Hello. Welcome to this session with the STM32 trust and get started with security. In today's session, we're going to talk about why we need it. Why do we really need security? In our second part, we're going to talk about threat analysis, then root of trust in the third part, the fourth part, chain of trust, and last, we're going to go through some practical examples of threat analysis and analyzing your product design.

We see a lot of threats in the news and this is concerning. Most of the large hacks detailed in the media are hacks about confidentiality and they can be expensive. One recent survey estimated that data breaches cost on average $3.8 million each. This type of theft can be embarrassing too, like the theft of celebrity photos from Apple's iCloud or personal information at the Ashley Madison website. They can even be financially damaging, like the theft of tens of millions of internal documents from Sony or 83 million customer accounts from JPMorgan Chase.

However, the Internet of Things and connected devices are a bit different. These are mostly threats to integrity and availability and are just as important as threats to confidentiality. It's one thing for a hacker to be able to monitor your smart door lock to know who's at home, but it's another thing to be able to use that information and have the ability to unlock the door to allow a burglar in or even prevent you from opening the door.

With the advent of connected physical systems like cars, industrial equipment, medical devices, we've given the hackers the ability to cause injury or even death. So you need some sort of security, but do you know what you want? Do you know what you need? You know you want your devices to be secure, but what does it mean? Security needs to be considered from the beginning, but where is the beginning? So who really needs security anyway? And what are we trying to protect?
Well, we all need some level of security to keep safe information about ourselves, like health, financial, personal details, as well as our business processes, products and services. All these items or assets are valued by all participating stakeholders in an ecosystem. Different stakeholders value assets differently, and it's important to appreciate the true value of these assets. Of course, with handling and protecting assets comes risk.

What sort of assets would a cyber criminal be after? Almost anything that they believe can be exploited. It's one thing to have your personal data stolen, like the credit card information of a major retailer. It's another and far more dangerous if they can deny you control of your car. When a security breach involves transport, industrial or medical devices where personal injury can occur, data integrity is also linked to safety regulations, legal actions and fines if harm were to occur.

So first, what's at risk? Your brand, your reputation, and possibly lots of money. One important item to mention about security, and this is the most important item about security, is that security is a system. It is not a peripheral that you turn on and off.

Let's take a look at how the hacking community views a common Wi-Fi network. We see that a hacker will look at all possible routes to gain access to valuable assets. Your device needs to make sure that not only the device is protected, but also how this device participates in the bigger system. This high-level view will ensure that it can't be used to gain access to assets, or that other systems can't be used to gain access to the asset of your design. In our example, we need to make sure the system is built to protect the asset from perceived threats, all working together to make things secure.

Most attacks today, about 95%, are logical vulnerabilities, mainly software errors.
They need to make sure that these flaws are fixed quickly and make sure that they're identified up front, if possible, so that the consequence of overlooking these isn't huge development, test or support efforts. We need to keep the time-consuming support and development low.

Another important consideration is that security means different things to different people. Let's take a look at protecting a home here in 2020 and the security needed to protect a castle in the 15th century. Today, do you need a dog, cameras, door and window bars, or sensors, the police or your own weapons, or do you live out in the country? The security considerations here are very different from my castle. In the castle, I need to make sure I have food prepared for a siege, well-equipped archers, boiling oil, maybe a trebuchet or two, the location on the highest point to make sure my cannonballs are the most effective and to make sure my family, friends and community are all behind large stone walls. The situations are very different, but people within the 2020 home or the castle, they feel safe and secure because of what I've put in place to mitigate the threats and vulnerabilities that I have.

This is really the beginning and this process is starting you down the road of risk management. So what's important in risk management? It's building fortified solutions and when you do that, you need to understand the value of the assets you're going to protect. You need to understand your threats and vulnerabilities and you need to develop a security strategy to reduce your risk and that strategy needs to be at the right level of security for the value of the assets that you're protecting.

So make sure when you use microcontrollers, you make use of their integrity and hardware-based cryptography tools available, the crypto libraries, crypto accelerators, and also the robustness features like debug port protection, memory partitioning, firewall and tamper detection.
And in the end, you want to make sure that your fortified solution builds a layering of security functions and features and that your fortified solution makes the best use of these features for the system that you're participating in. So let's not make it easy for cyber criminals.