Q. Now with Industry 4.0 making rapid strides, would the risk of hardware trojans increase, if yes, and how should these be mitigated?
A. In Industry 4.0, there is a need for four-layered security design (hardware, firmware network and application). HT belongs to first two layers: – hardware and firmware level. Mitigation of issues should start from the level of choosing the right micro-controllers/devices. Identification and authentication should be critically adhered to in the case of IoT-specific devices.
Understanding a supply chain is very important. It is required for system developer to know where devices are designed, manufactured and tested. And also, chip makers should demonstrate to their customers, what are all security measures against HT or IoT security measures they have taken, so that they can market their products better.
Now, as far as the exact threats in Industry 4.0 are concerned, it is undoubtedly the denial of service (DoS) is a major threat. A solid defense mechanism should be put in place to take damage control when HT becomes active.
For example: DoS HT can change the value of program counter in microcontroller suddenly which may lead to system crash. Detection of HT discussed above is important and at the same time, HT defence is very important. Even with very good security verification mechanisms during design phase, few malicious inclusions may escape security verification procedures and sneak into chips.
As a last rescue, HT defence mechanism will save the end user from catastrophes. So system developers in IoT space, should choose right microcontroller not only fits their targeted application but also support their security requirements.
chip makers or System on Chip makers should incorporate dedicated security IP or block to support the security requirements of IoT systems (addressing the security at hardware level). It is always better to have root of trust from hardware.
IoT engineers and solution providers should properly analyse the existing defence mechanism with respect to microcontrollers. Also, potential side-channel attacks should be predicted and appropriate security software should be put in place.
Q. Finally, your advice to industries to combat hardware trojans.
A. I would like to advice industries to follow the components procurement mechanism that is currently adapted by the military and defence establishments. This requires time and effort to adapt into commercial practice, but when done, the security gains are long term.
Even governments can take cue from Defence with respect to components procurement and create separate policies for IoT-specific procurement to ensure maximum security at both hardware as well as firmware levels. All the issues discussed with respect to chips (microcontrollers and System on chips) is equally applicable to FPGA’s also.
Industry (Chip makers, Semiconductor IP vendors, Service providers from IC design to post silicon test, system developers) should come together to create a security certification agency or a consortium to ensure security through establishing security standards for chip makers, IP vendors and service providers.
Success of Industry 4.0 depends upon how holistically security is addressed from hardware layer to application layer.