Tom Katsioulas
Board Chair, GSA TIES
Email: tomkat@gsaglobal.org

The GSA Trusted IoT Ecosystem for Security (TIES)

Version 1.2 - February 15, 2021


GSA TIES Executive Summary

Enable end-to-end value-creating interactions via open participatory ecosystem

*Source: ABI Research

SoC-enabled IoT services are projected to grow to $460 billion* by 2026

• Connected ecosystems are emerging in the value chain to enable monetization

• Lagging end-to-end secure & trusted infrastructure poses barriers to adoption

GSA can provide a platform for growing a secure value chain from chips inside

• 250+ members in semiconductors expanding to systems, software and applications

• TIES intends to be a collaborative ecosystem platform that enables higher value to all

Ecosystem IQ and value is maximized with diverse expertise from chip-to-edge

• Define use cases and business models starting from end-applications down to chips

• Leverage TIES collective IQ to educate and promote how to monetize IoT services


Smart-Connected Product Supplier Economics

*Source: Harvard Business Review

• No traceability or configurability

• High OPEX, low differentiation

Disconnected Supplier Hardware Products

Supply Chain & Field Use

• Better visibility on product field use

• Remote lifecycle management

• Reduced support costs and RMAs

• Lower OPEX, higher differentiation

• New IoT services business models

• Trust, security and safety issues

Smart Connected Supplier*

Product-as-a-Service Managed Hardware

Lifecycle Management

Edge Data & IoT Services

Field Use Analytics


Attacks Related to Supply Chain Issues

The roots of security issues lie in the structure of the electronics industry at large

Suppliers of fixed cost HW to rebranding companies have no incentive to add security

The Big Hack Supermicro

Uncovering an alleged malicious component insertion would require looking at the whole value chain, from design through manufacturing, and monitoring every step

Mirai botnet Xiongmai

*Supply Chain Implants: https://www.youtube.com/watch?v=C7H3V7tkxeA&feature=youtu.be


Security & Trust Issues - Complex System and Parts

Vast attack surface making it extremely difficult to track down intrusions & hacks

*Sources: Goldman Sachs, McKinsey, and others

End Customer Business Applications: Operations Maintenance | Asset Management | Factory Control

Device Management & Services: Configure | Update | Debug | Monitor

App Management & Services: Data | Analytics | Events | Reports

Critical Industrial Infrastructure & Automation Systems: PLCs | Control Systems | SCADA | Motion Control

Intelligent Gateways, Comms, Network Services: Fog | Edge Analytics | Mobile | Wireless | WAN/LAN

Sensors, Actuators, Edge Devices, Processing: HW | Embedded SW | Protocols | Agents | Local Apps

System, Protocol+

Data Integration+

Security Services

• Growing Attack Surface in Systems

• Intrusions May Impact Full Stack

• Costly to Identify Root Causes

• Limited Knowledge Base on Attacks

• Untraceable Chain of Liability

• Critical Infrastructure Threatened


Security & Trust Issues - Fragmented IoT Supply Chain

Complex supply chain makes it hard to trace & trust every component in a system

*Sources: Goldman Sachs, McKinsey, and others

Device OS+Apps: Apple, Google, Microsoft

Enterprise Integ: IBM, HP, Cisco, Accenture, PwC

IoT Platforms: Siemens, GE, ARM, Windriver

Connectivity: AT&T, Verizon, Vodafone

Vertical Sol.: ADT, ComcastP&E, DIRECTV

Applications & Services

Embedded Systems: Thales, Telit, Sierra Wireless

Smart Industrial: Schneider, GE, Siemens,

Connected Cars: Bosch, Delphi, Denso, Yazaki

Vertically Specialized Systems

Mil-Aero, Industrial, Automotive, Transportation, Homes, Cities, Health Care, Wearables

Connected Things

Comm ICs: Qualcomm, Broadcom

Processors: Intel, ARM, Qualcomm

MCUs & Analog: Renesas, STM, Microchip, NXP

Sensors: InvenSense, TI, Maxim

Storage: Micron, WD, Marvell, Hynix

Semiconductors & Components

Backbone (Routing/Optical): Cisco, Juniper, Alcatel, Google

Access (Cellular/Wi-Fi): Cisco, Ericsson, Nokia, Netgear

Security (Network, Edge): Equinix, Argus, Duo, …

Networking Infrastructure

• Multiple Verticals, Varied Profiles

• Several Actors in the Value Chain

• Disparate Rules Among Suppliers

• Untrusted Device Vulnerabilities

• Plethora of Technical Standards

• No Economic Incentive for Security


Trust in Complex IoT Systems & Supply Chains

Requirements | Design | Development | Commissioning | Operating | Decommissioning

Trusted Lifecycle - Each part of the system and value chain must be monitored to preserve trustworthiness

Operational User

System Builder

Component Builders

TRUST

Hardware | Software | IP | Service Suppliers

Components

Integrated System

Operational System

OEM (In House) | 3rd Party | Solution Provider

System Owner | Operator | Service Provider

Requirements

Deployment

Trust Flow - Starts top-down, evolves bottom-up

*Source: www.iiconsortium.org Internet of Things Volume G4: Security Framework

Permeation of Trust - Assurance & Credentials

Operational User

System Builders

Component Builders

Spec

Spec

Part

System

TRUST in System

TRUST in Component

Standards Regulations

ECU


• The electronics value chain is serial. Value creation is incremental to cover cost and field failures

• Failures due to vulnerabilities* being discovered after field deployment increase costs and risks

• Economic value for IoT Services can be realized at the end customer with a “shift left” approach

• Start from end-application use cases to evolve “secure-by-design” hardware & software

Value Creation in the Electronics Supply Chain

*Reimagining Fabs – Advanced Analytics in Semiconductor Manufacturing, McKinsey & Company 2017

Product Delivery Cost

Cost & Risk of Failure

IC Design NPI Ramp Manufacturing System Test Field Use Recycling Assembly & Test

50% Increase in test and verification

12-18 months of interactive debugging

85-95% yield and 80-90% utilization

30% of capital costs relate to testing

No end-to-end traceability at the device level

No feedback loop at end of life

Functional Safety and Security

Ecosystem IQ is needed to enable trusted solutions for high value IoT services

* Quality and Security vulnerabilities should be considered up-front during hardware design


Principles of Evolving Complex Ecosystems

IoT Solution Ecosystem

*Source: IDC European IoT Security Why the IoT Supply Chain of Trust Matters

*Source: IBM Institute of Business Value - The new age of ecosystems

Built-in Security

Partner Trust

Cost vs. Value

Requires

Who pays for end-to-end solutions and how can participants share the gain?


TIES Collaborative Ecosystem Platform


GSA TIES Operating Model Highlights*

• Motivation: Promote secure solutions that accelerate adoption of IoT

• Focus: Collaborate on use cases that enable high value IoT services

• Objective: Evolve connected end-to-end solutions across domains

• Benefits: Reduce costs and risks while delivering higher value offerings

• Sharing: Provide use cases and guidelines that promote best practices

• Openness: Allow parties to participate and add value in a consistent way

• Interactions: Amplify value-add through ecosystem network effects

• Governance: Minimize conflicts while promoting growth of Ecosystem IQ

*Refer to Exhibit A of the Joint Stakeholder Agreement (JSA)

Business Interests

Scalable Platform


Evolving a Scalable Operating Model

Content Categories

Hardware Design & Product

Trusted Supply Chain

Vulnerability & Trust Metrics

Embedded System Security

Security Infrastructure

Edge, ML/AI Applications

Trusted Digital Twins

New XaaS Business Models

Content Type

White Paper

Presentation

Webinars

PoC Demonstrator

Use Case Examples

Solution Advertorials

Best Practices Guides

Industry Guidelines

• GSA Bylaws

• TIES Governance

• SWG* Process

• Platform Concept

*SWG - Solutions Working Group focusing on end-to-end use cases

Proposal Outline

Executive Summary

Industry Problem

Use Case Examples

Proposed Solution

Beneficiaries

Value Proposition

Industry Guidelines

Recommended Team


Participatory Platform - How Ecosystem IQ Grows

Company Participation

• SWGs define use cases and promote solutions

• Published content is open for add-on feedback

• New members can broaden & enhance solutions

Industry & Business Feedback

Add Solution Components and Members

Liaison Organization Feedback

Liaison Participation

• SWGs describe use case requirements and gaps

• Liaison parties develop standards & best practices

• TIES promotes best practices to the ecosystem

*Example of standards organizations involved in end-to-end security & supply chain traceability

Standards and Best Practices

Define End-to-End Use Case

List Solution Components

Describe Solution & Value

Promote Solution Benefits


Supply Chain Traceability Standards

Trusted systems internal protocol | Chip Authentication Protocol | Authentication Access Protocol | Provenance & Traceability Link

Trusted Devices & Apps

Component Group Traceability | System Group Traceability | Logistics Group Traceability | End Application Traceability

Component Provenance & Traceability Distributed Storage Layer (Consortium)

Trusted Private Component Data

Trusted Private Logistics Data

Trusted Private Assembly Data

Trusted Private OEM Data

Internal External Internal External

Data Exchange Network – Secure Data Access and Transfer

*Courtesy of SEMI & IPC


The GSA TIES Value Proposition

Economic Value

Chip suppliers | OEMs/ODMs | App/Service Providers

• Reduce SKU & Production Cost

• Track/Provision SKUs in Field

• Prevent IP Theft and Clones

Enroll - Track - Provision

• Enable RoT Based Services/Apps

• Authenticate Device, not User

• Secure Content and Payments

Protect Users, Apps, & Data

• Automate Device Onboarding

• Track/Update Devices in Field

• Enable Remote Debug & PLM

Track - Provision - Certify

IoT Services

Enablement | Increase End-to-end Solution Value | Traceability | Reduce Barriers & Risk of Failures | Ecosystem IQ

$$$$