New Security Industry Association (SIA) member NewAE Technology Inc. provides tools for performing embedded hardware security research and works to make these tools widely available by minimizing cost and keeping the designs open. The company is headquartered in Dartmouth, Nova Scotia.
SIA spoke with Colin O’Flynn, chief technology officer and co-founder of NewAE Technology Inc., about the company, the security industry and working with SIA.
Tell us the story of your company.
Colin O’Flynn: NewAE Technology Inc. was founded in 2015 as part of an offshoot of my Ph.D. research on embedded system security. We were helping to build open-source tooling to help designers understand advanced cybersecurity threats that exist when you take software and put it onto physical systems (such as access control readers and controllers).
Since then, we’ve grown across many industries and have more recently been working with companies developing and installing burglar and access control systems on several fronts. There can be a lot of confusion around “hardware hacking” and what it really means for users (How secure are the systems? How sophisticated are attackers?). We realized there is an opportunity to help across the board here – working with concerned customers, helping access control techs understand these threats and even working to disclose issues we find along the way to the designers so they can be fixed.
What solutions/services does your business offer in the security industry? And what makes your offerings/company unique?
CO: Our background is heavily in the low-level security analysis and consulting world. As part of our growth we’ve developed test equipment that is now widely used as part of embedded cybersecurity testing in many industries (ChipWhisperer and ChipSHOUTER products), along with developing educational materials such as trainings at Black Hat and other conferences. Our educational material spans all ranges – we also produce many free examples and tutorials, and I’m co-author of the Hardware Hacking Handbook, which was just released, and parts of it are based on our educational materials.
Our solutions and services are unique, as we come with a large background of embedded cybersecurity expertise. Our current background has been mostly one-off efforts such as validating specific device security or installing systems with unique evaluations required, but we’ve realized there is a demand for more general and widely available training and services to help everyone in the industry with this embedded cybersecurity knowledge. We’ve also built some custom equipment around improving access control security against these threats that we’re looking at bringing to market.
What is something we might not know about your company – or something new you are doing in security?
CO: Embedded cybersecurity is a relatively well-established field, as many of the foundations go back to the battles against pirates with satellite TV hacking more than 20 years ago. We haven’t been around quite that long, but we have been releasing educational material and test equipment products since our founding eight years ago. But in the past couple of years there’s been a very noticeable shift in interest in embedded cybersecurity, and especially validating products and designs against next-generation attacks.
A big part of that is to help everyone in the value chain understand the threats and countermeasures. Simple attacks (card cloning) are well known enough to be of concern for end users, but bringing awareness of more advanced attacks such as power analysis for leaking encryption keys is important to make smart decisions around threat modeling for system design.
What is your company’s vision, and what are your goals for the security industry?
CO: Our company’s vision has been to make the tools and information required for embedded engineers to understand cybersecurity threats more readily available. For the security industry we want to engage with stakeholders of all types – not just the designers, but installers who need to better understand cybersecurity claims that manufacturers may be making.
What are the biggest challenges facing your company and/or others in the security industry?
CO: Anyone involved in electronics manufacturing knows about the supply chain pains – it’s not a very exciting challenge but may be one of the most difficult ones to surmount when physical products are involved!
What does SIA offer that is most important to you/your company? And what do you most hope to get out of your membership with SIA?
CO: For a company recently transitioning to the security industry, the chance to meet others in the industry is critical for understanding the current requirements. In the future we hope to also provide effort to working with standards that are bringing the highest security levels to new systems, such as SIA OSDP, and providing feedback about how more validation of a system’s resistance to cybersecurity threats can be provided.
How does your organization engage with SIA? What are your plans for involvement in the next year?
CO: COVID operations have obviously impacted our ability to offer the sort of in-person training along with attending events, but we’re hoping for the chance to meet others in the area virtually until we are at the next in-person event. If you’re interested in the sort of cybersecurity knowledge we mentioned, we’d love to hear from you. We’re planning on setting up a virtual “catch-up” around the topic of embedded cybersecurity to hopefully give people a chance to ask the sort of casual questions that make the in-person events so much fun.
The views and opinions expressed in guest posts and/or profiles are those of the authors or sources and do not necessarily reflect the official policy or position of the Security Industry Association.