Security in ST: From Company to Products
July 2015
Thierry FENSCH, Innovation, Collaboration and Efficiency Director, Grenoble Site

Who we are
- A global semiconductor leader
- 2014 revenues of $7.40B
- Approximately 43,600 employees worldwide
- Approximately 8,700 people working in R&D
- 11 manufacturing sites
- Listed on New York Stock Exchange, Euronext Paris and Borsa Italiana, Milano

Where you find us
- Our MEMS & Sensors are augmenting the consumer experience
- Our digital consumer products are powering the augmented digital lifestyle
- Our automotive products are making driving safer, greener and more entertaining
- Our Microcontrollers are everywhere making everything smarter and more secure
- Our smart power products are allowing our mobile products to operate longer and making more of our energy resources
Copyright STMicroelectronics. Unauthorized reproduction and communication strictly prohibited.

The Smart World of IoT (Internet of Things)
Diagram labels: Security, Smart Home, Smart City, Smart Grid, Smart Me, Smart Car
- DANGEROUS: IoT allows remote attackers to do a lot of damage
- UBIQUITOUS: Critical infrastructure can't avoid IoT even if they try
- UNPREDICTABLE: We don't know what new attack vectors IoT will create

From large-scale cyber attacks...

...to consumer IoT security

Company level: Countermeasures
55% of French companies experienced a cyber attack in 2014.
Technical solutions implemented to ensure ICT security, with constant adaptation to the threats:
- Servers/network management: intrusion detection and trace, honey pots
- Security protocols: proxies, firewalls, VPN, SED (Self Encrypted Drives)
- PC hard disks cryptography
- Security tools, proactive threats management (anti-viruses, anti-malware)
- Protected internal e-mail (potentially malicious e-mails from the internet are blocked)
- Reduced number of users with PC administrative rights
- Mobile security solutions (iPhone, iPad, Android)
- Backups
Employee communications and training!
- 80% of successful hacking is due to the human factor: the wrong click!
- Communications on phishing & vishing risks
- E-learning on security and continuous deployment

Threats in IoT
Diagram elements: Connected Object, Network, Concentrator / Gateway, Data Center
Threats shown on the diagram:
- Eavesdropper
- Servers tampering
- Fake service
- Fake device
- Malicious code
- Data corruption
- Distributed denial-of-service
- Disruption of service
- Disruption of administration system
- Entry point for administration system
- Supply shut down
- Spread of wrong information (e.g. invoices)
- Fraud, invoice fraud
- Manipulating meter readings
- Misuse of private customer data
- Identifying empty houses, etc.
- Commercial & cyber crime usage

Attacks & Vulnerabilities Identification
- Non invasive: logical attacks, side channel attacks
- Semi invasive: uncontrolled state device, fault injection
- Invasive: probing, reverse engineering
Examples shown: Heartbleed bug; key identification with crypto consumption analysis; glitch on power & clock for code dump; extraction of key
Axis: attacks materials cost & expertise

2015 Security into ST products
- Crypto-keys and certificates management
- Authentication
- Hashing
- Integrity
- Confidentiality
- Cryptography
- Availability
Major impacts on hardware and software architectures and design

Countermeasures
Company level security: Countermeasures
Designs
Designing Secure Systems in a secured environment
- IT architecture, backups, infrastructure redundancy
- Intrusion detection
- Firewalls
- Employees training
- Audits and certification (ISO27001)
- NDAs for third parties
- PC usage, communication tools usage, encryption
- High security zones
- Confidential data life cycle (up to destruction)
- Trusted components and software
- Secured devices
- Secured architecture
- Partitioning secure SW and application SW
- Secured development and production flows
- Secure development methodology
- Supply chain
- Subcos/partners management
- Trained personnel, roles clarified

Encryption Algorithms
Diagram labels: Public, Private
- Cryptography algorithms (DES, AES, ECC, RSA) are public
- Security level depends on the crypto keys protection level
- The most effective encryption keys are embedded in hardware
- Manufacturing technologies like 28nm FDSOI: minute security keys in a very small die-size, extremely difficult to detect in Side Channel Attack (very low power consumption)

Security in Set-top boxes
Diagram labels: Broadcast; Over-The-Top Services (directly from internet); Operator Managed Network & Services; Home gateway; Set-Top Box; Home Cloud; Connected Client & Server; Big Screens; Medium Screen Clients; Small Screen Clients; Home Automation Clients; Personal Clients On the Move

Security in a set-top box CPU
Security on all accesses:
- Crypto keys on HDMI links, HD interface, RAM interface, debug interface, service access card interface
- RAM source code is obfuscated: rendered not understandable
- The boot sequence is encrypted
Proprietary information management:
- Trust zones: CPU for media data (video operator) separated from the applications zone
- Watermarking

Security eco-system at all levels
Diagram labels: Conditional Access Suppliers; Digital Rights Management; Media Services Operators (Content Providers); New Crypto Technologies; Links protect; Robustness; Watermarking
ST leadership in security:
- #3 WW security solution provider and leader in PAY-TV SIM card
- Inventor of the Keccak algorithm adopted by US NIST for the new SHA-3 hash standard

GP & Secure MCUs for IoT
Attack levels on the diagram: Highly Sophisticated Attacks, Medium, Basic
Applications shown: Payment, Identification, Healthcare, Smart Grid, Industrial Gateways, Smart meter, appliances, Smart home, Wearables
- Protection of critical assets
- Strong security for private data
- Resistance to attacks for connected devices
Devices require different levels of security, from General Purpose MCU to Secure MCU

Secure Transaction & Wearable
Wearable applications embedding Secure Transactions capabilities: mainly smartwatches
ST SOLUTION
- Ultra low power 32-bit MCU: sensor hub, application processor: STM32L series
- Connectivity: Bluetooth Low Energy
- NFC controller
- Security: Secure Element
Diagram labels: BTLE, STM32 LP, e-SE, NFC CTRL

Secure element
A secure element (SE) is a tamper-resistant platform (typically a one-chip secure microcontroller) capable of securely hosting applications and their confidential and cryptographic data (e.g. key management) in accordance with the rules and security requirements from well-identified trusted authorities.
An SE needs to be inviolable against:
- Software attacks (non invasive)
- External attempts to read the data and keys through supplies, external magnetic field, or any misuse operation (semi-invasive)
- Reverse engineering techniques (invasive)

Fast growing secure CPU market
[Charts: WW volume TAM in Mu, 2014 to 2017e, for three segments: Banking and IDs, Secure Mobile Transactions, Smart Metering. CAGR figures shown: 18,9%, 19%, 54%.]
- ST31 series of highly secure 32-bit MCU: contact/contactless flash-based platform embedding advanced software
- ST, complete solution provider
- ST33 family: Best in Class Secure Element (SIM form factor or Embedded)
- ST #1 WW Supplier
- ST21NFC Controllers
- ST31 & ST33 Embedded security solution
- Secure element for safety and security

Security Implementation: teams of specialists
Security involves many professional actors in a company like ST:
- IT engineers
- System architects
- Business and customer contacts
- Software developers
- SoC designers
- Analog designers
- Devices specialists
- Quality engineers
- Product engineers
- Security specialists (high security zones)
- ...

The essential
- Security is an essential requirement to consider at the earliest stage of IoT product design, involving software and hardware down to the lowest level.
- Full control of silicon manufacturing with deep expertise is the only way to master the security needs of our connected world. Otherwise, who will know whether there is a back-door in their system if we have no means to investigate, or are dependent on products from unreliable sources?
- There is very high value in teaching cybersecurity. It will impact all engineers and other functions.