feature article
Security As a Business Enabler

Stopping Malware for Fun and Profit

“A sect or party is an elegant incognito devised to save a man from the vexation of thinking.” – Ralph Waldo Emerson

Hey, buddy, you want a good deal on a gearbox for a city bus? Hardly used, works great. I’ll give you a good deal. Take your pick; I got thousands of ’em.

In fact, I’ll rent ’em to you if you don’t have the cash to buy. Low monthly rates. My associate here will help you install ’em. I’ll even throw in regular maintenance; first oil change is on me. You can’t lose!

That was essentially the deal offered to the burghers of a certain German city. Rather than own its entire fleet of 14,000 buses, the town would rent some of the major hardware components – like the massive manual transmissions – from a gearbox manufacturer. In return, the gearbox vendor would cover maintenance and upgrades.

But the real clincher was the gamification. Let’s challenge the city’s bus drivers to see who can drive the most efficiently and save the most fuel. We’ll post a leaderboard every month, and the driver with the best fuel economy gets a prize and eternal glory. Because it was a competition, the drivers participated wholeheartedly – and citywide fuel consumption dropped 20%. Everybody wins.

The enabling technology in this unusual municipal business arrangement was an array of sensors on the gearboxes that monitored each bus driver’s speed and shifting patterns. By streaming that data to the gearbox manufacturer for analysis, the company could recommend ways to increase mechanical longevity, improve fuel economy, and reduce costs.

And the enabling technology for that was increased data security. The data from those 14,000 buses was extremely valuable, both to the hardware manufacturer and to the city operating the buses. (And to the drivers competing.) Securing it is what allowed the gearbox manufacturer to instrument its products, which in turn allowed the city government to trial the program. Seemingly the least important link in the chain is what enabled the whole business model.  

“Security is an enabler,” says Christopher Schouten, Security-by-Design Evangelist (it says so on his business card) at Nagra/Kudelski. He sees security as a feature, not an irritation – as something you want to add to your product, not something you paste on later because your boss told you to.

He cites the OBD-II port found on nearly all modern cars. It’s a hidden connector, usually somewhere under the steering wheel, that allows mechanics to plug in diagnostic machines and troubleshoot electrical gremlins. Think JTAG for vehicles. But Schouten says that diagnostic port is also a business opportunity, especially for insurance companies. Every car’s onboard computer records things like top speed, brake pressure, and other data intended for diagnostic purposes, but which could also be used to gauge a driver’s behavior, driving patterns, or aggressiveness behind the wheel. If you’re willing to share that data with your insurance company, they may offer you lower rates. (Or maybe raise them, if you drive like Max Verstappen.) But securing that data would be vital for privacy, as well as commercial, reasons.

In short, security isn’t always for prophylactic purposes. Sometimes it’s profitable. It’s not always about stopping the bad guys, but sometimes about empowering the good guys.

Nagra/Kudelski is another one of those “20-year overnight success” stories. The Swiss company is actually closer to 65 years old and started out making tape recorders. To a certain class of old-school journalists, “Nagra” is synonymous with “tape recorder,” like Xerox and photocopier. Nowadays, the company has almost 4000 employees and has branched out considerably beyond its reel-to-reel roots.

The company’s security nous grew out of its work with Dish Network and satellite set-top boxes. Pay TV is notoriously prone to piracy and content theft. It’s a cat-and-mouse game between the content providers and the hackers who’d pirate that content. That gave Kudelski Group (as the company prefers to be known) decades of experience thwarting outside attacks from a global and ever-changing collection of motivated hackers. Three years ago, Kudelski separated the security group into its own division with over 100 employees.

Kudelski prefers to take a “cradle to grave” approach to security, getting involved in customer designs as early as possible. That starts with early brainstorming and consulting, all the way through to EOL product retirement, and every stage in between. Industrial customers, for example, may have products in the field for decades, and Kudelski basically owns and manages the product’s security for that entire time.

Schouten uses the example of an industrial turbine. It works fine for years before there are hints of malfeasance. Perhaps there’s a disgruntled employee; maybe it’s coming from a well-funded government-sponsored malware lab. Either way, Kudelski is able to update the machine’s security, change out keys, apply countermeasures, receive security telemetry that’s firewalled off from customer data, send secure commands, revoke permissions, etc. “You don’t want to just launch [a product] secure, you need to keep it secure,” he says.
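The lifecycle mechanisms listed above (changing out keys, revoking permissions, sending secure commands, and keeping security telemetry apart from customer data) can be sketched as a device-side command channel. What follows is an added example written for this page; it is not Kudelski's code or protocol, which the article does not describe. It assumes a device-specific HMAC-SHA256 secret provisioned at manufacture, a monotonic counter for replay protection, and a key ratchet so that a replacement key is derived on both sides from a public nonce rather than transmitted. Every key value, key id and command name here is constructed for the example.

```python
import hashlib
import hmac
import json
import struct

# Constructed sample: device-specific secret shared with the vendor at
# manufacture. Hypothetical value, not anything from the article.
INITIAL_KEYS = {"k1": bytes.fromhex("00112233445566778899aabbccddeeff" * 2)}


def command_mac(key, key_id, counter, payload):
    """HMAC-SHA256 over key id, counter and payload, so none can be swapped."""
    msg = key_id.encode() + struct.pack(">Q", counter) + payload
    return hmac.new(key, msg, hashlib.sha256).digest()


def derive_next_key(old_key, nonce):
    """Key ratchet: vendor and device both derive the replacement key from the
    current one plus a public nonce, so the new secret never goes over the air."""
    return hmac.new(old_key, b"rotate:" + nonce, hashlib.sha256).digest()


def make_envelope(key_id, key, counter, command):
    """Vendor side: authenticate one command under the named key."""
    payload = json.dumps(command, sort_keys=True).encode()
    return {
        "key_id": key_id,
        "counter": counter,
        "payload": payload.decode(),
        "mac": command_mac(key, key_id, counter, payload).hex(),
    }


class DeviceCommandChannel:
    """Device side: accept only fresh, authenticated commands; support key
    rotation and revocation; keep a security log apart from process data."""

    def __init__(self, keys):
        self.keys = dict(keys)      # key_id -> secret
        self.revoked = set()        # key ids that must never be accepted again
        self.last_counter = 0       # highest counter seen; rejects replays
        self.security_log = []      # telemetry for the vendor's security team only

    def verify(self, env):
        key_id = env["key_id"]
        if key_id in self.revoked:
            return False, "revoked key"
        key = self.keys.get(key_id)
        if key is None:
            return False, "unknown key"
        if env["counter"] <= self.last_counter:
            return False, "replayed or stale counter"
        payload = env["payload"].encode()
        expected = command_mac(key, key_id, env["counter"], payload)
        if not hmac.compare_digest(expected, bytes.fromhex(env["mac"])):
            return False, "bad mac"
        return True, "ok"

    def apply(self, env):
        ok, reason = self.verify(env)
        if not ok:
            self.security_log.append(("rejected", env.get("key_id"), reason))
            return reason
        self.last_counter = env["counter"]     # consume the counter only once authenticated
        cmd = json.loads(env["payload"])
        op = cmd.get("op")
        if op == "rotate_key":
            new_key = derive_next_key(self.keys[env["key_id"]], bytes.fromhex(cmd["nonce"]))
            self.keys[cmd["new_key_id"]] = new_key
            self.revoked.add(env["key_id"])    # retire the old key once its successor exists
        elif op == "revoke_key":
            remaining = [k for k in self.keys if k not in self.revoked and k != cmd["key_id"]]
            if not remaining:
                # refuse to strand the device with no key the vendor could still use
                self.security_log.append(("rejected", env["key_id"], "would leave no usable key"))
                return "would leave no usable key"
            self.revoked.add(cmd["key_id"])
        elif op == "set_param":
            pass    # ordinary operational command: hand off to the controller here
        else:
            self.security_log.append(("rejected", env["key_id"], "unknown op"))
            return "unknown op"
        self.security_log.append(("applied", env["key_id"], op))
        return "ok"


if __name__ == "__main__":
    vendor_key = INITIAL_KEYS["k1"]
    device = DeviceCommandChannel(INITIAL_KEYS)
    print(device.apply(make_envelope("k1", vendor_key, 1, {"op": "set_param", "name": "rpm_limit", "value": 3000})))
    nonce = bytes(range(16))   # constructed nonce; in practice fresh random bytes per rotation
    print(device.apply(make_envelope("k1", vendor_key, 2, {"op": "rotate_key", "new_key_id": "k2", "nonce": nonce.hex()})))
    print(device.apply(make_envelope("k1", vendor_key, 3, {"op": "set_param", "name": "x", "value": 1})))  # old key is now revoked
    print(device.security_log)
```

Two design points worth noting: the counter is consumed only after the MAC verifies, so an attacker cannot burn counters with forged traffic, and on a real device it must be persisted across reboots or a replay becomes possible after power loss; and the revocation handler refuses a command that would leave no usable key, because a fielded turbine that can no longer accept any authenticated command is a bricked asset, not a secured one.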

Industrial customers tend to have more tolerance – and budget – for premium-grade security like what Kudelski offers. Consumer products, on the other hand, have tighter design cycles and smaller budgets. They also have less to lose, as a rule. A hacked music player is an embarrassment, but a hacked power station is a national emergency.

That’s not to say that Kudelski works only with massive conglomerates and heavy metal. On the contrary, the company’s recent efforts have focused on small IoT devices and on ways to streamline their security requirements in resource-constrained environments. Security keys are exchanged using a proprietary algorithm that uses about one-quarter the bandwidth of a typical PKI exchange, according to the company. That conserves bandwidth and helps sleeping devices stay asleep.

The company also manages its own cloud platform, for customers’ benefit, and staffs it with 24/7 security experts. Threats are monitored, triaged, and escalated when necessary. Patches can be applied remotely, keys changed, APIs disabled, users locked out, or whatever else the team feels is appropriate. “We own the end-to-end chain, so we have more skin in the game,” says Schouten.

Kudelski’s pricing can even be based on performance. They keep your system safe from threats, or you don’t pay until the breach is resolved. If something doesn’t work, customers “get a vacation from paying the bill until the bug is fixed.”

Picking a security provider is like picking a dentist: it’s impossible for an outsider to evaluate their competence or quality. You can look at the diplomas (or patents) on the wall, but there’s no good way to tell a good one from a bad one. Kudelski feels that its history and its headcount are good proxies for quality. “We’re the oldest startup in the IoT space,” says Schouten. Employee retention is good, and they’re active in standards bodies and in academic research.

Security is also like insurance: it should be boring. If all goes well, your monthly payments are wasted. You don’t really want to see any activity. Kudelski would like to shake off the boring part and make security more interesting, even profitable. Just ask your bus driver.
