AspenCore Media has taken a deep dive into the question of Where Security Meets Privacy in the 21st Century. Included in this Special Project are: Sitting at the Crossroads of Cybersecurity and Privacy, Designing Hardware for Data Privacy, and Facial Recognition: The Ugly Truth.
Electronics distributors – which often serve hundreds of suppliers and thousands of customers – have always been cognizant of their partners’ privacy and security. The stakes have gotten higher, though, as the supply chain reckons with the digital evolution.
There was a time when distributors’ biggest worry was keeping Dell’s orders isolated from Hewlett-Packard’s. Now, intellectual property (IP) protection is the channel’s responsibility. One example: Distributors program FPGAs, PLD, and similar devices in bulk for their customers. That requires customers to transmit proprietary code and IP to distributors’ programming facilities.
“There’s a lot been going on regarding programming in the past five years,” said Don Elario, who heads the ECIA’s Global Industry Practices Committee (GIPC). “When you engage with the top-tier tech companies of the world, their IP and identity protection expectations are very high.”
The Electronic Components Industry Association (ECIA) represents distributors, component manufacturers and manufacturers’ reps; develops industry-specific guidelines and best practices; and works closely with international standards organizations. The ISO 27000 series of standards addresses the security of information and software exchanged within an organization or with any external entity, Elario said.
ISO 27000 provides a process framework for IT security implementation and can also assist in determining the status of information security and the degree of compliance with security policies, directives and standards. It promotes efficient security cost management, compliance with laws and regulations, and a level of interoperability due to a common set of guidelines followed by partners. It can improve IT information security system quality assurance (QA) and increase security awareness among employees, customers and vendors, and it can increase IT and business alignment.
Among its guidelines, ISO advocates the development of formal exchange policies, procedures and controls to protect data shared internally or externally through all communications methods.
As an industry, Elario said, distributors have spent time, effort, and resources to understand and comply with ISO 27000. “[IP protection] is extremely important to companies that go to distributors for programming,” he said. “Their IT systems must work together, and agreements must encompass how the systems are going to protect the code and programming. Those efforts [within the channel] have been ongoing and strong. Customers are demanding protection not just for code but for their identities.”
As distributors get more involved with high-level global customers, he added, “their security and privacy services have to be appropriate for that space.”
ISO 27000 advises policies cover the protection of data “at rest.” This includes antimalware controls and guidelines for the retention and disposal of information. Any policy needs to cover all methods of modern communication.
In this regard, distributors’ responsibilities are twofold. They must protect against the insertion of malware or malicious code into the components they store, sell and transport. They also must guarantee – for the component’s entire lifecycle-- that the parts are authentic.
Protecting parts, point-of-sale & provenance
Best practices guide customers to buy only through authorized distribution. These resellers take possession of components directly from the factory and then track and trace them throughout their lifespan. They also adhere to all quality, storage, and handling practices required by suppliers.
Components frequently are sold to non-authorized distributors, most of which won’t touch factory-sealed boxes. Less scrupulous entities may mix counterfeit parts with authentic products; tamper with the markings or even coding of chips; and fail to provide the provenance of the devices. Suppliers may not honor warrantees on such parts.
Supplier-distributor relationships also require significant data exchange about customers – OEMs, EMS providers and designers. This has always been a sticky issue for the channel. Suppliers want to know who is buying their products and what applications they’re targeting. They also reward distributors for assisting with customers’ designs. This requires information beyond customer identities, buying habits, pricing and shipping agreements. It requires information about their designs.
Privacy laws are changing the way distributors share customer and point-of-sale (POS) information with their suppliers. A California privacy law recently caught the supply chain’s attention. Like the EU’s General Data Protection Regulation (GDPR), according to ECIA, the law permits an individual to know what information is being collected about them, with whom that data is being shared and permit data collected about them deleted.
The statute adds requirements about the sale/transfer of data to third parties and specifically permits an individual to opt out of data sales to third parties. The act, in short, clearly establishes the principle that consumers own and control their personal information.
One unique provision is that the law permits businesses to incentivize consumers who allow for the sale of their personal information. These financial incentives could include a different price, rate, level, or quality of goods and services when "reasonably related" to the value provided to the consumer by use of the consumer's data.
The new law is likely to have broad application throughout the digital world, according to Robin Gray, chief operating officer and general counsel of ECIA. The supply chain is proceeding with caution.
“GDPR has been impacting the reporting between suppliers, distributors and customers,” Elario said. “[ECIA] has been reviewing POS guidance. There will be some adjustment to POS to be compliant with GDPR.”
The channel has embraced the digital evolution and manages data at multiple levels, including customers’ financial information; supplier technology roadmaps; and board and systems designs. It could be a challenge, experts say, for the supply chain to match technology’s rate of change.
Check out all the stories inside this Privacy and Security Special Project
Privacy Versus Security:
These two notions have never been mutually exclusive, but today's technological developments have been increasing the tension between them.
Where Security Meets Privacy in the 21st Century
Since time immemorial, humans have been concerned with the subjects of security and privacy, but the convergence of many of today's technologies -- especially in the form of the internet the Internet of things (IoT) -- mean that the stakes have never been higher.
Designing hardware for data privacy
Ensuring privacy of electronic data requires data security, but a secure design does not necessarily assure data privacy. Developers must consider the two together.
Sitting at the Crossroads of Cybersecurity and Privacy
The combination of the headline worthy data breaches and new privacy legislation have put data protection and privacy on the top of the agenda for electronics OEMs.
Facial Recognition: The Ugly Truth
AI is making automated facial recognition for mass surveillance a reality -- but at what cost?
Why engineers need to understand data privacy laws
Industry initiatives are underway in the U.S. to explore data privacy and how deep in the design process it should start, but in the meantime, U.S. engineers need to understand and be compliant with the EU's GDPR in a global economy.
Enhancing privacy and security in the smart meter lifecycle
Concerns about security and privacy of connected devices coalesce in the lifecycle of smart meters. Here's how IoT platforms help protect smart meters and their data despite an ever-growing number of threats.
Chip Security Emerges a Hot Topic in the Supply Chain
As more electronics devices are connected and hence hackable, OEMs are having to bring good security practices, designs, and devices into their products as soon as possible.
Also check out these related columns
The Illusion of Security
This mini-series of articles explains how today's cyber security is like a bucket with hundreds of holes, and each software solution is a patch to a single hole. We don't need more patches; we need a new bucket!
Privacy Issues with Voice Interfaces
Voice interfaces are only going to get more common, and there is a great market opportunity for those vendors that get their product and its approach to privacy correct.
Security in Semiconductor Manufacturing
Today's manufacturing lines are increasingly prone to IP theft and reverse engineering attacks. Savvy chipmakers know to institute secure systems to guard against them.
Will the Real Root of Trust Stand Up?
Not all roots of trust are created equal, nor are they all implemented in the same fashion on silicon.
How Many Layers of Security Do You Have?
Depth of defense and principle of least privilege are two concepts system and SoC designers must embrace as they seek security answers for their designs.
Multiply and Isolate Your Roots of Trust for Greater Security (Part 1)
Security designs can have multiple entities, as well as isolation, among separate applications on a chip.
Multiply and Isolate Your Roots of Trust for Greater Security (Part 2)
In order to give you confidence, you want assurances that all applications in your secure silicon IP are isolated from each other.