Infineon: Driving IoT Security Through Open Standards
[Music] The Connected Consumer.

Hi, I'm Chris White, and I am the host of the Parks Associates podcast, The Connected Consumer. This podcast is all about Parks Associates' data-driven market insights on emerging consumer technology products and services. Each episode features a member of our talented analyst team or industry leaders who are bringing new and innovative products to market, and today we have one of those. His name is Steve Hanna from Infineon, and in addition to being a distinguished engineer at Infineon Technologies, he's also the chair of the Connectivity Standards Alliance's Product Security Working Group. He's going to share his experience and draw on his extensive background in cyber security and IoT space, as well as sharing Infineon's role in helping smart homes become more secure. So I'd like to bring Steve in now and say hi. Steve, please tell us a little bit more about your background and your role with Infineon and the CSA.

Well, thanks, Chris. It's a pleasure to be here. I've been working on IoT cyber security for more than 20 years now, and I've really seen things change, um, and it's a very exciting time to be working in this industry, uh, both at Infineon, where we're making great strides forward in IoT cyber security, and also in the standards group, Connectivity Standards Alliance, where the same is true as well.

So for the audience that, that isn't as familiar with Infineon, could you, could you talk a little bit about what you guys do broadly and then zoom in a little bit about your sort of particular business unit or working group?

Yes. So at Infineon, we're a semiconductor manufacturer. We have, uh, decades of experience making secure semiconductors, the kind that you would find in your credit cards or passports or PCs, mobile phones, embedded systems, uh, really quite a wide variety of, uh, of microcontrollers and other secure products. And in the Connectivity Standards Alliance, uh, we, Infineon has played a leading role in advancing the state of the art of IoT cyber security.
Right, so cyber security is in a way a buzzword, but is also very important, uh, feature of the, of the IoT space. So I was hoping you could, um, draw on your, on your kind of experience and give us a little history lesson, uh, based on your career in the space. What have you seen in terms of, uh, IoT security trends, which includes some war stories here for fun? That'd be great.

So if we scroll back 10 years ago, when the smart home was just getting started out, I think a lot of people had a very naive view of IoT, and they thought, you know, this is just going to be great, we're going to connect a bunch of things together and we're going to have smart homes and smart systems. And, uh, what we learned pretty quickly, or what they learned pretty quickly, was that there are bad guys out there, and those bad guys are going to take advantage of any chink in the armor, any opportunity to undermine the security of the smart home. We saw in those early days a lot of, uh, video cameras in the smart home being hacked, baby monitors being hacked, and this got a lot of press coverage. And then in 2016 we saw the Mirai botnet, where millions of, uh, IoT devices that had been compromised were formed together into a swarm, what's called a botnet, of zombie devices and then used to attack different targets. And each device might send just a single packet, I mean, you get millions of them simultaneously, they're able to take down a substantial website or other key internet service such as DNS servers. This got the attention of governments, and they said, look, we need to have security not just for the protocols that are used to communicate between the devices but also for the devices themselves. And over the last few years we have seen a lot of developments in both of those areas.

So now you mentioned that, that the consumer space was very naive in terms of what this smart home, home automation, IoT world was going to be like in terms of security. Where would you say people are now, after there's been years of these news stories and there's
different types of services available now to kind of protect your, your home ecosystem? Can you talk a little bit about your, from your perspective, where the consumer base is right now?

It's like night and day. Uh, consumers who 10 years ago were very naive about IoT cyber security now are very aware of it, very concerned with it, and in fact most consumers say that security is an important or very important part of their purchase decision when they're looking to buy an IoT device, 84% in a recent survey. So I would say consumer awareness is much, much higher than it was in the past, and that's why we're seeing a real response from manufacturers and from government to address this key concern of consumers. Manufacturers have been boosting the level of capability of their devices, and governments have been stepping forward with baseline regulations and standards for what's needed in terms of IoT cyber security.

Okay, so to some extent this is happening passively from a consumer perspective, right? So you mentioned government is, is stepping in and making sure, and then the OEMs are operating on their own. But in terms of what the consumer can do, can you talk a little bit about what, um, what options are available for consumers in terms of choosing secure versus less secure, services that might help them, things like that?

Certainly. So if we look at those two aspects of IoT cyber security, uh, one is communication security, or protocol security, and the other is product security. I like to use the metaphor that this is like trying to build a secure banking system: we need to have secure communications for the money, and we also need to have secure places to store the money, like bank branches. In the IoT, the analogy is we want to have our private data secure, so we need to have secure communications protocols so that the private data, like that video camera feed that I was talking about, can be securely communicated, and then we need to have security built into the devices themselves so that the data is
secure in those devices. So what consumers should be looking for in this area is, for communication security, they might want to look for the Matter standard and to see whether the Matter standard is supported in the device that they're looking at. Matter is a new smart home standard, was developed by the CSA, the Connectivity Standards Alliance, and introduced about a year ago. It's widely supported, and if you check up you can find pages with lists of products that support that Matter standard. If you select one of those products, you know that it's getting state-of-the-art security for the communications between that device and other devices or the cloud. And then the other aspect of this is security of the devices themselves, and here's where governments are coming into play and introducing new labels, what they call trust marks. The U.S. has one, Singapore has one, Europe is going to be adding these requirements, and the UK as well. And these trust marks, it's a very new development, now are coming to pass and becoming available. I expect that we're going to see a good deal of educational, uh, activity there, where governments reach out to consumers and educate them about these new trust marks that they can look for to know, oh, this product has actually been tested. Say a webcam or a door lock, you would want to look for that mark when you're making your purchasing decision to know that it has a reasonable level of cyber security built into the device itself.

Okay, so you raised a couple of different marks, like physically marks that people are, should be looking for in packaging. So I know, I know Matter has the three little triangles, um, that people should be looking for, but beyond that I don't have a deep, deep understanding of how the tech works. So it would be helpful if you throw us up to speed with that and also talked about how Infineon technology is involved in that.

Happy to do so. Great, that's one of my favorite topics. I spent three years of my life, uh, building strong security into
the Matter standards, and, uh, we have 10 substantial security features included in Matter that were not present in the smart home. Clearly I won't have time to cover all of those today, but I'll touch on just a few of them. Every Matter device comes with a unique identity in the form of a public-private key pair and a certificate. What this means is that when you go to bring a Matter device into your home, you can have confidence that that Matter device is authentic and not counterfeit. It's a big issue when we buy things online: we don't know whether we're getting the real McCoy or whether we're getting a counterfeit instead, and this provides that ability to know that you're getting an authentic, certified Matter device. Then on top of that, all the communications, all the messages that take place over the Matter protocol are always secured, so encrypted, authenticated, integrity protected, replay protected, all that sort of stuff, using, uh, commercial-grade cryptography, which hasn't always been the case. And then I think the last thing I would mention there is that Matter includes out of the box a secure method for updating the firmware, the software if you will, uh, built into that device, and that's very important. You and I know that we're always getting firmware updates on our mobile phones, right? Same thing needs to be true for your IoT device, and the reason why is because, well, nobody can build perfect software, and so there are always vulnerabilities being found and new updates being pushed out, and you want to get those on your IoT device automatically installed so you don't have to be walking around your house and plugging in USB drives and trying to upgrade your light bulbs. That just doesn't work. So, right, so automating that is really important from a consumer perspective. Infineon not only was involved in designing this security but also is making sure that in our products, the chips that we provide to our customers, that those same capabilities, secure communications, uh, unique
identity, and secure firmware update, are supported. So it makes it easy for our customers to build that secure door lock, secure light bulb, or whatever it is they're building. They don't have to start from scratch; they can take those capabilities built into our device and pre-integrated with Matter and know that that's going to be easy for them to build that, uh, that product that they're trying to build.

Right. We like to talk about how any sort of savings of developer money or R&D money, um, can be therefore redirected to consumer-focused things like features that people enjoy, innovation like that. So anytime there are advancements that make it easier for the manufacturers, people up the value chain, then the whole space kind of downstream can also benefit, as, you know, new features will come to market faster, and, uh, advancements like that as well. So, um, so that's all really good news. Another piece of the Matter initiative is this idea of interoperability. We haven't talked about that too much, but I wanted to check on it because that's something that's another major benefit, right, to the consumer. So people do care about privacy and security, and that's a feature, but also, um, since Matter, the big, sort of the sexier piece of it from a consumer standpoint maybe is this ability to work with other devices. So I wanted to give you a chance to kind of touch on that as well.

Yes, yes. There were really four things that we built into Matter which we considered a key calling card: simplicity, reliability, interoperability, and security. And, uh, if we talk about interoperability, this is a huge win from a consumer perspective as well as from a device maker and even a retailer perspective. Before Matter, you had to go and look at each individual device and try to puzzle out, is that going to work with my favorite kind of phone, is that going to work with my smart speaker, does it work with the particular vendor, and, you know, there were separate logos for each of those. With Matter there's only a single Matter
logo. You look for that and you know that it'll work with all of those things, your smart speakers, your smart TV, your smartphone, because all of the major ecosystems have adopted Matter. So it even has the ability to support multiple of these cloud-based systems at the same time, in case, say, one spouse prefers one major cloud vendor and the other one prefers another, or maybe you have a smart speaker from a third. They can all work together in that way, and that's supported by having a single common standard, which is the Matter standard. In a way it's sort of like the Internet Protocol, IP. Um, we don't worry so much anymore about our ability to, uh, browse a website or send an email or make a phone call based on, oh, are you using, you know, a Mac or a PC, because we know there are standards there that enable that interoperability, and we've sort of moved beyond those early days of, uh, communications where we had to worry about those details. Now we don't have to worry about that, and people can focus on creating new, uh, applications, new solutions that weren't possible before. Can you imagine ride sharing without having a common protocol, a common way for all of these phones to work together? Would I have to make sure that the, the, a driver had the same kind of phone as I do? It just wouldn't be practical. I think we're going to see similar levels of innovation and creativity in developing new services on top of smart home now that we have a common standard for things like how do I control those bulbs and those thermostats and monitor those motion sensors.

Right, absolutely. It's, uh, it's sort of like moving, moving into new phase in terms of the home automation, all the devices working together and having the ability to tap into the expertise in other cross brands, right? So as you mentioned, a lot of us have home, smart homes kind of Frankensteined together, and it's because a lot of times we were happy with two products, you know, in two different categories that lived in an ecosystem, and then when it
time for the third one came in, said, well, you know what, that smart lock is ugly, my wife won't let me put it on the door, so now I'm, now I'm introducing a new ecosystem and I'm just going to live with it. And so the, the ability to have additional choice and really choose things based on their merit on, like, a more consumer-centric level, as opposed to being worried about functionality on a deeper level, is going to be really attractive and beneficial to consumers. So that's the reason why we're, we talk about Matter so much and why you were willing to do so much work on this, is that it's obviously very promising, right?

Absolutely. It's a huge sea change in the industry, and it helps retailers not have to stock different flavors of the same bulb, and it helps, uh, manufacturers not have to make different versions of their product to work with different ecosystems, so just one that works with all of those. We have to get to a similar thing in terms of product security certification, and that's, I'm very excited about that as well.

Okay, so, so yeah, so you mentioned, um, the trust mark and how the government was involved, so let's talk about that piece as well. Can you tell us more about, um, what the process is like going on in terms of those being developed and what it's going to take for OEMs to get their stuff certified?

Yes. Uh, so this is what I've been working on the last year. Um, so we see already many different governments all around the world, we count more than 55 in a recent, uh, analyst survey created by, uh, the, uh, Connectivity Standards Alliance, more than 55 different governments working on cyber trust marks. They call them different things, but it's effectively the same thing. Now, uh, it's great that we have their attention, I suppose, but it could be quite a headache for everyone concerned: for the consumer, who has to figure out what's the difference between these 55 different marks and different programs, and for the product manufacturer, who then has to worry, do I have to get my product
certified for security 55 different times? Imagine how much time and money would have to go into that. You're talking about, you know, a million dollars maybe just going into certifications, and as you said earlier, we really want that money going into making the product better, making it more secure, more featureful, more inexpensive, more timely. That's where the money should be spent. And so in CSA we are creating a, a product security certification which is designed to bring together the requirements from all of those different national marks. They're pretty similar, things like secure communications and secure key storage and unique identity. Bring them all together into one test regime and to say, if a product is tested against the CSA's product security certification program and it's validated by an independent third party, then it should be considered acceptable for all of these different government marks. That's where we're heading for. It'll be a one-stop shop for product manufacturers to test once and then have their product certified in all those different jurisdictions.

So you mentioned you've been working on this for a year. Talk a little bit about the progress and status here. So how many of the 55 have you got? What, how, how many more are left?

Well, some of the 55 haven't really decided what they need in terms of certifications and, and, and requirements, but so far we've got three major ones that we're focused on. Uh, one is the U.S. You probably saw the announcement from the U.S. White House and then a big announcement over the summer for what they're calling the U.S. Cyber Trust Mark.
This is based on a standard from NIST, the U.S. National Institute for Standards and Technologies, and that standard for consumer IoT cyber security was developed over the last five years in consultation with a lot of different parties, industry and consumer advocates, security experts. And so by taking the requirements from that standard, and now this will be put into this new U.S. Cyber Trust Mark program overseen by the Federal Communications Commission, this will give, at least within the U.S., a
common baseline of what the requirements are, and that's one of the things that we're making absolutely certain our CSA product security certification takes on board and encompasses. And the other two are Singapore, which to be honest was one of the very first countries to come out with a cyber security certification, and also a European standard called ETSI EN 303 645, rather alphabet soup of numbers and letters, but the important thing to know about that is that it's widely adopted across much of the world. So even Singapore started with that and added a few other things, but, uh, if you look at other countries around the world, you see a lot of alignment on that same set of requirements. So by bringing those three together, at least in the first version of our product security certification, that gives us a really solid base of requirements and of national and regional governments that should be able to accept our certification and grant their mark to the certified products.

That's good to hear, that, um, kind of a favorable report, because I see, the cynic in me sees, any, anytime the government's doing something with regards to technology, the concern is that it's five years too slow or that they've chosen a particular perspective of a single player. So the fact that you are speaking favorably of, uh, of the U.S. Cyber Trust Mark is, is good. That's a comfort for me. I didn't, I didn't have much background on it other than just kind of knowing it existed, so thank you for sharing all that. Um, so also, so we didn't necessarily touch on Infineon's place. You're, so you're involved in the decision making, but how do, how the, how does the tech, the Infineon, um, hardware kind of involved there as well?

Well, Infineon, as I mentioned earlier, we have a variety of different products that support the Matter standards and also are being certified under the product security certification. Uh, if you go to our site, www.infineon.com/matter and www.infineon.com/security, you'll be able to see information about those products
including our Matter development kit and, uh, our, uh, specific security products that are designed to provide easy integration for Matter-compatible and product security certified, uh, devices for our consumers and our customers as well.

That's great. Well, that's exciting that, that you are working on this important, uh, task of, of helping us all have secure smart homes, um, and also working with, with larger groups. The CSA is certainly doing a lot of important work right now, so I appreciate everyone who's devoting their time to working with that organization, um, and I appreciate you for taking the time here. Um, that, I feel like that was a, that was a great way to go out, directing people to the website. Go learn more about everything we talked about here today. Uh, also please keep an eye out for more episodes. We have, um, additional episodes coming up with more Infineon folk talking about, uh, work that they're doing. So, um, we're not going to have Steve back just yet, but we have more superstars from, from, uh, his larger team. They're going to come on and talk, and we also will be covering other topics. As I mentioned, this podcast covers all the connected home and services piece. So everyone please like and subscribe on the services that you're using, look me up on Twitter at cyts insights, follow Parks Associates on LinkedIn, and you can find all sorts of good information there with regards to the research that we do and more content from the interactions that we have with super smart industry folks like Steve. So thank you so much, Steve, for being here, thank you for taking the time, and thank you, listeners. Thank you. [Music]
2023-09-22 18:56