With systems only growing more sophisticated, the potential for new semiconductor vulnerabilities continues to rise. Consumers and hardware partners are counting on organizations meeting their due diligence obligations to ensure security sensitive design assets are secure when products are shipped. This is an iterative process, so a security maturity model is a critical element in getting it right.
Businesses have historically centered their focus and their investment on securing the software used in their devices — not on the underlying hardware. But failing to build a comprehensive approach that addresses the hardware vulnerabilities early on means there’s no in-process mitigation of hardware security weaknesses. This shortfall can leave organizations susceptible to costly hardware security vulnerabilities after production or even in the later stages of system integration and development.
However, building a mature and comprehensive hardware security program takes time and is a process that goes beyond a single product design lifecycle. It’s a journey.
Knowing where to start and what goals to set can also be challenging. To make it easier, the Cycuity team has identified and defined four levels you can use to assess your current capabilities and take gradual steps towards an end-to-end hardware security verification program.
Level 01 – Foundational
The first level starts with creating security requirements and implementing specific features to address them. Then, organizations should ensure they correctly integrate configure and verify those security features, including third-party and internal security IP.
Level 01 – Checklist:
- Establish and document security feature requirements
- Implement hardware security features to meet requirements
- Apply functional verification to validate hardware security features are working
Ultimately at this stage, security feature requirements should be clearly defined, allowing stakeholders to align on the protection needs of the end product and then functionally verify their implementation.
Level 02 – Basic
During the next phase, it’s time to begin proactively performing the basic development and validation of security verification requirements. Organizations will also further the maturity of their security documentation at this level by documenting threat models and security verification requirements.
Level 02 – Checklist:
- Establish and document security verification requirements and threat model
- Identify and implement hardware protection mechanisms to counter potential threats
- Apply ad hoc, best effort security validation for a portion of requirements
Enumerating all of the security verification requirements of this level will allow organizations to proactively identify security vulnerabilities earlier in the design process before they can become serious ‘security surprises’ that lead to costly respins and missed deadlines.
Level 03 – Advanced
SoC Integration, and configuration can introduce security weakness during the design lifecycle. At this point, it’s essential to begin becoming more systematic during hardware security verification. Ensuring there are no unmitigated security weaknesses during security feature implementation reduces risk. Still, security weaknesses do manifest in interactions between components, so verification efforts need to scale the entire system and be periodically performed.
Level 03 – Checklist:
- Develop and implement a security verification plan that encompasses all security verification requirements that have been established and documented
- Regularly and systematically apply security verification during the design lifecycle
- Document the results of the security verification process before tape-out
A fully integrated security verification program will help during tape-out, too. It allows teams and organizations to confidently demonstrate that they’ve made an effort to detect and remediate the broadest set of potential hardware weaknesses before signing off and that all hardware security requirements have been met.
Level 04 – Comprehensive
The last key area, and one more challenging to address, is introducing a metric-driven approach that transforms the program into one that ensures and demonstrates holistic governance end-to-end.
Level 03 – Checklist:
- Establish, track and report on security metrics around verification — including coverage of industry standards such:
- Ensure security governance extends from requirements to tape-out for manufacturing Mandate full compliance with all security verification requirements by requiring a security signoff
Introducing metrics is highly effective for measuring the status of a security program and tracking progress towards a well-defined tape out. However, the benefits of this process extend beyond one team or organization. With external stakeholders, such as partners or certification services concerned more than ever about device security, this approach provides a foundation to demonstrate that an organization is developing semiconductor chips with a framework and processes that solidly verify their security.
Advancing Hardware Security Maturity with Help from Cycuity
Cycuity has solutions and best-practice services to help customers during any stage of their hardware security maturity journey, helping them:
- Define comprehensive and verifiable security requirements.
- Automate security verification during all phases of chip development.
- Make data-driven sign-off decisions backed by complete traceability.
By sufficiently maturing a hardware security program with Cycuity as a partner, organizations can discover and mitigate issues pre-silicon and demonstrate their commitment to developing trustworthy electronic products for external partners and consumers.
Learn more about Advancing the Maturity of Your Hardware Security Program.