Just over a year ago, Napa Valley was in flames, and the annual MEMS and Sensors Executive Congress (MSEC) had to be relocated from the Silverado Resort and Spa, located on the fringes of the Atlas Fire, to its sister hotel in San Jose, CA. So, it was with a bit of trepidation that I drove the switchbacks from Sacramento Airport to Napa to attend MSEC 2018 at the Silverado, October 28-30, 2018.
While the surrounding hills still showed some charred evidence of last year’s fire, I was relieved to see the resort had weathered the tragedy. And so, members of SEMI’s MEMS and Sensors Industry Group gathered to share a year’s worth of MEMS and sensors business developments, new application spaces, technology advancements, and important issues to keep in mind as artificial intelligence (AI), machine learning, and the internet of things (IoT) come into play.
Keynote speaker Cynthia Wright, cybersecurity expert at Mitre, kicked things off with a reality check on the inevitability of IoT-based cyber attacks and the importance of designing privacy, security, and resiliency into our MEMS and sensors. Future business could depend on it.
First, The Good News
According to MEMS and sensors market forecasters, the industry is on a growth trajectory, with revenue predicted to double from $50B in 2018 to $100B by 2023. This will impact every sector that feeds into it. Additionally, manufacturers are increasing the number of sensors they use in all applications to improve functionality.
Time-of-flight sensors are improving facial recognition. Smart speakers, such as Alexa, require more microphones to extend “listening” capabilities. More and different sensors are being added to drones to improve their capabilities, and autonomous driving requires a plethora of new and different sensor types. Additionally, as sensors and sensor fusion become more advanced, we see the application spaces grow beyond the traditional ones to include the wine industry, the bee industry, and other smart farming applications.
Yole Développement’s Guillaume Girardin said these are the electronics megatrends to watch for MEMS and sensors.
Seemingly Impossible, Certainly Improbable, but Necessary
This is the mantra Wright says the MEMS and sensors industry needs to adopt when thinking about security and privacy. If we don’t, all of this growth could disappear, as we lose consumer confidence.
While MEMS and sensors have tremendous potential to do good in the world, says Wright, because they are now pervasive in every sector of our world, hacking is a real concern. Thanks to how they are networked together, and the availability of machine learning and automated attacks, each one has some potential for cyber insecurity. Everyone is vulnerable.
Quoting multiple sources, she said, “There are two kinds of companies, those who have been hacked, and those that will be hacked.” The risks to our security span everything from actual safety to liability, destruction, privacy, extortion, theft, reputation, and more.
Wright cited some real-world examples of what has already happened over the past 11 years, and what could happen in the future:
- Hospitals have been targeted for ransomware, and there is evidence of individual devices, such as heart monitors and insulin pumps, being targeted.
- In 2016, the Mirai botnet attack exploited weaknesses in 300K connected autonomous systems to execute a distributed denial-of-service (DDoS) attack, bringing down most of the east coast Internet.
- Reports of cyber-savvy thieves hacking into homes through IoT devices for pre-theft reconnaissance: what’s worth stealing and when.
- Strangers hacking into baby monitors to watch/speak to children.
- Controlling vehicles by hacking onboard sensors.
- In the 2007 Aurora Experiment, Idaho National Labs demonstrated a hack against a power substation based on compromising the data being reported by embedded sensors.
- In the past month, hacks were reported into the admin/business systems of the ports of San Diego and Barcelona, exposing physical systems like cranes, auto-docking, or fuel delivery.
- Last week, China-made malicious chips were found embedded in SuperMicro’s motherboards that handle video compression for music streaming start-up Elemental.
What’s Taking So Long?
With 11 years of attacks under our belts, why haven’t we made more progress on IoT security? Because company leadership doesn’t yet prioritize it. “There’s not a sense that the problem is big enough, close enough or expensive enough that they should appropriate resources to deal with it,” said Wright.
When people developed these devices, why didn’t they think about securing them then? “Simple – it’s not the natural tendency of inventors to think that way,” said Wright. “It’s more, ‘what can we do with this technology,’ not ‘will people hack into my lightbulb.’ Chip people have been making chips for years the same way. They are chip experts, not cybersecurity experts. But it’s not too late to put the genie back in the bottle.”
Security By Design
It’s not feasible to go back and replace the infrastructure, but Wright suggests that as we modernize, we incorporate security principles into follow-on designs. While legislation is being considered, Wright urged attendees to make security a priority. She stressed the importance of designing privacy, security, and resiliency into our MEMS and sensors going forward.
She said design engineers need to think about the whole ecosystem, from chip to cloud, to implement a system built around an immutable (non-changeable) device identity. It must enable a trusted boot and ensure that over-the-air updates and authentication can be carried out successfully.
There are industry guidelines available to get things started, she said. The FDA has a medical device cybersecurity playbook that gives guidelines on how to procure medical devices, for example.
“I absolutely believe that in the next few years, whether or not a device is secure will be the differentiator in the market. We have the ability to move this in a positive direction. It’s important for society, for how the technology works, and for how we maintain national and economic security. And it’s just good business,” she said. “We can lose consumers if we don’t start doing this. People are becoming more cautious.”
No longer is it ok to accept the inevitability of attack and weather it. We need to plan for it with built-in redundancy to recover from it, she said.
Wright closed her talk stressing three takeaways:
- Cybersecurity is cheaper built in than bolted on.
- MEMS are the ultimate shadow IT. Beware of it. You can’t protect what you don’t know about.
- Don’t leave the solution up to the user. If security requirements are too inconvenient, they won’t be used.
No More Excuses
If we don’t take steps as consumers become more educated about the risks, it could reverse the trends towards autonomy. Now that the industry understands the possible consequences, however unintended they may be, we have a responsibility to act accordingly.
Some attendees still didn’t see the urgency, and their first response was, “Who will pay for it?” Wright assured us that it’s a much costlier venture to “bolt on” security than to build it in. She presented it as an opportunity to add value to MEMS and sensor products. Bottom line: the MEMS and sensor industry can’t afford NOT to address these issues. ~ FvT