What's Up with Tech?

Navigating the New Era of IoT Security with Kudelski's Expert Insights

May 04, 2024 Evan Kirstel

Unlock the secrets of ironclad IoT security with Hardy Schmubauer of Kudelski IoT, who joins us to unravel why security is not just an add-on but the bedrock of smart device integrity. In our mind-opening discussion, Hardy illuminates the transformative shift towards embedding security from the ground up, highlighting how regulations and standards are redefining the landscape. We journey into the world of unique ID and certificate provisioning, dissecting how Kudelski IoT is spearheading partnerships with semiconductor and embedded system leaders to ensure that development kits and toolchains are fortified from conception to decommission.

Be at the forefront of IoT innovation as we recap the revelations from Embedded World and the surging IoT trends across the automotive and medical sectors. Hardy shares the spotlight on Kudelski's pioneering collaborations, like those with Microchip, that are setting new benchmarks in secure provisioning. Plus, we zoom in on their cutting-edge Recover solution, transforming the realms of inventory management and theft recovery. With a glimpse into Phoenix's evolution into a tech oasis and Kudelski's engagement with the World Economic Forum, this episode is a goldmine for anyone vested in the nexus of IoT and security.

More at https://linktr.ee/EvanKirstel

Speaker 1:

Hey everybody, fascinating topic here on Friday, diving into the world of IoT security and connecting those billions of devices in a safe, secure way, with a true expert in the field at Kudelski, Hardy. How are you? Great, how are you? Thanks for having me on today. Well, thanks for being here. Really intriguing topic. For those who aren't in the industry, perhaps don't know of Kudelski, maybe introduce yourself and the mission of your team.

Speaker 2:

Yeah, great, thank you. Yeah, I'm Hardy Schmubauer. I'm Senior Vice President of Kudelski IoT, and just to give a brief background on Kudelski: I joke, it's the biggest company that nobody's ever heard of, but it's a billion-dollar company that has a long history in security. Our digital TV business unit secures most of the digital television or major digital television providers today, so DISH is one of our largest customers here in the US. We also have a cybersecurity division, and then we have Ski Data or Secure Access Division, which provides secure access into ski resorts, stadiums and a lot of the major venues here in the US and worldwide, and airport parking as well.

Speaker 1:

Airport parking. Wow, you guys are in a lot of interesting segments, so I'm not even sure where to start with this topic. When you think about IoT security, where do you start, like from a foundational level? How do you define the problem these days?

Speaker 2:

Sure, I mean, I think security really starts with, you know, at a very basic level, of giving devices a unique ID, a certificate, which is then used as the basis for secure operations, for secure boot, for firmware signing. So that's really where a device has to start is getting that unique or secure identity. We call the process of assigning that unique identity or certificate to the device, we call that provisioning. And if you're gonna do that while the device is already deployed out into the field, we call that in-field provisioning. So if you don't kind of start with that process in your device design, in your device deployment, it's really tough to have security of the device over its security lifecycle and the deployment of the device in the field.

Speaker 1:

Yeah, well, talk about a challenge. I mean, I think it seems to me security is often an afterthought when it comes to these connected devices, or at least has been. So how are you hoping to change that? You know, what are companies up and down the value chain? What should they be doing to think differently about security and the way they deploy, manage, build, develop, devices?

Speaker 2:

Yeah, I mean, I think, as you said, and I think in the past, security was really an afterthought and I think you really don't have security if it was an afterthought in your design. You really need to start with security from the beginning. And I think if you look, you know, five years back, you know, you ask a group of people who are designing the same type of product, you know, what security is, you're going to get, you know, multiple different answers of what security is.

Speaker 2:

But I think you see, in the industry now you're starting to see a lot of regulations, a lot of standards which are really harmonizing the language around security and also harmonizing the different requirements and regulations and levels of security within devices, because I think there's no one size fits all for security.

Speaker 2:

You know, a smart meter has a very different level of security than, say, a cat tracker. So you also can't have security for everything which is the same, because it would not fit a lot of the use cases. So you really have to look at security based on your requirements, your security targets and what the application is. Interesting. Yeah, please. But you're seeing a lot of regulation now which is happening in the market and that's really driving the security, I would say, industry forward when it comes to IoT. So the UK just put into place the PSTI Act that went into effect on April 29th and that requires a secure process and security guidelines to be followed for companies to be certified for that before they launch into the market. You're seeing very similar initiatives with NIST in the US and also in the EU with the Cyber Resiliency Act. So these acts and regulations are really harmonizing security, going forward and making IoT devices much safer in the future.

Speaker 1:

Yeah, fascinating. So compliance is one area. What about standards? There's a lot happening. You mentioned NIST. What's emerging or on the radar as far as standards are concerned?

Speaker 2:

Sure, I mean, I think you're seeing standards incorporate security into the definition of the standard. So if you look at Matter, for example, I think they've done a very good job of starting to incorporate security into the Matter standard and we are one of the certificate authorities for Matter as well. DLMS is another metering standard where you're also seeing where they're starting to put in place inside of the standard some of these basic security things such as provisioning and unique identities of the device, requirements for firmware updates over the air. Those type of parameters are now becoming part of the standard as well.

Speaker 1:

Fantastic progress. Now you actually start right at the foundation level, the silicon level, the embedded software, the foundational stack, to build in security. I mean, how does that work? How do you work with your partners on the semiconductor side and embedded system side to, you know, build in security.

Speaker 2:

Yeah, great question. You know, because developers start, you know, with, you know, a development kit from ST or Microchip, and that's really where, you know, the security journey needs to start, right? It's at the beginning of your design. So we work with a lot of the major silicon manufacturers to incorporate either the security features into the design directly (we've done that with Microchip) or into their tool chains where it's an option for the developer to then use or not, and we've done that with ST and Silicon Labs as well.

Speaker 1:

Interesting. So what does that mean for getting those devices in the field you build in security? You still need to provision them and manage that and update them. What does that complexity look like?

Speaker 2:

Sure, I think once you really start to follow the process and work with companies like Kudelski IoT, it really becomes a very seamless process to really design the unique IDs, be able to provision them, to be able to provision the devices into AWS or Azure kind of seamlessly to where those certificates can be used for the secure operations in the application. So it's very, I think, a seamless process if you utilize some of the tools that are available from Kudelski IoT and the semiconductor companies to give that kind of the device its secure foundation so you can have a secure lifecycle within its lifetime. But I think if you take a step back, you know, companies should really kind of start with, you know, a regulatory gap analysis of, okay, what are we going to need to comply with for this application, and then they should also do a threat assessment and risk analysis of the solution to define the security targets that they need to achieve with the device. And then, of course, you know, I think after you complete your design to those requirements, you should always have a security assessment done by a third party to make sure that the device actually does meet those requirements that you defined at the beginning.

Speaker 1:

Fantastic. And so where do you come in to the picture at Kudelski typically? I mean, do you design products solutions? Is it the software, the system, lifecycle management? I mean, what do you guys get involved with in a typical project?

Speaker 2:

So, to start with, we have a team of security experts that really helps companies do the gap analysis on the regulatory perspective and then to also do the TARA, or the Threat and Risk Assessment Analysis, to define the security targets for the device and the application.

Speaker 2:

So we help define and architect what the security should be for the application. And then we have our Keystream solution, which is what we work with a lot of the semiconductor providers to be able to give that device its unique ID, manage those certificates, be able to provision it to where it needs to go, whether that's Azure, whether that's AWS, and then to manage the lifecycle over the device, to do firmware updates over the air or secure boot so the device can have a security life cycle. And then we also have our security lab in Switzerland, which is, I think, one of the best labs out there for doing device assessments. So if you have a completed design, you want to make sure that that design is ready to be deployed in the field and be able to survive 20 years lifetime without getting hacked or without being at risk. We have a team of experts that can help determine if you reached your security targets by doing hacking or white hacking on the device to try to see where it has limits or where it can potentially be compromised.

Speaker 1:

Wow, that's fascinating. And, speaking of Europe, I understand you and the team were out at Embedded World. It looks like a fascinating event in Nuremberg in Germany. What were some of the takeaways or trends that you discovered there at Embedded World?

Speaker 2:

It was definitely back to, I would say, pre-COVID time, so it was great to be back at Embedded World. We had a couple of, I think, really exciting announcements at Embedded World. Prior to the show, we announced our partnership with Microchip. So we've been incorporated into the Microchip Trust Manager, so our secure provisioning and Keystream solution is incorporated into their products there. We also announced that, you know, we're working across the semiconductor industry with many providers to be able to provide these services to, you know, many different chips that are utilized by developers and designers, because I think most designers are going to use multiple different semiconductor providers. They're not only going to use a Microchip or they're not only going to use an ST. They probably have across their portfolio, they have multiple different semiconductor providers. So I think for us to be a value to the developer and the embedded engineers, we need to work across multiple semiconductor companies. So I think we've done a lot of that integration already across multiple different semi-providers. So it's very easy for developers to use us on, say, Microchip and then also be able to use us in a design later for ST or Silicon Labs or for Infineon.

Speaker 1:

Interesting and so you're obviously riding the wave of IoT adoption. Are you seeing any markets getting a lot of traction these days? I mean, obviously industrial applications are on fire and obvious benefits. Automotive is really exciting. What else kind of kind of you?

Speaker 2:

I think, especially when it comes to security. I mean, I think you're really seeing a lot of regulation and drive in the automotive industry, so you're seeing a lot of new regulation which is really raising the bar within the automotive industry for security. Also, medical devices, I think, are following quickly behind that, but I think you're seeing it that's kind of percolating through the rest of the applications of IoT as well, but I think those are, for sure, the two that are leading the security charge within the industry.

Speaker 1:

Fantastic, and you're a part of Kudelski, which is a very much larger global concern headquartered out of Switzerland. What else do you guys work on? Big picture wise?

Speaker 2:

Yeah, so within IoT, we are also developing some complete solutions as well. We have an asset tracking solution called Recover, where we utilize all of our Keystream and services that we've been talking about so far from a security perspective, but that's been an extremely successful solution for us. We're providing inventory management and theft recovery to auto dealers in the US, and then they offer it to consumers as a theft recovery solution for their vehicles, and then we're also starting to offer that to construction, waste and agriculture. We're getting a ton of traction within those industries as well.

Speaker 1:

Exciting times. Well, it's fascinating to see this evolution of IoT happening in real time. What are you looking forward to over the next weeks, months, any additional events or roadmap items you care to share about? What's on your radar?

Speaker 2:

Yeah, I mean, I think we're really growing rapidly in.

Speaker 1:

Kudelski IoT.

Speaker 2:

So really, you know, we tripled the revenue last year, so really look forward to continuing that growth this year. Attending the World Economic Forum at the end of June, which is also interesting, we're starting to look at the agriculture industry and I think there's a lot of interesting evolution within that industry as well, which is exciting for IoT.

Speaker 1:

When you're in Phoenix, which is becoming the chip boomtown in the US, perhaps in the world, with all the investment must be an exciting time to see all the new fabs and foundries and investment pouring in.

Speaker 2:

It is. I was previously in the Bay Area and had never really thought of Phoenix as a tech hub, but for sure, over the last few years it's really grown from a technology standpoint and I think a lot of the new fabs are really helping drive that. But it's impressive to see, you know, how quick the construction has gone up on some of those plants, and it's going to be exciting and, I think, you know, make Phoenix a technology hub for years to come.

Speaker 1:

Exciting times. Thanks for sharing the insight and amazing opportunity you have, and thanks everyone for watching. Reach out to Kudelski. They put out some really great content on the social channels, so give them a follow. Thanks, Hardy. Great. Thanks a lot. Have a good afternoon, take care. Bye.

Securing IoT Devices for the Future
IoT Trends and Industry Evolution