issues - Fragmented IoT Supply Chain
Complex supply chain makes it hard to trace & trust every component in a system
*Sources: Goldman Sachs, McKinsey, and others
Device OS+Apps: Apple, Google, Microsoft
Enterprise Integ: IBM, HP, Cisco, Accenture, PwC
IoT Platforms: Siemens, GE, ARM, Wind River
Connectivity: AT&T, Verizon, Vodafone
Vertical Sol.: ADT, Comcast, P&E, DIRECTV
Applications & Services
Embedded Systems: Thales, Telit, Sierra Wireless
Smart Industrial: Schneider, GE, Siemens
Connected Cars: Bosch, Delphi, Denso, Yazaki
Vertically Specialized Systems
Wearables, Homes, Cities, Industrial, Automotive, Transportation, Health Care
Connected Things
Comm ICs: Qualcomm, Broadcom
Processors: Intel, ARM, Qualcomm
MCUs & Analog: Renesas, STM, Microchip, NXP
Sensors: InvenSense, TI, Maxim
Storage: Micron, WD, Marvell, Hynix
Semiconductors & Components
Backbone (Routing/Optical): Cisco, Juniper, Alcatel, Google
Access (Cellular/Wi-Fi): Cisco, Ericsson, Nokia, Netgear
Security (Network, Edge): Equinix, Argus, Duo, …
Networking Infrastructure
• Multiple Verticals, Varied Profiles
• Several Actors in the Value Chain
• Disparate Rules Among Suppliers
• Untrusted Device Vulnerabilities
• Rebranded Low Cost Hardware
• No Economic Incentive for Security
Trust in Complex IoT Systems & Supply Chains
Requirements Design Development Commissioning Operating Decommissioning
Trusted Lifecycle - Each part of the system and value chain must be monitored to preserve trustworthiness
Operational User
System Builder
Component Builders
TRUST
Hardware | Software | IP | Service Suppliers
Components
Integrated System
Operational System
OEM (In House) | 3rd Party | Solution Provider
System Owner | Operator | Service Provider
Requirements
Deployment
Trust Flow - Starts top-down, evolves bottom-up
*Source: www.iiconsortium.org Internet of Things Volume G4: Security Framework
Permeation of Trust - Assurance & Credentials
Operational User
System Builders
Component Builders
Spec
Spec
Part
System
TRUST in System
TRUST in Component
Standards Regulations
ECU
• The electronics value chain is sequential. Value creation is incremental to cover cost and failures
• Failures due to quality or security occur after the product is delivered, adding cost and liability
• Since value capture is additive & sequential, hacks and vulnerabilities are discovered too late
*Reimagining Fabs – Advanced Analytics in Semiconductor Manufacturing, McKinsey & Company 2017
Value Creation in the Electronics Supply Chain
Product Delivery Cost
Cost & Risk of Failure
IC Design NPI Ramp Manufacturing System Test Field Use Recycling Assembly & Test
50% Increase in test and verification
12-18 months of interactive debugging
85-95% yield and 80-90% utilization
30% of capital costs relate to testing
No end-to-end traceability at the device level
No feedback loop at end of life
Functional Safety and Security
A more dynamic ecosystem collaboration is essential to increase value and trust
Value Creation & Accountability in Complex Ecosystems
Built-in Security
Partner Trust
Cost vs. Value
IoT Partner Ecosystem
*Source: IDC European IoT Security - Why the IoT Supply Chain of Trust Matters
*Source: IBM Institute of Business Value - The new age of ecosystems
Requires
Who pays for security and how do partners make money on end-to-end solutions?
Digital Transformation
The GSA Trusted IoT Ecosystem - Security Solutions
Delivery
Regulatory Agencies
Industry Associations
Standards Bodies
Semiconductors: EDA, IP, IC, Foundries, OSATs
Devices & Systems: ODMs, Systems, OEMs, EMS
IoT Applications: CSPs, IT, PLM, Apps, Operators
250+ Members
ML AI
Organizations
Digital Twins
Edge Apps
Keys Certs Config
Security - Digital Assets (Product Design)
Trust - Physical Assets (Manufacturing)
PCB ID Device ID Chip ID User ID
IoT Attack Surface
GSA IoT Trusted Ecosystem Proposal*
• Motivation: Vast attack surface requires cross-domain ecosystem collaboration
• WG Focus: Collaboration and promotion of end-to-end solutions (scope varies)
• Objective: Solutions accelerate adoption and growth of members’ offerings
• Benefits: Members develop a competitive advantage and capture higher value
• Collaboration: Focus on addressing end-to-end business use cases across domains
• Consortia: Provide use case specs to standards bodies and promote best practices
• Partnerships: Out of scope, but promotion of partnership results is highly desirable
• Crowdsourcing: Encourage network effects and dynamic collaboration exchange
*Refer to Exhibit A Subject Matter Proposal – Security Solutions Group
Scalable Operating Model
Content Categories
Hardware Design & Product
Trusted Supply Chain
Vulnerability & Trust Metrics
Embedded System Security
Security Infrastructure
Edge, ML/AI Applications
Trusted Digital Twins
New XaaS Business Models
Content Type
White Paper
Presentation
Webinars
PoC Demonstrator
Use Case Examples
Solution Advertorials
Best Practices Guides
Industry Guidelines
Proposal Outline
Executive Summary
Industry Problem
Use Case Examples
Proposed Solution
Beneficiaries
Value Proposition
Industry Guidelines
Recommended Team
• GSA Bylaws
• Board Governance
• SWG Team Process
• Network Effects
*SWG – Sub Working Group focusing on a specific solution topic
The GSA TIES Value Proposition
Value Chain
Chip suppliers OEMs/ODMs App/Service Providers
• Reduce SKU & Production Cost
• Track/Provision SKUs in Field
• Prevent IP Theft and Clones
Enroll - Track - Provision
• Enable RoT Based Services/Apps
• Authenticate Device, not User
• Secure Content and Payments
Safeguard Users, Apps, Data
• Automate Device Onboarding
• Track/Update Devices in Field
• Enable Remote Debug & PLM
Track - Provision - Certify
Services & Apps
Configurability Secure Provisioning & Late Binding
Traceability Detection of Supply Chain Attacks Infrastructure
GSA Ecosystem
GSA Board meeting - May 2019
$$$$