
GSA - McKinsey collaboration Christian Knochenhauer ... · Collaboration between GSA and McKinsey to develop a perspective on the implications of IoT for the semiconductor industry


GSA - McKinsey collaboration

Security in the Internet of Things

Christian Knochenhauer, McKinsey & Company


The IoT is considered to be a key growth driver for the semiconductor industry in the coming years – and security is the key challenge to overcome

SOURCE: McKinsey and GSA IoT survey (n=229; VP-level+ executives from semiconductor companies); iSuppli; Gartner; IDC; expert interviews; McKinsey Global Institute; GSA and McKinsey & Company “IoT collaboration”

What are key challenges to overcome for success in IoT?

Survey results from 2015 GSA-McKinsey IoT Industry perspective

Key challenges in the IoT for the semiconductor industry

▪ #1 Security issues
▪ #2 Low customer demand / lack of “lighthouse applications”
▪ #3 Lack of common standards

Average industry revenue growth and key growth drivers

• Periods: 2000 - 2007; 2007 - 2015; 2015 – 2020+
• Average industry revenue growth: 3% p.a.; 4% p.a.; 3 - 5% p.a.
• Key growth drivers: Personal computing/internet; Wireless communications; Internet of Things
• Examples: PCs; Laptops; Servers; Smartphones; Network infrastructure; Smart home; Wearables; Healthcare; Industrial; Connected car; Cloud/big data

Current trends

Wireless as key growth driver will slow down…

• 16% growth p.a. 2009 - 13
• Market maturity expected to slow growth down to 3% p.a. 2014 - 18

… and IoT is likely to pick up

• Considered most important growth driver by many executives
• IoT installed base to grow by 15-20% p.a. to 26-30bn devices in 2020
• Economic impact > USD 2 tr in 2025


McKinsey and the Global Semiconductor Alliance have jointly assessed challenges and opportunities from “Security in the Internet of Things”

2015 GSA/McKinsey collaboration on IoT

• Collaboration between GSA and McKinsey to develop a perspective on the implications of IoT for the semiconductor industry
• Interviews with 30 C-level executives from broader IoT ecosystem, complemented by survey of semiconductor executives
• Final report published jointly in report and in MoSC, extensive material available
• Numerous industry presentations and discussions e.g., GSA EMEA Executive Forum, IMEC, ARM Conference Korea, and many more…

2016 deep-dive on IoT Security

• Continued collaboration between GSA and McKinsey on "Security in the IoT"
  – Assessment of security-related challenges for semiconductor companies
  – Identification of opportunities for monetarization on security features
  – Focus on 3 industry verticals: Automotive, Industrial, and Smart Buildings
• Monthly GSA Steering Committee with 10 C-level executives from major semi players¹
• 30+ C-level executive interviews and survey with > 100 industry experts
• Industry conference on “Security in the IoT” with 70+ industry executives on Nov. 8 in Munich

1 Daniel Artusi, VP & GM Connected Home Division, Intel Corporation; Vivek Bhan, SVP Engineering, Dialog Semiconductor; Stan Boland, CEO, FiveAI; Graham Budd, COO, ARM; Guillaume D’Eyssautier, Executive Chairman, sureCore; Thomas Fitzek, VP Chip Card & Security Division, Infineon; Dr. Udo-Martin Gómez, CTO, Bosch Sensortec; Dr. Georges Karam, President and CEO, Sequans Communications; Dr. Maria Marced, President, TSMC Europe (GSA EMEA Leadership Council Chairwoman); Sami Nassar, VP Cybersecurity Solutions, NXP Semiconductors; Svein-Egil Nielsen, CTO, Nordic Semiconductor; Dr. Yannick Levy, VP Corp. Business Development at Parrot, was a member of the Steering Committee until his death in January 2017


Topics for today

• Semiconductor challenges with security in the IoT

• Vertical-specific challenges – short teaser on automotive

• How to focus as a semiconductor company: Value creation opportunities


According to our research, the challenges in IoT security lie along 4 dimensions for semiconductor players

1 Gap in technical sophistication

2 Immature security standard landscape

3 Strong demand for security, but missing transparency on value add

4 Challenging monetization of security by semiconductor players


Challenges are similar across verticals, but root causes differ

Scale¹: 0 = Not challenging/irrelevant; 3 = most challenging/relevant

[Chart: ratings of challenges 1a-4b for the verticals Automotive, Industrial and Smart Buildings]

1 Gap in technical sophistication
  1a Sophistication of currently available technology is insufficient
  1b End-2-end security of system solutions insufficient due to wide technical variety and legacy components

2 Immature security standard landscape
  2a Competing large players are fighting to establish proprietary ecosystems
  2b Existing standard setting bodies' roadmaps far behind pace of technological advancement
  2c There is uncertainty about how standards/regulations are going to be set and by who

3 Strong demand for security, but missing transparency on value add
  3a Customers of semiconductor players do not value security enough
  3b End users do not value security enough

4 Challenging monetization of security by semiconductor players
  4a Customer's willingness to pay for enhanced security
  4b Players owning control points up the stack exert commoditization pressure

1 Center scaled to 1 in graphic


End-2-end solution security currently insufficient due to challenges in securing complex systems of individual components

1. Attackers are highly specialized
• Highly specialized on one specific attack vector that they exploit across all potential targets
• Focus on the weakest link that can be attacked at the lowest effort/cost

2. System operators / integrators have limited resources and expertise
• Weakest link in system determines its overall security
• Defenders need to secure own system against all different attack vectors
• Usually can’t match expertise of attackers across every single threat and individual components

3. OEMs/component players have little leverage on overall system security
• OEMs often do not consider security as differentiating factor
• Focus on own product / individual component limits ability to solve security for the entire complex system

1 CHALLENGES - GAP IN TECHNICAL SOPHISTICATION


Attackers usually choose the cheapest of several possible attacks – Single component view may lead to wrong conclusions on end-2-end security

[Chart: Attack effort, thousand EUR, consumer examples. Attack groups: Remote attack vectors; Attacks from local network; Local attacks (non-intrusive); Local attacks (intrusive). Attacks shown: Password guessing; EMA attacks; Evil network/rerouting; Smartcard hacking; Password snooping/fingerprint cloning; Malicious mobile app; Phishing; SS7 intercept/tracking; E-mail virus; Web drive-by. Effort ranges shown: 5-10; 5-10; 5-15; 80-500; 5-15; 1-5; 5-15; 10-40; 5-15; 20-50.]

SOURCE: Expert interviews

1 CHALLENGES - GAP IN TECHNICAL SOPHISTICATION


Standardization efforts are ongoing, but the landscape is still crowded with industry players competing for ecosystem control

IoT standardization efforts (examples), NOT EXHAUSTIVE

[Figure: standardization efforts by stack layer and vertical. Verticals: Automotive; Industrial; Smart Buildings. Layers: SW infrastructure and apps (Application layer; SW infrastructure/framework¹); Connectivity (Comm. Protocol; Physical connection standard). Legend: Interest group; Open standard initiative; Industry player.]

Efforts shown:

• Apple Homekit
• MQTT⁷
• (e.g. EVRYTHNG)
• GE Predix
• Wireless HART
• CCC²
• Mirror Link
• Android Auto³
• Zigbee
• Thread⁵
• Siemens MindSphere
• Industrial Internet Consortium (IIC)
• Samsung SmartThings
• IEEE IoT Architecture Framework (P2413)
• Open Connectivity Foundation (OCF)⁴
• IP500
• Bluetooth, WLAN, IPv6, RFID, NFC, low-power wide-area (SIGFOX, LORA, RPMA), cellular⁸ (LTE CAT-M1, CAT-NB1, 3GPP Release 13) …

1 Defined set of software functions that facilitate development of applications and interoperability of hardware; 2 Connected Car Consortium; 3 Part of the Open Automotive Alliance; 4 Merged with Allseen Alliance in 2016; 5 Led by Google, Samsung, Qualcomm, ARM, NXP; 6 Led by AT&T, Cisco, IBM, GE, and Intel; 7 ISO messaging protocol for networks with limited bandwidth; 8 Cellular also provides middleware/infrastructure, e.g. authentication

SOURCE: Press clippings; company websites; GSA and McKinsey & Company “IoT collaboration”

2 CHALLENGES - IMMATURE SECURITY STANDARD LANDSCAPE


Customers of semiconductor players with high security level requirements, but mostly not willing to pay a security premium

“What is the risk acceptance of your customers for the most common use cases?”

[Chart: response options: Break-ins need to be avoided at all cost; Occasional security breaks are acceptable; Technology needs to capture 98% of risks; Technology needs to avoid most common breaks (>90% of volume). Values shown: 31%; 7%; 38%; 23%.]

“What premium are your customers willing to pay for the next tier of enhanced chip security?”

[Chart: response options: Higher than 20%; 0% or even yearly ASP decline expected; 10-20%; >0 - 10%. Values shown: 42%; 15%; 28%; 15%. Verticals: Automotive; Smart Buildings; Industrial. Legend: 10th percentile; Average; 90th percentile.]

SOURCE: GSA industry survey, team analysis

3 CHALLENGES - MISSING TRANSPARENCY ON VALUE ADD


Majority of security solutions are concentrated in software layers of the stack

Security is commonly seen as a “software problem”

“Companies think of software solutions only. There’s no perception that security needs to be embedded”

“Fingerprinting and hardware encryption are the only two value-add security products I see semi players offering”

“Security is a software-level problem. It always has been”

“Everyone has a role to play in the security value chain except semi”

Semiconductor players are not perceived as partner of choice to solve security by most market participants

[Chart: Percentage of total response options (N=219), total 100%. Categories: Connectivity companies; Suppliers of components (e.g., Tier 1); Semiconductor companies; Security solutions providers; Independent consultants. Values shown: 25%; 18%; 18%; 17%; 22%.]

SOURCE: Expert interviews, GSA industry survey

4 CHALLENGES - MONETIZATION OF SECURITY BY SEMICONDUCTOR PLAYERS


High security of connected cars is required, while attackers have an inherent advantage by targeting the most vulnerable entry point

Connected car: potential threat vectors

Attackers can target multiple entry points

[Diagram: connected car with Key Store, Private Data, HU, several ECUs and CAN, annotated with the threat vectors below]

• Attack on Vehicle Bus (Injection/capture)
• Malicious Firmware update
• Malware Delivery Thru Special Encoding in music
• Exploiting Open Source Software Vulnerabilities
• Attack from Apps in mobile Device
• Attack on Key/Certificate Stores
• Compromised ECU Controlled by Virtual SW

Threat scenarios

I. Malicious Firmware update: can be done OTA or directly via the car’s physical OBD port

II. Attack from Apps in mobile Device: Apps with malicious code can access the infotainment system through a connectivity bridge (e.g. in-car WiFi, BT)

III. Compromised Actuator Controlled by Virtual SW: Hacking into OEM server to negatively alter vehicle control software to the extent of taking control of critical ECUs

SOURCE: Harman, ABI research, expert interviews

AUTOMOTIVE VERTICAL DEEP-DIVE


It is currently unclear what a "security standard" should look like - A common pool of traffic situations is a possible solution

Automotive security standardization: unbound-condition standard

• “Security against an undefined set of harmful scenarios in a non-bounded environment”

• Currently unclear how to formulate or test

• Would include setting a “minimum security requirement” by authorities or common agreement

Threat vectors

Current automotive standardization: Fixed-condition measurements

• Based on meeting performance criteria in a defined test environment

• E.g., fuel consumption/emissions in test driving cycle on test station

Measurements

Possible Solution: industry agreement on a "common pool of traffic situations"

• Pool defines a set of traffic situations that all autonomous vehicles need to cope with

• Pool is regularly updated, OEMs guarantee compliance against pool

• Solves liability challenge of OEMs, but needs social acceptance of "incomplete" security

AUTOMOTIVE VERTICAL DEEP-DIVE


Different scenarios are possible on who will define the technical and security standards for autonomous driving

Automotive OEMs are likely to play different roles in shaping the security standards of autonomous cars

New entrants/digital attackers

• Are actively entering autonomous driving market from different starting point in value chain

• Have advantages in time-to-market and software capabilities

Autonomous driving leading OEMs

• Have decided to offer leading edge ADAS/autonomous driving systems and are actively pushing technology development

Fast follower OEMs

• Are expected to adopt technology when proven and cost-efficient

• Focusing on specific features for their customer segment

… leading to two most likely scenarios

Dominant players

• Major players continue pushing own standards, leading to a fragmented technical solution space

Industry standards consortium

• Industry standard consortium define common standards

• Standards are potentially co-developed with group of selected OEMs

Group of selected players

• Ad Hoc consortia of few OEMs are formed (e.g. mapping company HERE)

• Likely followed by standard setting by industry consortium/legislator through co-development

Other¹

• Other, e.g. new entrants define standards first and develop sufficient scale quickly enough

[Chart: Scenario likelihood, percent, for Dominant players; Industry standards consortium; Group of selected players; Other¹. Values shown: 20; 14; 32; 34.]

1 Including government, new entrants

SOURCE: expert interviews, GSA industry survey

AUTOMOTIVE VERTICAL DEEP-DIVE


Security in itself has no "value" and is hard to monetize, unless positioned as enabler of optional features

Value of option for a new premium car

• Security: 0 €

• ADAS/autonomous driving: 3000-5000 €

• Security of a car is hygiene factor for end customers

– “Must have”, not a distinguishing factor

– Zero willingness to pay

• OEMs apply “net zero” logic on all costs

– Material costs for any car model are fixed and cannot increase for new versions

– For any new generation, components need to either have decreasing cost or new features

– Any new component’s cost needs to be saved somewhere else in the car

• Price added for driver assistance systems currently is 3,000-5,000 EUR/car (over lifetime), to be expected constant for autonomous vehicles

• Cybersecurity is one recognized cost element enabling these features

– OEMs have recognized need to attribute cost to this new element

– 50-150 EUR/vehicle (over lifetime), depending on features, is currently estimated as a realistic “cybersecurity cost”

AUTOMOTIVE VERTICAL DEEP-DIVE


Semiconductor players can monetize on IoT security through innovation, expansion beyond the core business models and a sharpened value proposition

Implications/themes from GSA industry survey and expert interviews

Core technology business

Develop tailored security technology

• Close the gap to hackers for high-security use cases

• Develop “good enough” technology hitting price point and requirements for standard applications

Formulate the value proposition sharper

• Convince customer of value created rather than try to find requirements and deliver against those

• Find tangible measures to create awareness with customers

Expand into adjacent business areas and new business models

• Address issues currently unresolved in the stack e.g., leveraging partners

• Enhance the addressed value pool beyond the value of devices


Increase willingness to pay by creating greater transparency on security level?

Classification for features not directly observable by end users common in other industries

▪ Est. 1997 as a voluntary vehicle safety rating system, today seen as the “quasi standard”

▪ Publishes reports on new cars and awards “star ratings” based on performance in a variety of crash tests

▪ Supported by EU Commission and various EU governments

▪ Energy consumption labeling scheme est. by EU Directive for e.g., white goods and light bulbs

▪ Energy efficiency of appliance rated in classes ranging from A+++ to D

▪ Needs to be shown on sale display alongside the product's price

Value creation potential through application to IoT

[Graphic: label mock-up reading “IEEE IoT Security Rating” and “Basic security”]

▪ Great demand for high security as confirmed in survey

▪ Willingness to pay increases with higher transparency on security

▪ Would it be possible to capture value with an IoT security seal?


Thank you for your attention!

There is much more content in our report – don't forget to take your personal copy!
