The first step in defining security requirements for an SoC is to understand the usage and threat model that apply to the product. This is not an easy task, because one SoC design can be used in many products that address different markets and therefore have different usage models. Designers are advised to go through a threat and risk assessment (TRA) for their SoC, device and ecosystem. There are published methodologies for performing this task, as well as specialized companies that can walk a team through the process. Generally there are four main steps:
- Establish the scope of assessment and identify assets
- Determine the threats to the assets and assess the impact and probability of occurrence of each
- Assess vulnerabilities based on the implemented protection and calculate the risks
- Implement additional protection to reduce the risks to acceptable levels
Each asset is classified by the value it carries in one or more of confidentiality, integrity and availability. The TRA is not a one-off exercise but a continual process. Once started, it should be reviewed regularly to confirm that the protection mechanisms currently in place still adequately address the security requirements.
When evaluating the risk, the designers need to take into account the attacker's motivation, the tools, equipment, skills, time and money needed to break the system, and the probability of success. Generally, if the cost of breaking the system is higher than the benefit, an economically motivated attacker will not attempt it.
Sometimes new attack models or new tools are invented or become general knowledge, and the cost of an attack drops as the price of equipment and tools falls. The classification of these threats can therefore change over time: a device with a high tamper-protection rating can become easily compromised the day a new, low-cost attack is found.
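As an added illustration of the four TRA steps above and of the cost-versus-benefit rule and its re-assessment over time, the following Python register scores one constructed attack against one constructed asset, then re-scores it after a cheap tool appears and after a mitigation is added. This is example code written for this page, not a published methodology: the Level scale, the hourly rates, the impact figures, the irrational-attacker fraction, the asset, the attack figures and the mitigation are all assumptions chosen to show the shape of the calculation.

```python
"""Small threat-and-risk-assessment (TRA) register for an SoC.

Added example: every weight, dollar figure, asset and attack here is a
constructed assumption, not data from any product or methodology.
"""
from dataclasses import dataclass, replace
from enum import IntEnum


class Level(IntEnum):
    """Ordinal scale for asset value and required attacker skill (assumed)."""
    NONE = 0
    LOW = 1
    MEDIUM = 2
    HIGH = 3


# Assumed attacker labour cost per hour, by required skill (USD).
HOURLY_RATE = {Level.LOW: 20.0, Level.MEDIUM: 100.0, Level.HIGH: 400.0}
# Assumed impact of a successful attack, by asset value (USD): one rough
# figure standing in for device failure, service loss and brand damage.
IMPACT_USD = {Level.NONE: 0.0, Level.LOW: 1e3, Level.MEDIUM: 1e5, Level.HIGH: 1e7}
# Assumed share of attackers who attack even when it does not pay
# (researchers, hobbyists, state actors), so no risk ever reaches zero.
IRRATIONAL_FRACTION = 0.05


@dataclass(frozen=True)
class Asset:
    """Step 1: an in-scope asset classified by its C/I/A value."""
    name: str
    confidentiality: Level
    integrity: Level
    availability: Level

    def value(self) -> Level:
        # An asset is worth as much as its most sensitive property.
        return max(self.confidentiality, self.integrity, self.availability)


@dataclass(frozen=True)
class Attack:
    """Steps 2 and 3: one threat against one asset, with what it costs the
    attacker to mount and how likely it is to succeed against the
    protection currently in place."""
    name: str
    asset: Asset
    hours: float              # attacker time
    equipment_usd: float      # tools and equipment
    skill: Level              # expertise required
    p_success: float          # probability of success against current protection
    attacker_gain_usd: float  # what the attacker gets if it works

    def cost(self) -> float:
        return self.hours * HOURLY_RATE[self.skill] + self.equipment_usd

    def expected_gain(self) -> float:
        return self.p_success * self.attacker_gain_usd

    def is_attractive(self) -> bool:
        """Rule of thumb from the text: an economically motivated attacker
        only tries when the expected benefit exceeds the cost of breaking in."""
        return self.expected_gain() > self.cost()

    def risk_usd(self) -> float:
        """Risk as expected loss: impact times probability of occurrence.
        Unattractive attacks are discounted, not ignored."""
        scale = 1.0 if self.is_attractive() else IRRATIONAL_FRACTION
        return IMPACT_USD[self.asset.value()] * self.p_success * scale

    def with_protection(self, label: str, p_success: float,
                        extra_hours: float = 0.0) -> "Attack":
        """Step 4: an added protection lowers the success probability and
        usually raises attacker time; returns the re-scored entry."""
        return replace(self, name=f"{self.name} [{label}]",
                       p_success=p_success, hours=self.hours + extra_hours)

    def with_new_tool(self, equipment_usd: float, skill: Level) -> "Attack":
        """Re-assessment: a new low-cost tool changes only the cost side,
        which alone can flip an attack from not worth it to attractive."""
        return replace(self, equipment_usd=equipment_usd, skill=skill)


def unacceptable(attacks: list, tolerance_usd: float) -> list:
    """Names of entries whose residual risk still exceeds the accepted level."""
    return [a.name for a in attacks if a.risk_usd() > tolerance_usd]


# Constructed walk-through: a device root key probed out of fuse cells.
ROOT_KEY = Asset("device root key", Level.HIGH, Level.HIGH, Level.LOW)
PROBE_ORIGINAL = Attack("microprobe key fuses", ROOT_KEY, hours=200,
                        equipment_usd=1_000_000, skill=Level.HIGH,
                        p_success=0.7, attacker_gain_usd=1_000_000)
# A cheap tool plus a public write-up: same attack, far cheaper to mount.
PROBE_CHEAP_TOOL = PROBE_ORIGINAL.with_new_tool(equipment_usd=5_000,
                                               skill=Level.MEDIUM)
# Assumed mitigation: encrypted key storage behind an active shield.
PROBE_MITIGATED = PROBE_CHEAP_TOOL.with_protection(
    "encrypted fuses + active shield", p_success=0.1, extra_hours=1000)

if __name__ == "__main__":
    for a in (PROBE_ORIGINAL, PROBE_CHEAP_TOOL, PROBE_MITIGATED):
        print(f"{a.name}: cost {a.cost():,.0f}, expected gain "
              f"{a.expected_gain():,.0f}, attractive={a.is_attractive()}, "
              f"risk {a.risk_usd():,.0f}")
    print("still unacceptable at 100k:",
          unacceptable([PROBE_ORIGINAL, PROBE_CHEAP_TOOL, PROBE_MITIGATED], 100_000))
```

With these assumed figures the original attack costs 1,080,000 against an expected gain of 700,000 and is not attractive; the cheap tool drops the cost to 25,000 and the same device is suddenly an attractive target with an expected loss of 7,000,000; the mitigation pushes the cost back above the expected gain and the residual risk under the 100,000 tolerance. The absolute numbers are meaningless outside this toy; the point is that the register must be re-run when the cost side moves, not only when the design changes.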
It is extremely difficult to measure or evaluate the damage caused by an attack from a system perspective. The damage can range from device failure, service interruption and monetary loss to brand damage. The designer of the system has to understand these impacts when assessing the potential damage.