Security As a Business Enabler

Stopping Malware for Fun and Profit

“A sect or party is an elegant incognito devised to save a man from the vexation of thinking.” – Ralph Waldo Emerson

Hey, buddy, you want a good deal on a gearbox for a city bus? Hardly used, works great. I’ll give you a good deal. Take your pick; I got thousands of ’em.

In fact, I’ll rent ’em to you if you don’t have the cash to buy. Low monthly rates. My associate here will help you install ’em. I’ll even throw in regular maintenance; first oil change is on me. You can’t lose!

That was essentially the deal offered to the burghers of a certain German city. Rather than own its entire fleet of 14,000 buses, the town would rent some of the major hardware components – like the massive manual transmissions – from a gearbox manufacturer. In return, the gearbox vendor would cover maintenance and upgrades.

But the real clincher was the gamification. Let’s challenge the city’s bus drivers to see who can drive the most efficiently and save the most fuel. We’ll post a leaderboard every month, and the driver with the best fuel economy gets a prize and eternal glory. Because it was a competition, the drivers participated wholeheartedly – and citywide fuel consumption dropped 20%. Everybody wins.

The enabling technology in this unusual municipal business arrangement was an array of sensors on the gearboxes that monitored each bus driver’s speed and shifting patterns. By streaming that data to the gearbox manufacturer for analysis, the company could recommend ways to increase mechanical longevity, improve fuel economy, and reduce costs.

And the enabling technology for that was increased data security. The data from those 14,000 buses was extremely valuable, both to the hardware manufacturer and to the city operating the buses. (And to the drivers competing.) Securing it is what allowed the gearbox manufacturer to instrument its products, which in turn allowed the city government to trial the program. Seemingly the least important link in the chain is what enabled the whole business model.  

“Security is an enabler,” says Christopher Schouten, Security-by-Design Evangelist (it says so on his business card) at Nagra/Kudelski. He sees security as a feature, not an irritation – as something you want to add to your product, not something you paste on later because your boss told you to.

He cites the OBD-II port found on nearly all modern cars. It’s a hidden connector, usually somewhere under the steering wheel, that allows mechanics to plug in diagnostic machines and troubleshoot electrical gremlins. Think JTAG for vehicles. But Schouten says that diagnostic port is also a business opportunity, especially for insurance companies. Every car’s onboard computer records things like top speed, brake pressure, and other data intended for diagnostic purposes, but which could also be used to gauge a driver’s behavior, driving patterns, or aggressiveness behind the wheel. If you’re willing to share that data with your insurance company, they may offer you lower rates. (Or maybe raise them, if you drive like Max Verstappen.) But securing that data would be vital for privacy, as well as commercial, reasons.

In short, security isn’t always for prophylactic purposes. Sometimes it’s profitable. It’s not always about stopping the bad guys, but sometimes about empowering the good guys.

Nagra/Kudelski is another one of those “20-year overnight success” stories. The Swiss company is actually closer to 65 years old and started out making tape recorders. To a certain class of old-school journalists, “Nagra” is synonymous with “tape recorder,” like Xerox and photocopier. Nowadays, the company has almost 4000 employees and has branched out considerably beyond its reel-to-reel roots.

The company’s security nous grew out of its work with Dish Network and satellite set-top boxes. Pay TV is notoriously prone to piracy and content theft. It’s a cat-and-mouse game between the content providers and the hackers who’d pirate that content. That gave Kudelski Group (as the company prefers to be known) decades of experience thwarting outside attacks from a global and ever-changing collection of motivated hackers. Three years ago, Kudelski separated the security group into its own division with over 100 employees.

Kudelski prefers to take a “cradle to grave” approach to security, getting involved in customer designs as early as possible. That starts with early brainstorming and consulting, all the way through to EOL product retirement, and every stage in between. Industrial customers, for example, may have products in the field for decades, and Kudelski basically owns and manages the product’s security for that entire time.

Schouten uses the example of an industrial turbine. It works fine for years before there are hints of malfeasance. Perhaps there’s a disgruntled employee; maybe it’s coming from a well-funded government-sponsored malware lab. Either way, Kudelski is able to update the machine’s security, change out keys, apply countermeasures, receive security telemetry that’s firewalled off from customer data, send secure commands, revoke permissions, etc. “You don’t want to just launch [a product] secure, you need to keep it secure,” he says.

Industrial customers tend to have more tolerance – and budget – for premium-grade security like what Kudelski offers. Consumer products, on the other hand, have tighter design cycles and smaller budgets. They also have less to lose, as a rule. A hacked music player is an embarrassment, but a hacked power station is a national emergency.

That’s not to say that Kudelski works only with massive conglomerates and heavy metal. On the contrary, the company’s recent efforts have focused on small IoT devices and on ways to streamline their security requirements in resource-constrained environments. Security keys are exchanged using a proprietary algorithm that uses about one-quarter the bandwidth of a typical PKI exchange, according to the company. That conserves bandwidth and helps sleeping devices stay asleep.

The company also manages its own cloud platform, for customers’ benefit, and staffs it with 24/7 security experts. Threats are monitored, triaged, and escalated when necessary. Patches can be applied remotely, keys changed, APIs disabled, users locked out, or whatever else the team feels is appropriate. “We own the end-to-end chain, so we have more skin in the game,” says Schouten.

Kudelski’s pricing can even be based on performance. They keep your system safe from threats, or you don’t pay until the breach is resolved. If something doesn’t work, customers “get a vacation from paying the bill until the bug is fixed.”

Picking a security provider is like picking a dentist: it’s impossible for an outsider to evaluate their competence or quality. You can look at the diplomas (or patents) on the wall, but there’s no good way to tell a good one from a bad one. Kudelski feels that its history and its headcount are good proxies for quality. “We’re the oldest startup in the IoT space,” says Schouten. Employee retention is good, and they’re active in standards bodies and in academic research.

Security is also like insurance: it should be boring. If all goes well, your monthly payments are wasted. You don’t really want to see any activity. Kudelski would like to shake off the boring part and make security more interesting, even profitable. Just ask your bus driver.
