Page 48 - EE|Times Europe Magazine - December 2020

Know Your Adversary: Think Like a Hacker

[Image: A general training session at NXP (Source: NXP Semiconductors)]


following clues and solving puzzles related to security. Using hacking techniques and good security practices, they encounter and solve physical and logical attack situations as well as social engineering traps. Time-driven tasks increase the likelihood of making mistakes, which forces the team to think quickly and take decisive action.

Because Covid-19 has moved our training online, we plan to offer a virtual escape room to encourage participation from our employees around the world, as well as those working from home.

Think like hackers who try to break our products.
What are hackers doing, and what are their tactics for attacking chips and embedded devices? What is basic cryptography, and how is it used? What’s in the attacker toolkit? What are the threats and attack scenarios available to a hacker? How are vulnerabilities identified? What security functionality should be used and when? How are products evaluated and certified for security? Finally, how are attacks countered and implementations secured? These are some of the questions we ask our attendees to explore during their training. They are especially crucial for companies like NXP that build security products for e-government, automotive, banking, industrial, and IoT applications.

The format and approach of our program are similar to a university curriculum. Students start with the basics of cybersecurity and security design methodology and then ramp up to advanced training. For example, tracks for in-depth architecture address security in the product development (concept-to-release) life cycle. We also train our employees to meet new standards, laws, and regulations in different markets, geographies, and industries. This includes the emerging standards ISO/SAE 21434, for automotive, and IEC 62443, for industrial markets.

Students are encouraged to use a common vocabulary and communicate in unambiguous and decisive language in order to prevent misunderstandings. For example, ECC is a familiar abbreviation for error correction code, but in a security context, it usually stands for elliptic-curve cryptography. Training also clarifies which terminology to use and which terminology to avoid. For example, “tamper proof” should be avoided because perfect or absolute security does not exist.

Training “pods” or cohorts bring together a diverse group of employees from different levels and focus areas: IT, mobile, automotive, industrial, and IoT. This diversity builds a richer training environment and results in better collaboration and discussion of experiences and viewpoints from across the organization. Our customer-facing account managers also join this training to gain a solid basis for understanding customer needs and answering their questions.

Companies can also benefit from being active in industry organizations. Our participation in associations like the Charter of Trust and Auto-ISAC enables us to leverage industry best practices, know-how, and intelligence about new threats and vulnerabilities.

THE TRAINING NEVER STOPS

Consider the wider importance of security training. Consumers, companies, and governments rely on connected things, especially at the edge, where people want their devices to operate transparently, fairly, and safely while also giving them control over their privacy. Security is vital: We believe that building trust starts with learning how to build devices that protect data.

At NXP, we invest in training for our employees and customers by sharing best practices, training, and opinions on emerging topics, including an artificial intelligence ethics initiative for designing trustworthy systems.

Because there is no such thing as “perfect security,” no organization can be 100% protected from threats, which is why the information sharing with our colleagues and customers never stops. Security knowledge and behaviors are important for every stakeholder, from the CEO to the intern. We want to establish a culture that fosters collaboration, to build secure systems and secure connections for a world that constantly gets smarter — and training is key to doing that.

Lars Reger is executive vice president and chief technology officer at NXP Semiconductors.
