As engineers explore the internet-of-things, purchasers need to ensure the security of intellectual property throughout the procurement and programming process. MicrochipDirect global sales manager, Martin Warmington, explain.
As IoT moves from small proprietary networks into mass applications in the consumer, enterprise, industrial and other markets, the potential reward for attackers is also increasing. From a technical perspective, there are established cryptographic and non-cryptographic methods for in-field protection of IoT networks and the data that they transmit. From a purchasing perspective, however, the security strategies are less clearly defined.
If the experience of off-shore manufacturing has taught the industry anything, it is that the process of protecting IP should not start when the final product hits the streets. Counterfeiting, reverse engineering and IP theft can occur on the production line or within an insecure supply chain, making security critical throughout production.
One of the most effective ways to protect IP is for buyers to make security a natural extension of the procurement and supplier evaluation process. The main priority is to check that the component manufacturer has complete control over the manufacturing and programming process. While there are some excellent third-party programming houses, each new link in the supply chain potentially injects additional risk. All companies involved in the supply chain should therefore have appropriate industry standard accreditations, such as those for the medical and automotive sectors, to ensure compliance for the end-product.
For MicrochipDirect, protecting customers’ code for PIC microcontrollers means that all programming is carried out in a dedicated in-house programming centre. This high level of control helps to ensure security for the code and for the microcontrollers during final assembly and programming.
Customer anonymity throughout programming can also make IP theft considerably harder. This starts with the customer uploading the device code as a 256kB encrypted hex file, via the company website. From here, the customers’ name is replaced by a barcode before the file is sent to the in-house programming facility. During programming, the barcode is the only means of identification, concealing the customer name and ensuring a more secure process. The customer’s name is entered back into the process only at the point when the components are ready to be despatched.
Some customers take anonymity a stage further by removing or replacing the Microchip markings on the device itself. Rather than using the Microchip logo and other identifying marks, the component is anonymised with custom markings, making it unidentifiable as an original Microchip component. This helps to prevent IP theft through reverse engineering of the end-product. For added protection, these custom markings always include a date and trace code. Primarily used by volume customers, this service can be accessed via Microchip’s distribution network as well as through the MicrochipDirect website.
A custom finish
While some customers want anonymity for the components used in their end-products, others prefer custom branding. This can include adding customer labels to components during the finishing process, which not only effectively camouflages the original source of the device, but can also help original equipment manufacturers to enhance the brand value of their end-products.
Finally, programming components at the end of the production process offers further procurement advantages. By purchasing a microcontroller ex-stock from MicrochipDirect and adding programming as part of the order, the only lead time is that required for the parts to be programmed. This eliminates any additional lead time incurred while the device is being manufactured and allows devices to be labelled as per customer specifications. Programming can be applied to all parts on a purchase order, or for a smaller batch of parts within a larger order.
IP and IoT
Although estimates vary, there seems to be a consensus that the current growth in IoT applications will develop into a multi-billion-dollar industry over the next five years. Securing the IP for IoT end-products will require the combined efforts of component manufacturers, as well as OEM design and procurement teams, to prevent IoT opportunity from transforming into an IoT threat.