Tom Katsioulas, Board Chair, GSA TIES
Email: [email protected]
The GSA Trusted IoT Ecosystem for Security (TIES)
Version 1.2 - February 15, 2021
GSA TIES Executive Summary
Enable end-to-end value-creating interactions via open participatory ecosystem
*Source: ABI Research
SoC-enabled IoT services are projected to grow to $460 billion* by 2026
• Connected ecosystems are emerging in the value chain to enable monetization
• Lagging end-to-end secure & trusted infrastructure poses barriers to adoption
GSA can provide a platform for growing a secure value chain from chips inside
• 250+ members in semiconductors expanding to systems, software and applications
• TIES intends to be a collaborative ecosystem platform that enables higher value to all
Ecosystem IQ and value is maximized with diverse expertise from chip-to-edge
• Define use cases and business models starting from end-applications down to chips
• Leverage TIES collective IQ to educate and promote how to monetize IoT services
Smart-Connected Product Supplier Economics
*Source: Harvard Business Review
Disconnected Supplier
Hardware Products | Supply Chain & Field Use
• No traceability or configurability
• High OPEX, low differentiation
Smart Connected Supplier*
Product-as-a-Service Managed Hardware | Lifecycle Management
Edge Data & IoT Services | Field Use Analytics
• Better visibility on product field use
• Remote lifecycle management
• Reduced support costs and RMAs
• Lower OPEX, higher differentiation
• New IoT services business models
• Trust, security and safety issues
Attacks Related to Supply Chain Issues
The roots of security issues lie in the structure of the electronics industry at large
Suppliers of fixed cost HW to rebranding companies have no incentive to add security
The Big Hack Supermicro
Uncovering an alleged malicious component insertion would require looking at the whole value chain, from design through manufacturing, and monitoring every step
Mirai botnet Xiongmai
*Supply Chain Implants: https://www.youtube.com/watch?v=C7H3V7tkxeA&feature=youtu.be
Security & Trust Issues - Complex System and Parts
Vast attack surface making it extremely difficult to track down intrusions & hacks
*Sources: Goldman Sachs, McKinsey, and others
End Customer Business Applications: Operations Maintenance | Asset Management | Factory Control
Device Management & Services: Configure | Update | Debug | Monitor
App Management & Services: Data | Analytics | Events | Reports
Critical Industrial Infrastructure & Automation Systems: PLCs | Control Systems | SCADA | Motion Control
Intelligent Gateways, Comms, Network Services: Fog | Edge Analytics | Mobile | Wireless | WAN/LAN
Sensors, Actuators, Edge Devices, Processing: HW | Embedded SW | Protocols | Agents | Local Apps
System, Protocol+
Data Integration+
Security Services
• Growing Attack Surface in Systems
• Intrusions May Impact Full Stack
• Costly to Identify Root Causes
• Limited Knowledge Base on Attacks
• Untraceable Chain of Liability
• Critical Infrastructure Threatened
Security & Trust Issues - Fragmented IoT Supply Chain
Complex supply chain makes it hard to trace & trust every component in a system
*Sources: Goldman Sachs, McKinsey, and others
Device OS+Apps: Apple, Google, Microsoft
Enterprise Integ: IBM, HP, Cisco, Accenture, PwC
IoT Platforms: Siemens, GE, ARM, Windriver
Connectivity: AT&T, Verizon, Vodafone
Vertical Sol.: ADT, Comcast P&E, DIRECTV
Applications & Services
Embedded Systems: Thales, Telit, Sierra Wireless
Smart Industrial: Schneider, GE, Siemens
Connected Cars: Bosch, Delphi, Denso, Yazaki
Vertically Specialized Systems
Mil-Aero, Industrial, Automotive, Transportation, Homes, Cities, Health Care, Wearables
Connected Things
Comm ICs: Qualcomm, Broadcom
Processors: Intel, ARM, Qualcomm
MCUs & Analog: Renesas, STM, Microchip, NXP
Sensors: InvenSense, TI, Maxim
Storage: Micron, WD, Marvell, Hynix
Semiconductors & Components
Backbone (Routing/Optical): Cisco, Juniper, Alcatel, Google
Access (Cellular/Wi-Fi): Cisco, Ericsson, Nokia, Netgear
Security (Network, Edge): Equinix, Argus, Duo, …
Networking Infrastructure
• Multiple Verticals, Varied Profiles
• Several Actors in the Value Chain
• Disparate Rules Among Suppliers
• Untrusted Device Vulnerabilities
• Plethora of Technical Standards
• No Economic Incentive for Security
Trust in Complex IoT Systems & Supply Chains
Requirements Design Development Commissioning Operating Decommissioning
Trusted Lifecycle - Each part of the system and value chain must be monitored to preserve trustworthiness
Operational User
System Builder
Component Builders
TRUST
Hardware | Software | IP | Service Suppliers
Components
Integrated System
Operational System
OEM (In House) | 3rd Party | Solution Provider
System Owner | Operator | Service Provider
Requirements
Deployment
Trust Flow - Starts top-down, evolves bottom-up
*Source: www.iiconsortium.org Internet of Things Volume G4: Security Framework
Permeation of Trust - Assurance & Credentials
[Figure labels: Operational User | System Builders | Component Builders | Spec | Part | System | TRUST in System | TRUST in Component | Standards | Regulations | ECU]
• The electronics value chain is serial. Value creation is incremental to cover cost and field failures
• Failures due to vulnerabilities* being discovered after field deployment increase costs and risks
• Economic value for IoT Services can be realized at the end customer with a “shift left” approach
• Start from end-application use cases to evolve “secure-by-design” hardware & software
Value Creation in the Electronics Supply Chain
*Reimagining Fabs – Advanced Analytics in Semiconductor Manufacturing, McKinsey & Company 2017
Product Delivery Cost
Cost & Risk of Failure
IC Design NPI Ramp Manufacturing System Test Field Use Recycling Assembly & Test
50% Increase in test and verification
12-18 months of interactive debugging
85-95% yield and 80-90% utilization
30% of capital costs relate to testing
No end-to-end traceability at the device level
No feedback loop at end of life
Functional Safety and Security
Ecosystem IQ is needed to enable trusted solutions for high value IoT services
*Quality and security vulnerabilities should be considered up-front during hardware design
Principles of Evolving Complex Ecosystems
IoT Solution Ecosystem
*Source: IDC European IoT Security - Why the IoT Supply Chain of Trust Matters
*Source: IBM Institute of Business Value - The new age of ecosystems
Built-in Security
Partner Trust
Cost vs. Value
Requires
Who pays for end-to-end solutions and how can participants share the gain?
TIES Collaborative Ecosystem Platform
GSA TIES Operating Model Highlights*
• Motivation: Promote secure solutions that accelerate adoption of IoT
• Focus: Collaborate on use cases that enable high value IoT services
• Objective: Evolve connected end-to-end solutions across domains
• Benefits: Reduce costs and risks while delivering higher value offerings
• Sharing: Provide use cases and guidelines that promote best practices
• Openness: Allow parties to participate and add value in a consistent way
• Interactions: Amplify value-add through ecosystem network effects
• Governance: Minimize conflicts while promoting growth of Ecosystem IQ
*Refer to Exhibit A of the Joint Stakeholder Agreement (JSA)
Business Interests
Scalable Platform
Evolving a Scalable Operating Model
Content Categories
Hardware Design & Product
Trusted Supply Chain
Vulnerability & Trust Metrics
Embedded System Security
Security Infrastructure
Edge, ML/AI Applications
Trusted Digital Twins
New XaaS Business Models
Content Type
White Paper
Presentation
Webinars
PoC Demonstrator
Use Case Examples
Solution Advertorials
Best Practices Guides
Industry Guidelines
• GSA Bylaws
• TIES Governance
• SWG* Process
• Platform Concept
*SWG - Solutions Working Group focusing on end-to-end use cases
Proposal Outline
Executive Summary
Industry Problem
Use Case Examples
Proposed Solution
Beneficiaries
Value Proposition
Industry Guidelines
Recommended Team
Participatory Platform - How Ecosystem IQ Grows
Company Participation
• SWGs define use cases and promote solutions
• Published content is open for add-on feedback
• New members can broaden & enhance solutions
Industry & Business Feedback
Add Solution Components and Members
Liaison Organization Feedback
Liaison Participation
• SWGs describe use case requirements and gaps
• Liaison parties develop standards & best practices
• TIES promotes best practices to the ecosystem
*Example of standards organizations involved in end-to-end security & supply chain traceability
Standards and Best Practices
Define End-to-End Use Case
List Solution Components
Describe Solution & Value
Promote Solution Benefits
Supply Chain Traceability Standards
Trusted systems internal protocol | Chip Authentication Protocol | Authentication Access Protocol | Provenance & Traceability Link
Trusted Devices & Apps
Component Group Traceability | System Group Traceability | Logistics Group Traceability | End Application Traceability
Component Provenance & Traceability Distributed Storage Layer (Consortium)
Trusted Private Component Data
Trusted Private Logistics Data
Trusted Private Assembly Data
Trusted Private OEM Data
Internal | External | Internal | External
Data Exchange Network – Secure Data Access and Transfer
*Courtesy of SEMI & IPC
The GSA TIES Value Proposition
Economic Value
Chip suppliers | OEMs/ODMs | App/Service Providers
• Reduce SKU & Production Cost
• Track/Provision SKUs in Field
• Prevent IP Theft and Clones
Enroll - Track - Provision
• Enable RoT Based Services/Apps
• Authenticate Device, not User
• Secure Content and Payments
Protect Users, Apps, & Data
• Automate Device Onboarding
• Track/Update Devices in Field
• Enable Remote Debug & PLM
Track - Provision - Certify
IoT Services
Enablement | Increase End-to-end Solution Value | Traceability | Reduce Barriers & Risk of Failures | Ecosystem IQ
$$$$