Pim Tuyls Of Intrinsic ID On Embedding Security in Product Design and Development
An Interview With David Leichner
In the face of escalating threats from malicious AI, incorporating cybersecurity best practices into the design and development of products is more crucial than ever, especially for manufacturing companies. How do product security managers incorporate these principles from the ground up? What steps do they take to ensure security is a core facet of their products? As a part of this series, we had the pleasure of interviewing Pim Tuyls.
Pim Tuyls, CEO of Intrinsic ID, founded the company in 2008 as a spinout from Philips Research. It was at Philips, where he was Principal Scientist and managed the cryptography cluster, that he initiated the original work on Physical Unclonable Functions (PUFs) that forms the basis of Intrinsic ID’s core technology. With more than 20 years of experience in semiconductors and security, Pim is widely recognized for his work in the field of SRAM PUF and security for embedded applications. He speaks regularly at technical conferences and has written significantly in the field of security. He co-wrote the book Security with Noisy Data, which examines new technologies in the field of security based on noisy data and describes applications in the fields of biometrics, secure key storage and anti-counterfeiting. Pim holds a Ph.D. in mathematical physics from Leuven University and has more than 50 patents.
Thank you so much for joining us in this interview series! Before we dig in, our readers would like to get to know you. Can you tell us a bit about how you grew up?
I was born in Belgium and had the privilege to grow up in “University City” Leuven. Growing up in this academic environment is how I developed my critical thinking skills and eagerness to learn. It was a natural fit then to start my career at the Philips Research “Natlab” with a Ph.D. in mathematical physics from Leuven University in my pocket. At that time there was a spirit of being at the frontier of new technologies and inventing technologies used to make the world a better place. It was a fantastic environment for inventors, researchers, and technologists. This environment had a huge impact on my career and was eventually where Intrinsic ID was spun out of in 2008. There were many disciplines available at the lab (physics, semiconductors, mathematics, coding theory, crypto and more) and I credit this synergy with allowing us to make fast progress and develop deep knowledge of Physical Unclonable Functions (PUFs) that forms the basis of the Intrinsic ID core technology.
Outside of work, and since my move to Silicon Valley, I enjoy open water swimming in the San Francisco Bay. I have swum the crossing to Alcatraz several times, as well as the Golden Gate Bridge swim and the 10k swim between the two bridges.
Is there a particular story that inspired you to pursue a career in cybersecurity? We’d love to hear it.
At that time, the word cybersecurity didn’t exist, but I had an interest in Quantum Crypto and Quantum Computing many years before I became Principal Scientist at Philips Research managing the cryptography cluster. It was there, looking at the biometrics of different chips, where I began to fully understand how this technology could bring an unprecedented level of chip security. As I mentioned, it was this inspiring environment that led me to where I am today.
Can you share the most interesting story that happened to you since you began this fascinating career?
Most fascinating is probably that I’ve experienced creating something from nothing. I was very lucky to be one of the co-inventors of PUF Technology. I’m grateful for the autonomy and support I had at Philips Research, and the opportunity to spin this activity out into a full business. We’ve grown into a company that now sells to the biggest tech and semiconductor companies in the world, and that has products deployed in more than 550 million devices and counting.
I am very thankful to all the people that have helped us along the road to achieve these results. At the same time, I often reflect on how many young people came to join us and have developed themselves into top technical or commercial experts. I feel lucky to have witnessed how a team of people focused on the customer and with a passion to win can achieve very remarkable results. I continue to be amazed and proud that with 30 engineers in the Low Countries, we sell to the biggest tech companies in the world!
Are you working on any exciting new projects now? How do you think that will help people?
For the past 15 years, Intrinsic ID has been a leading provider of solutions for enhancing embedded security at the hardware level. Our innovative offerings are rooted in the power of PUF technology, which harnesses the natural variations within the manufacturing process of integrated circuits to generate a distinct digital identifier. In particular, we use SRAM PUF, which leverages the behavior of standard SRAM memory, available on any chip, to create a digital fingerprint. This approach allows us to democratize hardware-level security. We make it scalable for the billions of smart things and their data that need to be protected.
We’ve been working on commercializing the use of PUF technology for security and authentication longer than any other vendor. We play a key role in making the digital world more secure in millions of devices from your wrist up to in space.
How do emerging technologies like AI and machine learning influence the risk to the cybersecurity landscape?
The increasing use of AI brings both new threats and opportunities. There will be a growing number of attacks driven by AI due to the fact that it can help attackers more easily set up sophisticated attacks. However, AI can also be a tool to add an additional layer of protection to systems. AI can enhance the ability to recognize patterns quickly, which allows them to defend against attacks.
We also need to keep in mind the different security requirements of AI systems. In addition to protecting against threats, such as counterfeiting, IP theft and eavesdropping, AI systems must safeguard their data models, which serve as the foundation for AI decision-making. Additionally, we are seeing a growing number of physical scenarios where AI is deployed on the edge. Edge devices face physical security risks that we need to think about differently than centralized server environments.
Ok, thank you. Let’s now move on to our main topic of Embedding Security in Product Design and Development. Can you share a few reasons why this is so critical in today’s cybersecurity threat environment?
All computing applications today need to be highly concerned about security as semiconductors are everywhere performing critical functions. The rapid expansion of the Internet of Things (IoT) and our connected devices encompassing smart homes, industrial facilities, and extensive utility and transportation networks, has created an abundance of opportunities for malicious actors to exploit these devices and potentially gain entry into larger systems and networks.
It is estimated that there are 15 billion IoT devices in use today, and that number is projected to grow to nearly 30 billion by 2030. Each of these devices is susceptible to online attacks and physical breaches in real-world settings. As IoT becomes increasingly integral in pivotal sectors such as automotive, industrial, critical infrastructure, healthcare, wearables, finance, smart residences, and urban environments, the task of securing these IoT devices becomes both crucial and challenging.
“Security by Design” is a philosophy often mentioned in product development. Can you elaborate on this concept and explain its critical role in today’s manufacturing landscape?
The Cybersecurity and Infrastructure Security Agency (CISA) defines “Secure-by-Design” to mean that technology products are built in a way that reasonably protects against malicious cyber actors successfully gaining access to devices, data, and connected infrastructure.
For many years in the IoT industry, security has been treated as an afterthought. Most companies producing IoT devices have rushed their products to market to gain some timely advantage over their many competitors. In a rush to market, security is typically one of the things that gets overlooked or where corners are cut. This means that for years hundreds of millions (or maybe billions) of devices have been connected to the IoT without proper security in place, which has led to wide-scale attacks that have crippled infrastructures and industries. Now governments are starting to realize that they cannot leave it solely to device makers to get their act together themselves when it comes to security, so around the world IoT security legislation is being drafted (see the EU Cyber Resilience Act, and the IoT Cybersecurity Improvement Act in the United States). These legislations will be an enormous push for “Security by Design” and will help to make the IoT more resilient against the vast amounts of attacks that are taking place every day.
With the rise of IoT and connected devices, what challenges and opportunities do you foresee in ensuring security remains integral throughout the product development lifecycle?
The product development lifecycle of IoT devices does not end with the “Security by Design” from the previous question. When products have been deployed, they typically receive many software updates during their lifetime. These updates are an opportunity to update bugs in the functionality but also the security of these products. However, the challenge with these updates is that they should always come from a trusted source. You don’t want attackers to be able to update the software of a device, since they will add malicious code to it that will help them to get further access to the device. Authentication plays a vital role here to make sure that only trusted code is loaded onto devices throughout their lifecycle and authentication schemes are hence some of the most important building blocks for any embedded security solution.
Rapid prototyping is becoming the norm in product development. How do you maintain robust security standards during these accelerated design and testing phases?
Certification of IP is becoming increasingly important, amongst others for maintaining robust security during accelerated design cycles, which is why we support initiatives such as PSA Certified. PSA Certified is a globally recognized framework for security best practices and certification for connected devices. It vigorously tests components to help device manufacturers ensure their products meet high security standards. This pre-certification of IP allows developers to fast-track products for full certification and further helps ensure supply chain integrity, chiplet security, and protection against reverse engineering.
Given the complexities of the manufacturing supply chain, how do you ensure that security isn’t compromised, especially when integrating components from third-party vendors?
A typical supply chain spans several different production and assembly facilities, where components from many different vendors are pieced together into a final product. Each of the many steps required to create a product is threatened by many potential attacks, ranging from overproduction and counterfeiting, to using malicious or lower-quality components. Authentication of individual components is key to making the supply chain more secure. When you are able to authenticate individual components, you can verify if the components come from a trusted source. This way you build trust and prevent the use of counterfeit, malicious, or low-quality components. And something similar needs to happen with the software that gets to run on the system. Only if you can verify the source is it possible to assign some level of trust to the different parts that the final product is made of.
As Industry 4.0 and smart factories gain traction, how are strategies and approaches evolving to embed security in products that align with these futuristic manufacturing trends?
In all Industrial IoT networks, sensors are the genesis of the journey for IoT data streams. These sensors create the data on which decisions are based and action is taken. Imagine what happens when attackers manipulate sensor data, which can bring entire production lines to a halt, or endanger the wellbeing of people in and around a factory or infrastructure. It is highly important that sensor data is transported accurately from its source to where decisions are made — at an on-premises control server or in the cloud. Transporting data securely requires end-to-end security by setting up secure channels for communication. These secure channels make sure data cannot be eavesdropped upon or altered when in transit. Solutions for this kind of security already exist in other vertical markets that have been dealing with communication security for a much longer time. Now they are slowly finding their way into smart factories as well, but the greatest challenge is to find good ways to add security peripherals to the resource-constrained sensor devices that are scattered across factories and that have not been designed with this type of security in mind.
Here is the main question of our interview. What are your “5 Best Practices for Embedding Security in Product Design and Development”?
1. Authenticate everything: You cannot have trust without authentication or proof of identity. You shouldn’t trust something you don’t know for sure, be that a component, data or another device. As mentioned above this goes beyond design as we need to be smart about deploying updates. Authentication schemes are hence some of the most important building blocks for any embedded security solution.
2. Security should never be an afterthought: The thing about leaving out security is you usually don’t know there is a problem until there is. Historically security as an afterthought has been the default. Now the stakes are even higher as we have become even more intertwined with our devices everywhere. They contain valuable data and are performing critical tasks. This is another reason why secure by design is so important.
3. Leave security to the experts (don’t try and do it yourself): Even if you have basic systems in place there are many aspects to consider. For example, there are many open-source security libraries that can serve as building blocks for encryption, authentication, authorization, data protection, cryptography, and more. However, these need to be integrated correctly. An example of this is that these libraries often come with placeholder keys. Many product developers have gotten down the road with their features and forgotten to change the key, making themselves an easy target for attackers.
4. Increase certification and standardization: Certification not only has the benefit of providing lab-validated security (such as in the case of PSA Certification) but it also gives designers and developers confidence in their components, which improves security and efficiency. We will never have a truly secure world until all developers are adhering to a standard of security throughout the supply chain.
5. There is no “one size fits all solution” for security: Developers need to consider all the information and threat scenarios possible and plan accordingly. Though our devices are increasingly handling sensitive data and proprietary technology, low-cost IoT devices will have vastly different security metrics than top secret government and defense systems.
You are a person of enormous influence. If you could inspire a movement that would bring the most amount of good to the most amount of people, what would that be? You never know what your idea can trigger. :-)
That is my mission with founding Intrinsic ID: we want to create a world that can be trusted. Currently everything is connected, and we’ve had a lot of examples recently of how scary that is when devices get hacked. We built these security solutions so that you can uniquely identify and authenticate the connected world around you. We hope that we are making the world a safer place.
In addition to a safer world, I also hope to encourage others to become vegan. The impact of veganism on climate change is huge and one of the easiest and quickest ways known to have an impact on the many natural disasters we are facing.
How can our readers further follow your work online?
This was very inspiring and informative. Thank you so much for the time you spent on this interview!
About The Interviewer: David Leichner is a veteran of the Israeli high-tech industry with significant experience in the areas of cyber and security, enterprise software and communications. At Cybellum, a leading provider of Product Security Lifecycle Management, David is responsible for creating and executing the marketing strategy and managing the global marketing team that forms the foundation for Cybellum’s product and market penetration. Prior to Cybellum, David was CMO at SQream and VP Sales and Marketing at endpoint protection vendor, Cynet. David is a member of the Board of Trustees of the Jerusalem Technology College. He holds a BA in Information Systems Management and an MBA in International Business from the City University of New York.