With billions of devices connected to cloud applications and services, secure programming and provisioning of integrated circuits form the foundation for protecting chips. The journey to understand the security challenges related to IC programming and provisioning begins with some definitions. The devices we will talk about here are mostly microcontrollers (MCUs) or application-specific integrated circuits (ASICs), but they may also be field-programmable gate arrays (FPGAs) or memory chips.
Definitions
- Programming means loading software code onto the devices, often into flash memory. The larger the program, the longer it takes to do this, so programming at scale—perhaps thousands of devices at a time—requires sophisticated equipment and processes.
As devices have become smaller and more complex, they have become harder to physically handle. More advanced and expensive equipment has been needed to program them in volume. And as volumes increase, so do reliability and security concerns.
It’s one thing to have a programming error on a few chips. But errors in thousands of devices, particularly those that are one-time–programmable, can be immensely expensive. And if the end product is a defibrillator, even one programming error is one too many.
- Provisioning means providing devices with the credentials and functionality to execute programs within a secure ecosystem, i.e., one in which devices and servers can authenticate one another and an attacker cannot impersonate, clone or tamper with them. IoT applications are driving the demand for secure provisioning.
Each device needs a unique identity and one or more cryptographic keys. In practice the identity is a device-unique key pair together with a certificate that binds the public key to the device's serial number, signed by the manufacturer's certificate authority (CA). The private key is generated from high-entropy random numbers, and key and certificate together form the root of trust for the device. Within a public key infrastructure (PKI), these keys let a device prove who it is and set up encrypted communications, most commonly between devices and servers.
The servers can be on-premises or in the cloud. The CA signing keys that issue device certificates, and the random numbers used during key generation, are normally managed and protected by a hardware security module (HSM): a tamper-resistant device with its own true random-number generator that performs cryptographic operations internally and never releases private keys in plaintext.
What’s the difference?
A significant difference between programming and provisioning is that in programming, designers assemble all code and then “push” it to the device in one shot. In provisioning, the programmer and the device have a conversation, and sometimes that conversation includes a third party such as a certificate authority. The device and the programmer work together to create and inject the required credentials so that each device can be individually identified. The strongest form of this is for the device to generate its own private key and hand out only a certificate signing request, so the private key never exists outside the chip. Whichever way the credentials are created, they must be deployed so that they cannot be read, altered, cloned or otherwise interfered with.
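The exchange described above, as an added example that is not part of the original article: the device generates its key pair on-chip and sends only a certificate signing request (CSR), the station's CA checks the request and signs a certificate, and a server later verifies the chain back to the CA root. It uses only Go's standard crypto/x509 library. The CA name, the "SN-…" unit serials and the choice of P-256 are this example's own assumptions, and the CA key is held in memory purely so the code runs stand-alone; on a real line it stays inside the HSM, which only signs.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Issuer is the provisioning station plus the device CA. ASSUMPTION, so the example
// runs stand-alone: the CA key is in memory; on a real line it stays inside an HSM.
type Issuer struct {
	Key  *ecdsa.PrivateKey
	Cert *x509.Certificate
}

// serial draws a non-zero 127-bit certificate serial from the CSPRNG.
func serial() *big.Int {
	n, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 127))
	if err != nil {
		panic(err) // a failing kernel CSPRNG is not recoverable here
	}
	return n.Add(n, big.NewInt(1))
}

// NewIssuer creates a self-signed device CA (hypothetical name).
func NewIssuer() (*Issuer, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: serial(), Subject: pkix.Name{CommonName: "Example Device CA"},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().AddDate(20, 0, 0),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return &Issuer{Key: key, Cert: cert}, err
}

// DeviceRequest is the device's side: generate the key pair on-chip and sign a
// request naming the unit's serial. The private key never leaves the device.
func DeviceRequest(unit string) (*ecdsa.PrivateKey, []byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.CertificateRequest{Subject: pkix.Name{CommonName: unit}}
	csr, err := x509.CreateCertificateRequest(rand.Reader, tmpl, key)
	return key, csr, err
}

// Issue is the CA's side: check proof of possession (the CSR signature), check
// that the requested name is the unit the station expects, then sign a
// client-authentication certificate with the CA key.
func (i *Issuer) Issue(csrDER []byte, expectedUnit string) ([]byte, error) {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil {
		return nil, err
	}
	if err := csr.CheckSignature(); err != nil {
		return nil, fmt.Errorf("proof of possession failed: %w", err)
	}
	if csr.Subject.CommonName != expectedUnit {
		return nil, fmt.Errorf("CSR names %q, station expected %q", csr.Subject.CommonName, expectedUnit)
	}
	tmpl := &x509.Certificate{
		SerialNumber: serial(), Subject: csr.Subject,
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().AddDate(10, 0, 0),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	return x509.CreateCertificate(rand.Reader, tmpl, i.Cert, csr.PublicKey, i.Key)
}

// VerifyDevice is what a server does later: chain the presented certificate to
// the device CA root and read the unit identity from it.
func VerifyDevice(certDER []byte, root *x509.Certificate) (string, error) {
	cert, err := x509.ParseCertificate(certDER)
	if err != nil {
		return "", err
	}
	pool := x509.NewCertPool()
	pool.AddCert(root)
	opts := x509.VerifyOptions{Roots: pool, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := cert.Verify(opts); err != nil {
		return "", err
	}
	return cert.Subject.CommonName, nil
}
```

The full conversation for one unit is NewIssuer (once per line), then DeviceRequest, Issue and VerifyDevice. Two checks on the CA side are what keep the "conversation" honest: CheckSignature rejects a request that was not signed by the holder of the private key, and the name comparison stops a station (or a compromised one) from issuing a certificate for a serial it was not handed. Before storing the certificate, the device should also confirm that the public key inside it equals its own; a certificate from a different CA will then fail VerifyDevice against this root.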
In both programming and provisioning, security is a growing concern. The human element comes into play, so training is vital, as are well-documented processes that provide device traceability and proof of origin. However good the technology, ensuring that someone cannot corrupt programs or device credentials is a prime consideration.
Why device security is no longer optional
Security failures are commonplace and have been widely reported in recent years. IoT networks with thousands of sensors at their edge offer a large attack surface for malicious actors—some of whom are financially motivated, others politically so. This blog post from Conosco outlines the scale of the problem and describes four real-world examples. Standards and legislation for IoT security are evolving. NIST is running a Cybersecurity for IoT Program. Its goal is “to cultivate trust in the IoT and foster an environment that enables innovation on a global scale through standards, guidance and related tools.”
Crucially, legislation is increasingly placing the responsibility for IoT security on the shoulders of C-suite executives within organizations that deploy and manage IoT networks.
A common thread throughout discussions about IoT device security is that it needs to have its foundation in hardware and be considered at the outset of system design. It cannot be effectively implemented as an add-on or an afterthought. Early consideration is an essential requirement in achieving cost-effective secure provisioning, too. Without secure provisioning, there is no device security. Without device security, there is no network security.
What’s needed for secure provisioning of semiconductor devices?
- A trusted supply chain to provide end-to-end chain of custody for the device and guarantee its authenticity
- A secure facility to prevent unauthorized access to equipment and devices
- An HSM to generate keys from a high-entropy random-number source (entropy being the degree of unpredictability) and to protect the CA signing keys used to issue device certificates
- A secure and well-documented process to provide traceability back to the source of each device (the earlier designers define this, the lower the final costs of provisioning)
- A robust recruitment process to prevent access by anyone with malign intent
- Hardware and software integration expertise
- Cryptographic expertise to ensure effective integration of the PKI
- Continuous training to maintain an effective security process as devices and application requirements evolve
Secure provisioning is not simple, and it’s not inexpensive. This is particularly true if the resources deployed for provisioning cannot be fully utilized.
Should semiconductor device provisioning be done in-house or outsourced?
This decision requires a cost-benefit analysis based on the requirements set out earlier, the type and volume of devices and how frequently the work is needed.
At first glance, it may seem more economical and more secure to provision devices in-house, keeping full control of the process. However, this assumes that the substantial resources required—outlined above—are utilized most of the time, that engineers skilled in all the necessary disciplines are readily available with contingency plans for absences and that the resources deployed are both agile and scalable.
Designers should also consider capital costs. HSMs can cost $20,000 or more, although they are increasingly available as a cloud service from various providers for about $1,000 per month. Physical infrastructure costs, such as buildings, are not so easily amortized.
While obtaining the HSM is simple enough, properly configuring, implementing and safeguarding it is another story. For many OEMs, the preferred option is to work with experienced partners that can guarantee the required level of resources, both human and technological, and properly apply that expertise and experience to maximize productivity and minimize costs, deliver scalability and eliminate concerns about resource utilization.
Some silicon devices can also derive a device-unique secret from within their own fabric, using a physical unclonable function (PUF) that measures manufacturing variation in the silicon. Provisioning may then include loading firmware that reconstructs a key from the PUF response at each boot, together with public "helper data" that corrects the small number of bit errors a PUF shows from one reading to the next. This removes the need to inject a secret into the chip, although an HSM is still needed on the issuer's side to protect the CA keys that sign the device's certificate. Devices with integral PUF support include secure MCUs from NXP and FPGAs from Intel and Xilinx. In addition, Macronix offers nonvolatile memory with integral PUF technology.
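Why PUF-based provisioning needs that firmware and helper data, as an added example that is not part of the original article or any vendor's implementation: a PUF response is stable enough to identify the chip but noisy enough that it cannot be used as a key directly. At enrollment the line draws a fresh key, hides it under the PUF response and stores only the result (the helper data) plus a hash of the key; at every boot the firmware reads the PUF again, strips the helper data and corrects the residual noise. The PUF here is simulated as a random bit string plus deliberate bit flips, a simple repetition code stands in for the BCH codes used in practice, and all names and parameters (KeyBytes, Repeat, Helper) are this example's own.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// ASSUMPTIONS of this stand-alone example: the PUF is simulated, and a
// repetition code replaces the stronger error-correcting codes real fuzzy
// extractors use. A block of Repeat bits corrects up to Repeat/2 flips.
const (
	KeyBytes = 16                    // 128-bit device secret
	Repeat   = 7                     // PUF bits per key bit; odd, so a majority is unambiguous
	CodeBits = KeyBytes * 8 * Repeat // PUF bits consumed (896)
)

// Helper is the public data written to flash at enrollment. Mask reveals
// nothing about the key as long as the PUF response bits are unpredictable;
// Check lets the firmware notice a reconstruction that went wrong.
type Helper struct {
	Mask  []byte
	Check [32]byte
}

func bit(b []byte, i int) byte { return (b[i/8] >> (i % 8)) & 1 }

func setBit(b []byte, i int, v byte) {
	if v == 1 {
		b[i/8] |= 1 << (i % 8)
	} else {
		b[i/8] &^= 1 << (i % 8)
	}
}

// RandomResponse stands in for a real PUF read at enrollment (constructed input).
func RandomResponse() ([]byte, error) {
	r := make([]byte, CodeBits/8)
	_, err := rand.Read(r)
	return r, err
}

// Enroll runs once, on the provisioning line. Mask bit i is the PUF response
// bit i XORed with key bit i/Repeat, i.e. the response XOR the repetition codeword.
func Enroll(response []byte) ([]byte, Helper, error) {
	if len(response)*8 < CodeBits {
		return nil, Helper{}, errors.New("PUF response too short")
	}
	key := make([]byte, KeyBytes)
	if _, err := rand.Read(key); err != nil {
		return nil, Helper{}, err
	}
	mask := make([]byte, CodeBits/8)
	for i := 0; i < CodeBits; i++ {
		setBit(mask, i, bit(response, i)^bit(key, i/Repeat))
	}
	return key, Helper{Mask: mask, Check: sha256.Sum256(key)}, nil
}

// Reconstruct runs in firmware at every boot. noisy XOR mask gives the key bit
// XOR the noise bit for each position, so a majority vote over each block of
// Repeat positions recovers the key bit unless more than Repeat/2 bits flipped.
func Reconstruct(noisy []byte, h Helper) ([]byte, error) {
	if len(noisy)*8 < CodeBits || len(h.Mask)*8 < CodeBits {
		return nil, errors.New("PUF response or helper data too short")
	}
	key := make([]byte, KeyBytes)
	for k := 0; k < KeyBytes*8; k++ {
		ones := 0
		for j := 0; j < Repeat; j++ {
			i := k*Repeat + j
			ones += int(bit(noisy, i) ^ bit(h.Mask, i))
		}
		if ones > Repeat/2 {
			setBit(key, k, 1)
		}
	}
	if sha256.Sum256(key) != h.Check {
		return nil, errors.New("PUF noise exceeded the code's correction capacity")
	}
	return key, nil
}

// Flip returns a copy of response with the given bit positions inverted,
// simulating the noise between two PUF readings.
func Flip(response []byte, positions []int) []byte {
	out := append([]byte(nil), response...)
	for _, p := range positions {
		out[p/8] ^= 1 << (p % 8)
	}
	return out
}
```

Two properties matter for a provisioning line. First, the secret never has to be injected: only Mask and Check are written, and both can sit in plain flash. Second, the failure mode is detectable rather than silent: a reading with more flips per block than the code can correct produces a key that fails the Check comparison, and the firmware can refuse to boot or re-read the PUF instead of using a wrong key. Real deployments use BCH or similar codes sized to the measured bit-error rate of the specific silicon, and derive the working key from the reconstructed secret with a KDF rather than using it raw.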
A further option is to use secure elements alongside the ICs that perform the main system functions. Secure elements are chips with their own operating system designed primarily for secure storage and management of cryptographic keys. They typically have limited ability to run other applications and they still need to be provisioned. Secure elements include Infineon’s OPTIGA family, STMicroelectronics’ STSAFE authentication series, NXP’s EdgeLock family, Microchip’s TrustFLEX devices and the TO136 from Idemia and Trusted Objects.
With all of these options, it’s essential to have a trusted partner with the expertise and proven track record to meet your requirements. At Avnet, we’ve provided programming and provisioning services to OEMs for a wide range of applications, including EV charging stations, connected medical devices, shipping container tracking systems, connected fitness equipment, connected home heating systems, e-bike trackers, industrial printer accessory authentication, fleet management and industrial gas sensors and surveillance systems.
By EETimes