Nicole Fern is a Senior Security Analyst at Riscure North America. In this role she works on both hardware and software projects, and is also involved in Riscure’s Training Academy as a trainer. Nicole also often represents Riscure at various conferences and events on topics like Fault Injection, Side-Channel Analysis, and Pre-Silicon. In this interview, Nicole shares her perspective on device security, her experience at Riscure, and a memorable onsite training experience involving Riscure’s CEO.
What appealed to you to join Riscure?
One of the factors that drew me to Riscure was the hands-on factor, specifically that at Riscure you are actually working with devices and various equipment for side-channel and fault injection testing. I have also met Jasper and others from the Riscure team at various conferences in prior years and from what they shared with me about the company and the projects it was clear that there is a broad spectrum of topics. In prior positions, I worked only on pre-silicon security, so this variety and the ability to choose different topics also appealed to me. It’s always something new, challenging, and exciting.
What was your first impression of Riscure?
I joined Riscure in the middle of the pandemic, so the onboarding and initial introductions to the team were completely online. From the first moments, I was impressed by how talented all the people at Riscure are and by the depth and variety of knowledge and experience that each person has. Everyone has a unique set of backgrounds, experiences, interests, and projects that they have worked on. This uniqueness allowed me to learn so much from my colleagues.
Riscure North America is a smaller office compared to the headquarters in Delft, the Netherlands. The office in Delft is always fun to visit and reminds me of a university environment more than an office environment, with high energy levels and a lot of activity. The office in San Francisco is a bit quieter and more distributed, with many analysts and project managers living and working outside the SF Bay Area. To bring everyone together we have a lot of great all-hands events, where the entire Riscure North America team comes together for a week to build connections and collaborate. The first of such events was very freeform, chaotic, but so much fun. We tried to hack different devices, and rode bikes to the top of Hawk Hill, on the other side of the Golden Gate Bridge. The next events became more structured with more team building activities, which helped us interact not only with other analysts but with the larger team.
How would you define device security?
Device security is looking at the device as a complete system, including hardware, software, and the infrastructure it communicates with. The goal is to try and identify what is worth protecting in the device, what is valuable, and what could become the target for attackers. It could be private or personal data, secrets stored in the device, proprietary and intellectual property. In other words, device security is identifying what is worth protecting in the device and securing it from attackers.
What is the role of a Senior Security Analyst?
When we look at a new device for a project, we typically perform a vulnerability assessment or a vulnerability analysis. First, we look at the documentation and try to gather as much information about the device as possible. Using all the information, we identify what are the most likely areas of attack. Then the fun part, at least fun for me, starts with actually running the test cases and performing the attacks themselves. Those attacks can be different, hardware or software, physical or remote, successful or not.
What do you think about the concept of Pre-Silicon security?
Before the chips are manufactured they exist in a different form. They are basically software that describes how the hardware behaves. When we say pre-silicon analysis, we refer to the analysis of the model of the device that is written in a language that looks like the software but is meant to describe the hardware. Pre-silicon analysis is all about analyzing these models of the device before it enters the physical world. The goal is to identify logical, side-channel, and fault injection vulnerabilities before tape out. The main advantage of this approach is that any changes, extra countermeasures, and improvements can be done before fabrication, which saves time and money.
Pre-silicon verification is not new; however, determining susceptibility to side-channel and fault injection attacks pre-silicon is relatively new both to the industry and to Riscure. I hope I can help Riscure succeed in pre-silicon security with my expertise and experience from my academic work and prior work experience.
What is it like working in the center of innovation, such as Silicon Valley?
It definitely makes it easier to meet with customers, as I can just stop by for a meeting in their offices. There are a lot of meet-ups and knowledge sharing due to the concentration of experts in the bay. I have given multiple talks and lunch presentations at other companies and at public meetups covering different topics. There is a nice hardware reverse engineering meetup in Mountain View, which is fun because it is attended mainly by people who have reverse engineering as a hobby and present various personal projects they are currently working on. It is a gathering of so much talent, knowledge, and passion for technology, especially for hardware hacking and hacking in general.
What is the difference between innovation and research in academia and in the industry?
Being a PhD and a postdoc researcher, you are working on projects for a longer term compared to my experience at Riscure. The projects at Riscure may have a long duration but you are jumping in and out of the project based on the workload, conference schedules, training schedules, etc. Working as an academic researcher you are more focused on just a single project at a time and novelty is of utmost importance in academic research. Whereas in the industry, the focus is less on novelty, and more on researching something that helps the customer. In industry, it doesn’t matter if that’s something that has never been done before or if it’s an area that has been explored but not commercialized.
What are the latest important industry developments?
Open-source hardware is something that I’m noticing in recent years, such as the OpenTitan and RISC-V projects. RISC-V is an open instruction set architecture that anyone can use without having to pay licensing fees. We are starting to see hardware opening up, which is traditionally a very closed industry. When I was a graduate student there were a few open-source hardware designs but they were developed by and for academia and were not deployable in a commercial product. But now we are starting to see larger companies like Google really getting involved in trying to make open-source security IP, which is an exciting trend.
This trend means that there is going to be more variety in the type of security IP available, which can lead to the space becoming more fragmented. To address this, going the direction of pre-silicon is useful, as we can find a way to automate analyzing different implementations quickly.
What is your most memorable story from Riscure?
Three or four months after I joined Riscure I was asked to deliver my first training (Embedded Systems Security) in Kentucky. I was delivering the training together with Marc Witteman. I was struggling with the time change, so I took some allergy medication to help me fall asleep. I was peacefully asleep until the fire alarm went off at the hotel in the middle of the night, at two in the morning! I remember peeking my head out of the hotel room door and also seeing Marc Witteman peeking his head out of his room down the hall. We both evacuated the building and ended up standing around outside the hotel for over an hour while waiting for the fire department to give the all-clear to re-enter the building. Standing there, bleary-eyed and still in my pajamas trying to make conversation with Marc Witteman was quite surreal. I was still half asleep, tired, and kind of unresponsive, while Marc seemed perfectly put together. Even after we were let back in the hotel it took another hour for the alarm to turn off. I put a pillow over my head and tried to block it out. The good thing was that I was so tired the next morning that I was not at all nervous and the training went smoothly. It was definitely a memorable experience!