When I think about the state of semiconductor security today compared to when I joined Cycuity in 2020, I can safely say that chip security conversations are now taking place with greater frequency and urgency. Over the past year, I observed three trends that I expect will continue and accelerate in 2024:
- Continued occurrence of new and increasingly sophisticated cyber incidents
- Emergence of new and broader cybersecurity standards, policies, and regulations
- Maturation of security methodologies, processes, and tools for chip development
Given the high stakes involved, it’s promising to see that the semiconductor industry is responding with greater urgency to the need for increased investments, accountability, and transparency. As a result, we can expect security to become further ingrained in the design process, with more focus on implementing a comprehensive security design lifecycle.
Cyber incidents will continue to emerge and AI will accelerate their sophistication
Earlier this year, researchers identified a vulnerability in several GPUs, including those made by Apple, AMD, and Qualcomm, that could expose large quantities of data. This discovery comes following the disclosure of flaws like Downfall, Zenbleed, and SLAM in 2023. Samsung, Intel, and Arm also acknowledged over the past 12 months that weaknesses exist in their semiconductors.
Late last year, the Triangulation Attack used a sophisticated chaining of multiple system vulnerabilities, including undocumented hardware features, to attack iPhones. Constructing such complex attacks is like threading multiple needles at the same time — it is highly sophisticated and labor intense. We can expect that the power of AI will dramatically accelerate the occurrences of complex cyber attacks, making it critically important that every system component is as secure as possible, including hardware and software.
For semiconductor development, establishing a proactive security program is relatively new but these examples underscore the critical need. Early detection of underlying hardware vulnerabilities before manufacturing is vital but finding them is a challenging process that demands product development, functional testing, and security testing to be closely integrated and operate in synchronization to address issues at the earliest stage possible.
Regulations will raise the stakes
Significant strides have been made by industry bodies and governments in recent years to enhance the security of electronic products, encompassing both software and hardware. The EU introduced the Cyber Resilience Act (CRA), while the U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued a voluntary framework for a hardware bill of materials (HBOM) in September, both centered on mitigating manufacturing-related risks.
With the CRA poised to elevate standards globally, security is becoming a greater part of software and hardware development processes. In some ways, the CRA is similar to the EU’s General Data Protection Regulation (GDPR) act, which significantly elevated standards for data privacy. It bakes secure methodologies into chip design and software development and covers the entire product lifecycle. And it’s already having an impact, as Porsche recently announced it will cease sales of its best-selling Macan SUV in Europe this spring. The decade-old vehicle can’t be adapted to comply with security requirements without prohibitively complex and costly updates.
The automaker’s plight highlights how regulatory pressure around semiconductor security will increasingly impact every industry in 2024. Porsche won’t be the only business that will have to make decisions to fall in line with the CRA. Penalties for noncompliance will be stiff — up to €15 million or 2.5% of global turnover — so companies will have no choice but to adjust.
In addition to the CRA and CISA HBOM, other regulations and guidelines were introduced in 2023. Notably, they include:
- The U.S. Food and Drug Administration (FDA)’s guidelines, also released in September, which ensure medical devices “are sufficiently resilient to cybersecurity threats.”
- The International Society of Automation (ISA)’s adoption of ISA/IEC 62443 standards for infrastructure cybersecurity, which are similar to the ISO 21434 standard and UN Regulation No. 155 that have already been implemented in the automotive industry.
- The National Defense Authorization Act for Fiscal Year 2024, signed into law in December, which aims to improve security across the semiconductor supply chain.
The possibility of additional product security legislation in 2024 remains unknown, but the developments observed in 2023 suggest that such measures are probable. These legislative advancements are steps in the right direction toward heightening awareness and consideration of semiconductor vulnerabilities.
The security development lifecycle will mature
In the last few years, semiconductor security went from something that’s nice to have to a must-have. Creating secure products requires aligning business priorities and security objectives across all stakeholders and implementing meaningful metrics to evaluate and address risk. For chip development, effective collaboration among security, design, and verification teams is crucial to ensuring a “secure by design” approach. As organizations strengthen their security programs in response to emerging cyberthreats and compliance requirements, higher priority will be given to establishing a security methodology that encompasses verifiable security requirements, comprehensive security verification, and documented proof of security signoff.
Ensuring security of the actual chip design needs to expand to the design supply chain, including third-party intellectual property (3PIP). Here, increased documentation, transparency, and accountability of the security of IP components are needed before they can be safely integrated into larger systems.
While cyberthreats are there to stay, at least for a while, we can effectively address them by building solid product security programs ranging from component development to product usage. Emerging standards and regulations help foster progress and alignment across industries and supply chains — making addressing security a “must-have” for all parts, including chip development.