Issue link: https://resources.mouser.com/i/1437738
Security for the Connected World

By Kimberly Dinsmore, Sr. Engineer, IoT Infrastructure Business Unit, Renesas Electronics Corp.

Security is a word that never fails to elicit a response, but what it means varies greatly depending on context, even when narrowed down to the world of electronic devices.

For the consumer, security usually means that personal data is not available to anyone other than the specific intended recipients, but for products powered by a microcontroller, there often isn't much end-customer data to protect. Let's look at some other definitions of the word security. For software developers, "security" might mean that no one can steal their code. For original equipment manufacturers, security could mean that no one can create clones of their device. For service providers that offer a service via an electronic device, security often means that no one can use their service without proper authorization or payment. For governments, security can mean that the device cannot be infiltrated and used as a weapon as part of a distributed denial-of-service (DDoS) attack. All of these definitions definitely apply to microcontrollers and products based on them, regardless of market segment.

As soon as you enter the security realm, you are inundated by new terms and acronyms. The sheer quantity of jargon is mind-numbing. Let's take it one step at a time, while avoiding the difficult vocabulary. How do you go about incorporating security into your MCU-based design?

Step 1: Commit to designing in security from the beginning. When starting a new design, upper management wants to see progress, and to them that means a working prototype, but prototypes don't have to be secure, and security doesn't make a flashy demo to impress management and investors. As enticing as it is to defer security until the end of the design, do not succumb to the temptation. Yes, it will take some time up-front, and often require some management re-education, but it has been proven many times that security cannot be retrofitted into a design. Security is not an add-on; it is fundamental to the foundation of the architecture. Trying to add it later almost invariably results in a complete redesign: a data stream that was generated and transmitted byte-by-byte cannot be converted to an encrypted data block, hard-coded plaintext private keys can't magically become securely stored device-unique keys, and so on.

Step 2: Does your product fall under industry or government regulation? This requirement overrules any other thoughts about security. If your industry requires a specific suite of cryptographic functions, you must use that exact suite, even if there are alternatives that offer the same level of protection. Financial transactions and energy meters are just two examples where specific regulations exist and must be adhered to. Make sure you research and understand any regulatory requirements for your product, being sure to include general government regulations for the areas where your product will be used.