Skip to main content

Integral Security Trust Element for the Internet of Things

Periodic Reporting for period 1 - INSTET (Integral Security Trust Element for the Internet of Things)

Reporting period: 2016-10-01 to 2017-03-31

The problem being addressed

The Internet of Things promises to bring everything from microwaves to pacemakers and shipping fleets online, leverage enormous amounts of new data, and ultimately, make our world smarter, easier, and more efficient. Yet, as millions on new IoT devices come online every year, their security remains a number one problem.
In order to be useful, IoT devices must make real-time bi-directional connections to the internet, and that type of communication is challenging to secure. Components of IoT devices are frequently not secure either, and are vulnerable to different kinds of attacks. Component electronics in IoT is based on low-end chips, which are small, inexpensive, and thus have limited memory and processing powers. Only high-end chips are protected sufficiently, because they can support existing heavy-weight security solutions.
There are existing solutions in chip security, but they are incomplete and very specific. They mostly target high-end, expensive chips. Low-end chips (such as the ones used in IoT devices) often lack security, and are vulnerable to attacks. Widespread usage of IoT devices will bring this problem to a new level, because security of a large distributed IoT system is only as good as security of its weakest points. No reliable distributed IoT service can be deployed successfully when its components cannot trust each other to be secure.

Why is it important for society?

Emerging technology Internet of Things (IoT) is promoting exciting new products and making life easier. As the number of interconnected remote embedded devices on IoT infrastructures continues to grow, security concerns and new attack vectors are raising. IoT remote embedded devices are targeting to become more pervasive in our lives and will have access to the most sensitive personal data such as social security numbers and banking information. IoT remote embedded devices are increasingly deployed in exposed environments (e.g. outside of a building, along a pipeline) with physical access and they are used in critical cyber-physical systems, thus a sensor that sends the wrong data to a cyber-physical system can trigger actions with disastrous consequences (e.g. emergency shutdown of a power plant, flooding in automated water management systems, unnecessary and dangerous evasive maneuver in a car). According to Hewlett Packard IoT Research study, IoT remote devices fail to comply with basic security best practices, such as authentication and authorization, wireless link encryption, secure software and firmware and around 70 percent of devices are using unencrypted network services. According to the recent reports, IoT technologies are in “survival and growth phase today” and new developments in security is the key to their success. Moreover, it is stated that software for IoT have hit the growth phase, but security lags.

What are the objectives?

Several building blocks of the INSTET solution are already completed. We have tested these blocks with our existing customers in semiconductor industry and OEMs. But in order to develop INSTET and bring it to the market, we need to ensure a clear product/market fit.
In SME Phase 1 we indicated three vertical markets, wearables, medical and automotive as the first markets to validate. During the project execution, we validate these markets. The results were very positive for wearables and medical markets. On the other hand, we have seen less interest on automotive compared to the markets of wearables and medical. The main obstacle is that automotive is highly regulated and conservative market. On the other hand, during the development of market analysis and by discussing with potential customers we found interest on critical infrastructures market. Some of the discussions probably will reach on new business opportunities and commercial projects. Then we decide to look the critical infrastructures market.
The objectives are:
Commercial/market feasibility
 Validate INSTET’s product/market fit in wearables, medical electronics, automotive verticals, critical infrastructure market;
 Prepare a detailed go-to-market strategy.
Economic/financial feasibility
 Determine INSTET’s business model;
 Determine costs, resources and timelines for successful commercialization.
1)We identify the following verticals and we focus in the following categories:
• Wearables: Wearables fitness, wearables with strong security requirements for electronic payments
• Medical: medical devices and mobile healthcare
• Critical infrastructures: Lightweight MCU and sensors for critical infrastructures.
The market numbers justify our interest.

2)We define room for improvement and our unique value propositions by using:
• Requirements by previous projects delivered to our customers, reverse engineering of products like fitness.
• Actively participating to worldwide leading-edge exhibitions, workshops and hosting security summits. As a result, we receive rich market insights and try to fit our value proposition to the market requirements.
• Interaction with the top representatives of SMs and OEMs and leveraging our previous experience on delivering security solutions in hardware. Meetings with them and with OEMs.
• Develop 9 demos over the last months together with top industrial players on core functionality that we will use to develop our IoT security technology.
• Explore R&D challenges via research programs and getting familiar with the requirements.
3) Our business model and the economic feasibility are presented and the forecast of revenue for the coming years.
4) The cost for commercialization and the corresponding working packages for commercialization are presented.

More details can be found on the attached pdf report.
INSTET project is targeting security services for IoT markets such as Wearables/Healthcare, Medical and Critical Infrastructures. INSTET addresses the problem of incomplete security solutions for low -end chips. Low-end chips (such as the ones used in IoT devices) often lack security, and are vulnerable to attacks. Widespread usage of IoT devices will bring this problem to a new level, because security of a large distributed IoT system is only as good as security of its weakest points. No reliable distributed IoT service can be deployed successfully when its components cannot trust each other to be secure.

Our project innovative components are the following:
Simplicity:
 Ubiquity, based on SRAM presence in almost all chips;
 Simple, integrated digital solution (standard tools & components);
 Software solution that allows retrofit to existing devices.
Scalability
 Low silicon footprint; Low software resources
 No dependencies on 3rd party products, no licensing issues;
 High reliability under extreme conditions (temperature, age);
 Multiple secure and scalable key provisioning options;
 Cost savings for all stakeholders.
Security
 No key-related material can be extracted from the INSTET-protected chip when the device is off;
 Truly independent and secure Root of Trust;
 High quality and independent true entropy source;
 Based on thoroughly peer-reviewed PUF and cryptography principles.

Expected potential impact

Our target market in the semiconductor industry for IoT can be split into two user groups:
 semiconductor chip vendors—manufacture chips and supply them to the device OEMs;
 device OEMs—integrate chips into end-user products across different verticals.
Although we predominantly sell into the first group, the needs of the second group define the demand for INSTET.
During the Phase 1 feasibility study we identified three most promising IoT market verticals that are served by the semiconductor industry:
 wearables (wearables for fitness and wearables with strong security requirements such as wearables for electronic payment, tracking, biometric recognition, emergency services);
 medical electronics (implantable cardiac pacemakers/external cardiac pacemaker, insulin pumps, hearing aids, neuro-stimulators);
 critical infrastructure.
While the devices built by OEMs in each of three verticals are diverse, many similarities can be found in the chips created for them—ultimately each IoT device collects some sensitive data via its sensors and communicates it elsewhere.
Most of IoT remote devices fail to comply with basic security best practices—70% of devices are using unencrypted network services . According to the recent reports, IoT technologies are in “survival and growth phase today” and new developments in security is the key to their success. Ensuring authenticity of the IoT device and securing its communication with others are two pressing needs for devices in each vertical. Inadequate security and privacy protection for user data remains the most urgent unsolved problem for IoT device OEMs .

EU & Global challenges
Both Europe and the rest of the world needs high-quality, affordable and interoperable cybersecurity products and solutions—successful cyberattacks in 2016 and 2017 showed that no country is immune to threats to its infrastructure and no citizen is enjoying absolute protection. IoT remote embedded devices are increasingly deployed in exposed environments (e.g. outside of a building, along a pipeline) with physical access and they are used in critical cyber-physical systems, thus a sensor that sends the wrong data to a cyber-physical system can trigger actions with disastrous consequences (e.g. emergency shutdown of a power plant, flooding in automated water management systems, unnecessary and dangerous evasive maneuver in a car).
But the supply of ICT security products and services within the EU single market remains geographically very fragmented, which makes it difficult for European companies to compete on all levels—national, European and global. There is a need for universally deployable technologies to protect both citizens and enterprises.
In order to deliver the EU cybersecurity strategy and the Digital Single Market strategy, the European Commission announced in July 2016 the launch of a public-private partnership on cybersecurity and additional market-oriented policy measures to boost industrial capabilities in Europe. This new partnership will support the Secure Societies Challenge to provide enhanced cyber-security, ranging from secure information sharing to new assurance models. New assurance models—in other words, new foundations of trust—are essential for facilitating the growing amount of electronic transactions, since most of them now take place between machines in all aspects of life (healthcare, transport, environment, etc.)
One the one hand, with INSTET we address this challenge by providing a Root of Trust—a necessary trust foundation for the IoT devices and distributed systems used in EU and globally. On the other hand, by providing a cost-efficient security solution for IoT chips we help EU semiconductor manufacturers to implement a competitive advantage.