The GSA Trusted IoT Ecosystem for Security (TIES)

Tom Katsioulas Board Chair, GSA TIES Email: [email protected] The GSA Trusted IoT Ecosystem for Security (TIES) Version 1.0: October 19, 2020


Post on 07-Feb-2022


Page 1: The GSA Trusted IoT Ecosystem for Security (TIES)

Tom Katsioulas
Board Chair, GSA TIES
Email: [email protected]

The GSA Trusted IoT Ecosystem for Security (TIES)

Version 1.0: October 19, 2020

Page 2

GSA TIES Executive Summary

Join GSA TIES - Leaders will ride the IoT wave. Laggards will watch it go away.

*Source: ABI Research

SoC-enabled IoT services are projected to grow to $460 billion* by 2026
• Connected ecosystems are emerging in the value chain to enable monetization
• Lagging end-to-end secure & trusted infrastructure poses major barriers to adoption

GSA sees a potential to fuel growth in the IoT value chain from chips inside
• 250+ members in semiconductors expanding to systems end application providers
• TIES intends to be a collaborative contribution ecosystem that enables higher value to all

Ecosystem IQ and value is maximized with diverse experts from chip-to-cloud
• Define use cases and business models starting from end-applications down to chips
• Leverage TIES collective IQ to educate and promote how to monetize IoT services

Page 3

Smart-Connected Product Supplier Economics

*Source: Harvard Business Review

• No traceability or configurability
• High OPEX, low differentiation

Disconnected Supplier Product Portfolio
Supply Chain & Field Use

• Better visibility on product field use
• Remote lifecycle management
• Reduced support costs and RMAs
• Lower OPEX, higher differentiation
• New IoT services business models
• Trust, security and safety issues

Smart Connected Supplier*

Product-as-a-Service Managed Portfolio
Field Usage Analytics

Managed Device Lifecycle

Page 4

Attacks Related to Supply Chain Issues

The roots of security issues lie in the structure of the electronics industry at large

Suppliers of fixed cost HW to rebranding companies have no incentive to add security

The Big Hack Supermicro

Uncovering the alleged malicious component insertion would require looking at the whole value chain, from design through manufacturing, and monitoring every step

Mirai botnet Xiongmai

*Supply Chain Implants: https://www.youtube.com/watch?v=C7H3V7tkxeA&feature=youtu.be

Page 5

Security & Trust Issues - Complex System and Parts

Vast attack surface making it extremely difficult to track down intrusions & hacks
*Sources: Goldman Sachs, McKinsey, and others

End Customer Business Applications: Operations Maintenance | Asset Management | Factory Control

Device Management & Services: Configure | Update | Debug | Monitor

App Management & Services: Data | Analytics | Events | Reports

Critical Industrial Infrastructure & Automation Systems: PLCs | Control Systems | SCADA | Motion Control

Intelligent Gateways, Comms, Network Services: Fog | Edge Analytics | Mobile | Wireless | WAN/LAN

Sensors, Actuators, Edge Devices, Processing: HW | Embedded SW | Protocols | Agents | Local Apps

System, Protocol+

Data Integration+

Security Services

• Growing Attack Surface in Systems

• Breaches Impact All Parts of the Stack

• Costly to Identify Root Causes

• Limited Knowledge Base on Attacks

• Untraceable Chain of Liability

• Critical Infrastructure Threatened

Page 6

Security & Trust Issues - Fragmented IoT Supply Chain

Complex supply chain makes it hard to trace & trust every component in a system
*Sources: Goldman Sachs, McKinsey, and others

Applications & Services
Device OS+Apps: Apple, Google, Microsoft
Enterprise Integ: IBM, HP, Cisco, Accenture, PwC
IoT Platforms: Siemens, GE, ARM, Windriver
Connectivity: AT&T, Verizon, Vodafone
Vertical Sol.: ADT, Comcast P&E, DIRECTV

Vertically Specialized Systems
Embedded Systems: Thales, Telit, Sierra Wireless
Smart Industrial: Schneider, GE, Siemens
Connected Cars: Bosch, Delphi, Denso, Yazaki

Connected Things
Wearables, Homes, Cities, Industrial, Automotive, Transportation, Health Care

Semiconductors & Components
Comm ICs: Qualcomm, Broadcom
Processors: Intel, ARM, Qualcomm
MCUs & Analog: Renesas, STM, Microchip, NXP
Sensors: InvenSense, TI, Maxim
Storage: Micron, WD, Marvell, Hynix

Networking Infrastructure
Backbone (Routing/Optical): Cisco, Juniper, Alcatel, Google
Access (Cellular/Wi-Fi): Cisco, Ericsson, Nokia, Netgear
Security (Network, Edge): Equinix, Argus, Duo, …

• Multiple Verticals, Varied Profiles

• Several Actors in the Value Chain

• Disparate Rules Among Suppliers

• Untrusted Device Vulnerabilities

• Rebranded Low Cost Hardware

• No Economic Incentive for Security

Page 7

Trust in Complex IoT Systems & Supply Chains

Requirements Design Development Commissioning Operating Decommissioning

Trusted Lifecycle - Each part of the system and value chain must be monitored to preserve trustworthiness

Operational User

System Builder

Component Builders

TRUST

Hardware | Software | IP | Service Suppliers

Components

Integrated System

Operational System

OEM (In House) | 3rd Party | Solution Provider

System Owner | Operator | Service Provider

Requirements

Deployment

Trust Flow - Starts top-down, evolves bottom-up

*Source: www.iiconsortium.org Internet of Things Volume G4: Security Framework

Permeation of Trust - Assurance & Credentials

Operational User

System Builders

Component Builders

Spec

Spec

Part System

TRUST in System

TRUST in Component

Standards Regulations

ECU

Page 8

• The electronics value chain is sequential. Value creation is incremental to cover cost and failures
• Failures due to vulnerabilities* that are discovered after deployment multiply costs and risks
• Economic value for IoT Services realized at the end-application requires a “shift left” mentality
• Start from defining end-application use cases to drive “secure-by-design” systems and apps

Value Creation in the Electronics Supply Chain

*Reimagining Fabs – Advanced Analytics in Semiconductor Manufacturing, McKinsey & Company 2017

Product Delivery Cost

Cost & Risk of Failure

IC Design NPI Ramp Manufacturing System Test Field Use Recycling Assembly & Test

50% Increase in test and verification

12-18 months of interactive debugging

85-95% yield and 80-90% utilization

30% of capital costs relate to testing

No end-to-end traceability at the device level

No feedback loop at end of life

Functional Safety and Security

Ecosystem IQ from chip-to-cloud barriers to adoption and drives higher value
* Quality and Security vulnerabilities should be considered up-front during chip design

Page 9

Principles of Evolving Complex Ecosystems

IoT Solution Ecosystem

*Source: IDC European IoT Security Why the IoT Supply Chain of Trust Matters
*Source: IBM Institute of Business Value - The new age of ecosystems

Built-in Security

Partner Trust

Cost vs. Value

Requires

Who pays for end-to-end solutions and how can participants share the gain?

Page 10

Trusted IoT Ecosystem Security Vision

Page 11

GSA TIES Strawman Proposal Highlights*

• Motivation: Promote secure solutions to accelerate adoption of IoT

• Focus: Collaborate on use cases to be monetized by end applications

• Objective: Define end-to-end solutions from diverse domain experts

• Benefits: Develop and share new ideas to capture higher ecosystem value

• Consortia: Provide new use cases resulting in best practices contributions

• Openness: Allow parties to participate and add value in a consistent way

• Interactions: Multiply value-add through ecosystem network effects

• Governance: Minimize conflicts while promoting growth of Ecosystem IQ

*Refer to Exhibit A Subject Matter Proposal which outlines the operating plan

Business Interests

Scalable Platform

Page 12

Evolving a Scalable Operating Model

Content Categories

Hardware Design & Product

Trusted Supply Chain

Vulnerability & Trust Metrics

Embedded System Security

Security Infrastructure

Edge, ML/AI Applications

Trusted Digital Twins

New XaaS Business Models

Content Type

White Paper

Presentation

Webinars

PoC Demonstrator

Use Case Examples

Solution Advertorials

Best Practices Guides

Industry Guidelines

• GSA Bylaws
• TIES Governance
• SWG* Process
• Platform Concept

*SWG – Sub Working Group focusing on a specific solution topic

Proposal Outline

Executive Summary

Industry Problem

Use Case Examples

Proposed Solution

Beneficiaries

Value Proposition

Industry Guidelines

Recommended Team

Page 13

Platform Concept - How Ecosystem IQ Grows

Business Organizations

• SWGs define use cases and promote solutions

• Published content is open to add-on components

• New members can broaden scope of solution

Industry & Business Views

Add Solution Components & Members

Liaison Organization Views

Liaison Organizations

• SWGs define business use case requirements

• Liaison parties develop standards & best practices

• Best practices are fed back to enhance solutions

*Example of standards organizations involved in end-to-end security & supply chain traceability

Standards and Best Practices

Define End-to-End Use Case

List Participants & Offerings

Describe Solution & Value

Promote Solution & Results

Page 14

The GSA TIES Value Proposition

Economic Value

Chip suppliers OEMs/ODMs App/Service Providers

• Reduce SKU & Production Cost

• Track/Provision SKUs in Field

• Prevent IP Theft and Clones

Enroll - Track - Provision

• Enable RoT Based Services/Apps

• Authenticate Device, not User

• Secure Content and Payments

Protect Users, Apps, & Data

• Automate Device Onboarding

• Track/Update Devices in Field

• Enable Remote Debug & PLM

Track - Provision - Certify

Services & Apps

Enablement Increase End-to-end Solution Value
Traceability Reduce Barriers & Risk of Failures Ecosystem IQ

$$$$