Although cybersecurity is often seen as a problem that primarily affects software, the importance and relevance of secure hardware development should not be underestimated. The complex manufacturing processes of electronic components bear a high risk of manipulation by third parties. The production of integrated circuits is distributed over several suppliers and locations around the globe. While manipulations on artifacts prior to production can be detected by software tools for verification in many cases, ensuring that no tampering has taken place on a manufactured chip involves considerable effort.
Further possibilities of compromising interventions exist, for example, when components are distributed for the next production step or assembled on circuit boards. This whitepaper by OneSpin gives a good overview why security and trust are very important along the supply chain. In this context ISO/SAE 21434 requires a so-called “cybersecurity interface agreement” between customer and contractor, which defines how information about vulnerabilities and incidents is shared, what information is passed on and who is responsible for the respective handling.
But malicious manipulations are not the only reason why the security of a hardware component can be compromised, e.g. by a back door or weakened cryptographic properties. With the increasing complexity of integrated circuits and systems on chip, the risk that a design flaw makes the entire system vulnerable to attacks increases. Because errors in the design and implementation of hardware cannot be subsequently corrected by an update, as is often possible with software, “security by design” is particularly important for hardware. The threat analysis and risk assessment required by ISO/SAE 21434 is therefore also relevant for hardware components.
YAKINDU Security Analyst supports the modeling of the security properties of complex hardware systems and thus helps to verify that the system design is secure.
Please contact us now if you have further questions.
Want to discuss further? Feel free to contact the YSEC Team. Otherwise, read more on our insights from reading ISO21434.