Sanjay Gangal
Sanjay Gangal is a veteran of Electronics Design industry with over 25 years experience. He has previously worked at Mentor Graphics, Meta Software and Sun Microsystems. He has been contributing to EDACafe since 1999.

EDACafe Industry Predictions for 2024 – Cycuity

 
January 9th, 2024 by Sanjay Gangal

By Andreas Kuehlmann, CEO, Cycuity


Regulations and Vulnerabilities Make 2024 a Pivotal Year for Semiconductor Chip Security

What 2024 Holds for Semiconductor Chip Security

Conversations around semiconductor chip security took place with greater frequency and prominence in 2023. Government legislation and newly discovered hardware vulnerabilities thrust the issue under the spotlight, and these developments will ensure hardware security remains a priority throughout 2024 and beyond.

The good news is that with so much at stake, the semiconductor industry is recognizing the need for more investment, accountability, and transparency. In 2024, we expect security will become a greater part of the design process, with higher priority given to adopting a comprehensive security design lifecycle that ranges from developing verifiable security requirements, through comprehensive security verification, to documenting security signoff.


We already see more focus on increasing collaboration between security, design, and verification teams to ensure that a “secure by design” approach is adopted and implemented across the chip design lifecycle.

Here’s what else can be expected to transpire over the next 12 months.

Legislation will raise the stakes

In the past year, governments took meaningful steps toward securing our electronic products, including software and hardware. The EU released its Cyber Resilience Act (CRA), and the U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued a voluntary framework for a hardware bill of materials (HBOM).

Both have ramifications that will be felt more strongly in 2024. The CRA, ratified in December, is set to go into effect early this year. It is poised to elevate hardware security standards in much the same way as the General Data Protection Regulation (GDPR) did for data privacy.

The CRA’s requirements govern the entire product lifecycle and aim to bake secure methodologies into software and hardware from inception. Manufacturers must demonstrate accountability and transparency from end to end, with severe penalties for noncompliance — up to €15 million or 2.5% of global turnover — ratcheting up the importance of moving security to the forefront of design.

CISA’s HBOM framework, published in September, has sparked momentum around enhanced supply chain visibility in the U.S. While it centers on mitigating manufacturing-related risks, there will be more urgency in 2024 to expand its oversight further left into chip design stages. By understanding every component, including in-house and third-party intellectual property (IP) blocks, embedded in a semiconductor, we’ll identify and address vulnerabilities before devastating threats emerge.

Similarly, the U.S. Food and Drug Administration (FDA) circulated guidelines in September that ensure medical devices “are sufficiently resilient to cybersecurity threats,” and the International Society of Automation (ISA) adopted its ISA/IEC 62443 standards for infrastructure cybersecurity. And within the automotive industry, the ISO/SAE 21434 standard and UNECE-R 155 require that automotive manufacturers incorporate cybersecurity considerations from the earliest stages of vehicle design and production. This “security by design” approach is intended to reduce risks and fortify the resilience of vehicles against cyberattacks.

These are all steps in the right direction, but we should anticipate that additional standards and regulation will be created to address the ever-evolving cyberthreat landscape. In addition, other federal or local governments might implement their own product security legislation in the coming year.

Regardless, the emerging standards, guidelines and legislative initiatives will ensure everyone considers the implications of semiconductor vulnerabilities more than ever before.

Threats will accelerate, but our knowledge will, too.

Several hardware vulnerabilities disclosed over the previous 12 months have highlighted persistent security gaps. Leading vendors like Qualcomm, Samsung, Intel, AMD, and Arm all acknowledged vulnerabilities in their semiconductors, making it clear that risks are ever-present.

These disclosures, while unfortunate, demonstrate why we must continually examine blind spots in chip design. Rigorous hardware security assurance goes beyond attempts at “patching” these vulnerabilities — which, unlike with software, is either impossible or very difficult with hardware. It requires stronger validation processes, more transparency into components that use third-party IP, and greater diligence across the ecosystem. We’re progressing on these fronts, but we’re not there yet.

In 2024, calls will only grow louder to expand regulation into the design stages — well before an affected chip is incorporated into millions of devices.
