IoT security has been flagged as a huge issue. Data I/O have recently introduced a new system, called SentriX, to help OEMs and manufacturers combat this growing problem. Trevor Galbraith recently interviewed company president Anthony Ambrose about the system.
TG: There’s been a number of reports recently about security breaches in IoT devices. How big a problem is it?
AA: Trevor, it’s a big problem. And I think the latest public revelations are really the last in a long line of breaches that have been made public, then of course there are the ones we don’t even know about. I think the problem is that the enterprise people know how to deal with it on computers and routers and switches. But in IoT, I think the industry are behind quite a bit. Security cameras that are insecure don’t do anybody any good, as an example. And it’s understandable because up until now, it was challenging, especially for smaller manufacturers, to really understand how best to do security for their IoT platforms. It involved a lot of work. They had to pull things together from multiple different vendors. We’ve tried to solve those problems with SentriX here at Data I/O, and really our mantra for IoT security is we want to make it easy to simplify and scale. So for example, we can support OEMs of really any size, not just the big ones.
TG: So how exactly does the SentriX system work then?
AA: What it does, Trevor, is we’ve taken the secure black box if you will, a hardware security module otherwise known as an HSM, and we’ve integrated that into our Data I/O data programming equipment, at the hardware level. And at the software level we’ve also created a fabulous toolchain that allows us to take multiple inputs from OEM engineering, manufacturers, EMS providers, Silicon suppliers, certificate authorities, and integrate that into one job package, which allows our customers to provision all of the security information they need in one simple and easy manufacturing step.
One of the things we found out was for smaller companies that didn’t have a big in-house security staff, to do security properly you need to integrate all of these different elements. Again, as I mentioned, certificate authorities from OEM engineering, “how do you want to manage certificates?” “how do you want to manage keys?” “how do you want to manage serial numbers?” “how do you want to onboard to the cloud?” And so we created this SentriX product trader tool that pulls all that together in one easy package, that can be sent securely and in an encrypted manner to wherever you want to manufacture your products, either at a programming center, or an EMS, or your own factory.
TG: How will that integrate with the forthcoming IPC-1792 cyber security standard? I guess that’s just another certificate. Is it?
AA: Yeah. What we’re doing is we’re working with a number of organizations, standards bodies, and security companies that are interested in simplifying the whole process. So what we’re doing with SentriX integrates into these standards bodies very simply. We’re doing the certificates the same way that the semiconductor companies are doing it for their large customers with their own internal processes. So when you look at the chip, whether it’s done internal to a big semi OEM or done with Data I/O SentriX, it looks the same. We’re working also with the Global Semiconductor Alliance, IPC, and other standards bodies to make it as easy as possible for customers to integrate, not only for provisioning certificates and keys, but also then onboarding to the cloud and managing devices downstream.
TG: You have a couple of different types, you have SentriX custom support provisioning for each Silicon device. Tell me, how does that work?
AA: That’s a great question. One of the things we learned, Trevor, early on in SentriX was some customers had a fairly complex flow and they wanted it done their way, but many customers wanted to do one thing. They wanted to get onboard in the cloud, they wanted to establish a strong identity in hardware, they wanted to authenticate a device. And so what we’ve done is we’ve taken the use cases, about a half dozen of them, and for the most common use cases, we’ve created a predetermined flow, which we talked about simplifying the process earlier. This simplifies it to the greatest extent possible. So if someone wants to go onboard to the cloud, for example, they can give us a couple of parameters, we can get them a piece of Silicon back in a day.
TG: Do you program that into that piece of Silicon, is that how you’re doing it?
TG: And then how do you make that secure between the journey from the place where it’s programmed to the final assembly?
AA: Well, once you provision the security content, the information is provisioned into a secure location on the chip, and then it’s locked down. So it cannot be tampered with or altered in any manner. In actuality, it’s much more secure than, for example, waiting till the end of an SMT line to install security credentials. Because you have the whole SMT process that’s exposed before the security credentials are locked down. And as you know, in a secure SMT line not everything is a 100% yield, there’s always some, some rejects and things like that. Those rejects would have parts that would have potentially firmware in the clear or other credentials in the clear. With SentriX you never have to worry about that. Because the chips that actually go onto the SMT process have already got all the security information, and even if you have rejects or rework, those chips are secured and can’t be tampered with.
TG: I noticed that you’re also offering “security as a service”. Is this performed locally in each region or do they have to ship it to you in Washington?
AA: No, they don’t have to ship it to us. When we say security as a service, this is something we’re offering in conjunction with our ecosystem partners. So for example, we’ve partnered with Arrow, with Avnet, with Elsil, and they have programming centers in Europe, United States, and very soon in Asia. And so this will allow customers to choose the facility that’s most convenient for them. It’s the same process, the same security, the same capability with supply chain logistics that are most favorable for the end customer.
TG: Well, it sounds a great system, Anthony. What about your existing customers, is it upgradable to the systems you’ve got in the field at the moment?
AA: Yeah, that’s a great question, Trevor. As you know, Data I/O, we have over 330 of our PSV family systems deployed worldwide, in Asia, Africa, Europe, North and South America. And what we have now with SentriX is the ability to turn any one of those in a few hours into a SentriX ready system. So we have the partners I mentioned earlier in franchise to distribution all over the world. They’re working with customers and it’s a great facility for those customers that need a partner. But if you already have Data I/O equipment in your facility and you suddenly find the need to do a secure device, for example, and we anticipate this not only at our EMS customers, but also in our automotive customer base. So the idea is in a few hours, you can have a system that’s now upgradable to SentriX and run all the security items that I described earlier, secure elements, secure micros, on your existing production firmware system.
TG: Well, that leads into my next question. What type of customers are you targeting? I guess automotive is an obvious one, but we know they’re high volume. Who else do you see being typical customers for this?
AA: That’s a great question. When we analyzed the market, we saw really the market broke down into two types of customers. You had the people that build, let’s say, hundreds of millions of devices a year, and they were pretty well served by the semiconductor companies. We all know who they are, if you build a hundred million phones, you’re buying 2 million parts a week, approximately. And you’re going to get all the attention you need from a semiconductor supplier. But it turns out in IoT, as you know, IoT is really not one market, it’s maybe 20 or 30 different markets. And then each one of those may have four or five different sub markets. And there are not really a lot of hundred million unit applications there. Even in automotive, the overall automotive market’s a hundred million units, but when you break it down by name plate, and then tier one electronics and things like that, you have things that are on the order of a half a million units a year or a hundred thousand units a year. That’s really the sweet spot for us.
If you think about it, a hundred thousand units a year is 2000 parts a week, or 400 parts a day on a five day shift. That’s really not great dynamics for a very large semiconductor company. And for us, it’s perfect. Our machines run up to 2000 parts an hour. So 2000 parts a week, 10,000 parts a week. It’s very easy for us to do that in a way that’s very comfortable for the logistics, the operations, et cetera. And so the beauty of our system is from 8:00 to 10:00 in the morning, you could support a customer that’s building let’s say a smart meter, and then in about 10 minutes, reconfigure the system to support another customer that’s doing let’s say a charging station, or another customer that’s doing a fleet management application, or another customer that’s doing a security bracelet. So the very nature of our system lends itself to being a very flexible tool to support the customers in this let’s say a hundred to 500,000 unit a year opportunity.
And then you combine that with our tools. We make it really easy for them to do what they need to do without hiring expensive and very difficult to find security talent. We’re really trying to come up with a total solution and offer for these customers to help them in engineering, help them in manufacturing, and help them get to market quickly and easily.
TG: So who are currently your customers in the SentriX ecosystem?
AA: We’re working closely with companies that are offering programming services. I mentioned earlier, so this will be Arrow, Avnet, and Elsil. We’re working also with leading Silicon suppliers. So for example, Infineon, traditional Infineon as well as Cypress which they acquired last year, Renesas, NXP, and others. And we’re also working with certificate authorities, people like DigiCert, we’re working with ARM, people that set the standards. And of course, the IPCs, the Global Semiconductor Alliance folks as well. So we’re really trying to get the people that can provision the parts, people that can work with us on the semiconductor side, and then also the relevant standards bodies and industry leaders.
TG: Anthony, you’re certainly at the heart of a very important area at the moment. Cybersecurity is a huge issue in the industry. And I want to congratulate you and thank you for talking to us about SentriX today.
AA: Thank you.