Tom Katsioulas, Board Chair, GSA TIES
The GSA Trusted IoT Ecosystem for Security (TIES)
Version 1.0: October 19, 2020
GSA TIES Executive Summary
Join GSA TIES - Leaders will ride the IoT wave. Laggards will watch it go away.
*Source: ABI Research
SoC-enabled IoT services are projected to grow to $460 billion* by 2026
• Connected ecosystems are emerging in the value chain to enable monetization
• Lagging end-to-end secure & trusted infrastructure poses major barriers to adoption
GSA sees a potential to fuel growth in the IoT value chain from chips inside
• 250+ members in semiconductors expanding to systems end application providers
• TIES intends to be a collaborative contribution ecosystem that enables higher value to all
Ecosystem IQ and value is maximized with diverse experts from chip-to-cloud
• Define use cases and business models starting from end-applications down to chips
• Leverage TIES collective IQ to educate and promote how to monetize IoT services
Smart-Connected Product Supplier Economics
Disconnected Supplier
Product Portfolio | Supply Chain & Field Use
• No traceability or configurability
• High OPEX, low differentiation
Smart Connected Supplier*
Product-as-a-Service | Managed Portfolio | Field Usage Analytics | Managed Device Lifecycle
• Better visibility on product field use
• Remote lifecycle management
• Reduced support costs and RMAs
• Lower OPEX, higher differentiation
• New IoT services business models
• Trust, security and safety issues
*Source: Harvard Business Review
Attacks Related to Supply Chain Issues
The roots of security issues lie in the structure of the electronics industry at large
Suppliers of fixed cost HW to rebranding companies have no incentive to add security
The Big Hack Supermicro
Uncovering the alleged malicious component insertion would require looking at the whole value chain, from design through manufacturing, and monitoring every step
Mirai botnet Xiongmai
*Supply Chain Implants: https://www.youtube.com/watch?v=C7H3V7tkxeA&feature=youtu.be
Security & Trust Issues - Complex System and Parts
Vast attack surface making it extremely difficult to track down intrusions & hacks
*Sources: Goldman Sachs, McKinsey, and others
End Customer Business Applications: Operations Maintenance | Asset Management | Factory Control
Device Management & Services: Configure | Update | Debug | Monitor
App Management & Services: Data | Analytics | Events | Reports
Critical Industrial Infrastructure & Automation Systems: PLCs | Control Systems | SCADA | Motion Control
Intelligent Gateways, Comms, Network Services: Fog | Edge Analytics | Mobile | Wireless | WAN/LAN
Sensors, Actuators, Edge Devices, Processing: HW | Embedded SW | Protocols | Agents | Local Apps
System, Protocol + Data Integration + Security Services
• Growing Attack Surface in Systems
• Breaches Impact All Parts of the Stack
• Costly to Identify Root Causes
• Limited Knowledge Base on Attacks
• Untraceable Chain of Liability
• Critical Infrastructure Threatened
Security & Trust Issues - Fragmented IoT Supply Chain
Complex supply chain makes it hard to trace & trust every component in a system
*Sources: Goldman Sachs, McKinsey, and others
Applications & Services
Device OS+Apps: Apple, Google, Microsoft
Enterprise Integ: IBM, HP, Cisco, Accenture, PwC
IoT Platforms: Siemens, GE, ARM, Windriver
Connectivity: AT&T, Verizon, Vodafone
Vertical Sol.: ADT, Comcast P&E, DIRECTV
Vertically Specialized Systems
Embedded Systems: Thales, Telit, Sierra Wireless
Smart Industrial: Schneider, GE, Siemens
Connected Cars: Bosch, Delphi, Denso, Yazaki
Connected Things
Wearables, Homes, Cities, Industrial, Automotive, Transportation, Health Care
Semiconductors & Components
Comm ICs: Qualcomm, Broadcom
Processors: Intel, ARM, Qualcomm
MCUs & Analog: Renesas, STM, Microchip, NXP
Sensors: InvenSense, TI, Maxim
Storage: Micron, WD, Marvell, Hynix
Networking Infrastructure
Backbone (Routing/Optical): Cisco, Juniper, Alcatel, Google
Access (Cellular/Wi-Fi): Cisco, Ericsson, Nokia, Netgear
Security (Network, Edge): Equinix, Argus, Duo, …
• Multiple Verticals, Varied Profiles
• Several Actors in the Value Chain
• Disparate Rules Among Suppliers
• Untrusted Device Vulnerabilities
• Rebranded Low Cost Hardware
• No Economic Incentive for Security
Trust in Complex IoT Systems & Supply Chains
Requirements | Design | Development | Commissioning | Operating | Decommissioning
Trusted Lifecycle - Each part of the system and value chain must be monitored to preserve trustworthiness
[Figure labels: TRUST | Requirements | Deployment]
Operational User - Operational System - System Owner | Operator | Service Provider
System Builder - Integrated System - OEM (In House) | 3rd Party | Solution Provider
Component Builders - Components - Hardware | Software | IP | Service Suppliers
Trust Flow - Starts top-down, evolves bottom-up
*Source: www.iiconsortium.org Internet of Things Volume G4: Security Framework
Permeation of Trust - Assurance & Credentials
[Figure labels: Operational User | System Builders | Component Builders | Spec | Part | System | TRUST in System | TRUST in Component | Standards | Regulations | ECU]
• The electronics value chain is sequential. Value creation is incremental to cover cost and failures
• Failures due to vulnerabilities* that are discovered after deployment multiply costs and risks
• Economic value for IoT Services realized at the end-application requires a “shift left” mentality
• Start from defining end-application use cases to drive “secure-by-design” systems and apps
Value Creation in the Electronics Supply Chain
*Reimagining Fabs – Advanced Analytics in Semiconductor Manufacturing, McKinsey & Company 2017
Product Delivery Cost
Cost & Risk of Failure
IC Design NPI Ramp Manufacturing System Test Field Use Recycling Assembly & Test
50% Increase in test and verification
12-18 months of interactive debugging
85-95% yield and 80-90% utilization
30% of capital costs relate to testing
No end-to-end traceability at the device level
No feedback loop at end of life
Functional Safety and Security
Ecosystem IQ from chip-to-cloud barriers to adoption and drives higher value
* Quality and Security vulnerabilities should be considered up-front during chip design
Principles of Evolving Complex Ecosystems
IoT Solution Ecosystem
*Source: IDC European IoT Security Why the IoT Supply Chain of Trust Matters
*Source: IBM Institute of Business Value - The new age of ecosystems
Built-in Security
Partner Trust
Cost vs. Value
Requires
Who pays for end-to-end solutions and how can participants share the gain?
Trusted IoT Ecosystem Security Vision
GSA TIES Strawman Proposal Highlights*
• Motivation: Promote secure solutions to accelerate adoption of IoT
• Focus: Collaborate on use cases to be monetized by end applications
• Objective: Define end-to-end solutions from diverse domain experts
• Benefits: Develop and share new ideas to capture higher ecosystem value
• Consortia: Provide new use cases resulting in best practices contributions
• Openness: Allow parties to participate and add value in a consistent way
• Interactions: Multiply value-add through ecosystem network effects
• Governance: Minimize conflicts while promoting growth of Ecosystem IQ
*Refer to Exhibit A Subject Matter Proposal which outlines the operating plan
Business Interests
Scalable Platform
Evolving a Scalable Operating Model
Content Categories
Hardware Design & Product
Trusted Supply Chain
Vulnerability & Trust Metrics
Embedded System Security
Security Infrastructure
Edge, ML/AI Applications
Trusted Digital Twins
New XaaS Business Models
Content Type
White Paper
Presentation
Webinars
PoC Demonstrator
Use Case Examples
Solution Advertorials
Best Practices Guides
Industry Guidelines
• GSA Bylaws
• TIES Governance
• SWG* Process
• Platform Concept
*SWG – Sub Working Group focusing on a specific solution topic
Proposal Outline
Executive Summary
Industry Problem
Use Case Examples
Proposed Solution
Beneficiaries
Value Proposition
Industry Guidelines
Recommended Team
Platform Concept - How Ecosystem IQ Grows
Business Organizations
• SWGs define use cases and promote solutions
• Published content is open to add-on components
• New members can broaden scope of solution
Industry & Business Views
Add Solution Components & Members
Liaison Organization Views
Liaison Organizations
• SWGs define business use case requirements
• Liaison parties develop standards & best practices
• Best practices are fed back to enhance solutions
*Example of standards organizations involved in end-to-end security & supply chain traceability
Standards and Best Practices
Define End-to-End Use Case
List Participants & Offerings
Describe Solution & Value
Promote Solution & Results
The GSA TIES Value Proposition
Economic Value
Chip suppliers | OEMs/ODMs | App/Service Providers
• Reduce SKU & Production Cost
• Track/Provision SKUs in Field
• Prevent IP Theft and Clones
Enroll - Track - Provision
• Enable RoT Based Services/Apps
• Authenticate Device, not User
• Secure Content and Payments
Protect Users, Apps, & Data
• Automate Device Onboarding
• Track/Update Devices in Field
• Enable Remote Debug & PLM
Track - Provision - Certify
Services & Apps
Enablement: Increase End-to-end Solution Value
Traceability: Reduce Barriers & Risk of Failures
Ecosystem IQ
$$$$