In today’s world, hackers, computer viruses and cyber-terrorists are making headlines almost daily. Security has become a priority in all aspects of life, and most importantly, of our businesses.
Recently hackers have been targeting the heart of our most complex systems, the Application Specific ICs (ASICs) and Systems on Chips (SoCs) that run them. The risk associated with these devices is ever-increasing. The range of hardware architectures, processors, drivers, operating systems and application software that they run, is becoming exponentially more complex. Due to growing security concerns and real hardware vulnerabilities in the IoT, Automotive, Datacenter, and Aerospace/Defense markets, the defensive security stack must now include the hardware. To reduce risk, the system’s security must be architected starting with the ASIC or SoC and then measured at all levels of the stack.
Unfortunately, for several major industry giants, hardware security vulnerabilities are on the rise. And these giants are not alone. The MITRE Corporation and the National Vulnerability Database reported about a 40% CAGR in hardware vulnerabilities between 2016 and 2019. This is because:
- Hardware is increasingly becoming more complex.
- The ROI associated with a hardware attack is very high with consequences up the computing stack. The industry certainly witnessed this reality with Meltdown and Spectre.
- The push to add more security features into hardware (specifically roots of trust) are heavily prone to mistakes that introduce vulnerabilities due to exponential growth in system complexity.
Cybersecurity is about reducing risk
Most of the industry recognizes that security is important, but how much is enough? How does a business know when its security level is reasonable? Most importantly, how much money and time should be invested? The good news is many hardware vulnerabilities can be avoided if design teams architect and implement with security best practices in mind. Identification and verification of vulnerabilities as the hardware is being developed is paramount to risk reduction.
To help, in Feb. 2020, the MITRE Corporation released version 4.0 of their Common Weakness Enumerations (CWE) list. The new version now includes hardware, which provides a valuable list of common hardware weaknesses that are the root causes of many vulnerabilities. The list is categorized into major themes such as Security Flow Issues, Debug and Test Problems, Memory and Storage Issues, General Circuit and Logic Design Concerns, and so on. The CWE list helps teams as they quantify risk exposure and provides a valuable guide for threat modeling and secure design. By identifying potential issues early, the projected cost of a security incident can be significantly lowered.
The return on investment for security is all about reducing risk. When investing in security prevention or reducing risk, teams should view their ROI as a measurable reduction in risk. This ROI for risk reduction is often calculated by the cybersecurity community using a Return of Security Investment or ROSI.
A hardware ROSI is defined as follows:
|ROSI =||(ALE * mitigation ratio) – Cost of solution|
|Cost of solution|
- Annual Loss Expectancy (ALE) = Single Loss Expectancy (SLE) * Annual Rate of Occurrence (ARO)
- Mitigation ratio = the percentage of hardware threats deterred by the cybersecurity solution
Using secure design practices and effective tools greatly mitigates vulnerabilities. This provides measurable improvements to the mitigation ratio and provides a significantly higher ROSI.
It is worth noting that reducing risk is much different than being compliant with a security standard. Standards focus on establishing a baseline of protections and processes for a specific market segment. In most cases, teams focus on meeting the base requirements of the standard, without a specific regard for risk.
Stated differently, you can be compliant with a standard but still be at high security risk. Ensuring a high mitigation ratio, as shown above, is critical to risk reduction.
Calculating Your ROSI
Today, there are well established processes and methods in the design of ASICs and SoC to ensure that they operate correctly. They are used to validate the expected behavior of a device in specific operating conditions. Typically, this involves verification teams creating environments using formal verification, directed testing with automated test benches, and full system emulation. These techniques have historically been very effective at producing properly functioning silicon. However, these environments are not designed to find unknown security vulnerabilities to reduce risk without an enormous increase in both time and money.
As an example, Tortuga Logic estimates that only about 12% of MITRE’s hardware CWEs can be identified trivially with existing verification environments. Assuming an annual loss expectancy of $5M for a security vulnerability in a modern SoC (very reasonable considering the costs of latest technology node mask sets alone), with such a low mitigation ratio the return on security investment is very often negative. This is further compounded by the spend on existing manual solutions which cost a significant amount of time and money.
However, Tortuga Logic’s Radix covers about 80% of the hardware CWE list. Suppose one fixes the cost of solution to be the same as above, the ROSI is always better and this improvement becomes even more significant as the cost of solution is reduced, which is typically the case when trading off Tortuga Logic’s security products with existing approaches. To reduce hardware security risk, you must have the technical solutions to provide this measurable reduction.