To support widespread deployment of secure IoT solutions based on the Platform Security Architecture (PSA) framework, Arm and its independent security testing lab partners Brightsight, CAICT, Riscure, and UL, along with consultants Prove&Run, announced PSA Certified. Through independent security testing, PSA Certified enables IoT solution developers and device makers to establish the security and authenticity of the data collected from a diverse world of IoT devices.
“PSA gave the industry a framework for standardizing the design of secure IoT devices, and PSA Certified brings together the leading global independent security testing labs to evaluate the implementation of these principles,” said Paul Williamson, vice president and general manager, Emerging Businesses Group, Arm. “This will enable trust in individual devices, in their data, and in the deployment of these devices at scale in IoT services, as we drive towards a world of a trillion connected devices.”
PSA Certified provides a simple and comprehensive approach to security testing. It comprises two elements: a multi-level security robustness scheme and a developer focused API test suite. The security testing is based on third-party lab-based evaluation that builds trust through independent checking of the generic parts of an IoT platform including: PSA Root of Trust (the Root of Trust is the source of integrity and confidentiality), the real-time operating system (RTOS) and the device itself.
Validating the foundational security of IoT devices
PSA Certified enables devices makers to get the security required for their use case through three progressive levels of security assurance which are assigned by analyzing the use case threat vectors. For example, a temperature sensor in a field may require different security robustness (level 1) than a sensor in a home environment (level 2) or in an industrial plant (level 3). Following the testing, all PSA Certified devices will have electronically signed report cards (attestation tokens) for determining which level of security has been achieved, allowing businesses and cloud service providers to make risk-based decisions.
More security value for developers
As part of the program, the PSA Functional API Certification enables standardized access to essential security services, making it easier to build secure applications. Free test suites have been published for chip vendors, RTOS providers and device makers to test their PSA APIs and harness the hardware security of the latest silicon platforms.
PSA Certified is already gaining traction with leading silicon and IoT platform providers. Cypress, Express Logic, Microchip, Nordic Semiconductor, Nuvoton, NXP, STMicroelectronics and Silicon Labs have all achieved Level 1 certification. Nuvoton and OS provider ZAYA have achieved both PSA Certified Level 1 and PSA Functional API Certification, and Arm Mbed OS will provide out of the box compliance with PSA Certified Level 1 and PSA Functional API Certification in its upcoming March 5.12 release.
PSA: A comprehensive framework for IoT device security
PSA Certified is the next step in the Platform Security Architecture (PSA) journey, bringing a tangible measure of device security to the IoT. PSA is a four-stage framework that guides IoT designers through the journey of creating a secure connected device. It goes beyond instructions and principles, with a comprehensive set of downloads, including Threat Models and Security Analyses documentation, hardware and firmware architecture specifications, open source Trusted Firmware (TF-M) and API test kits.
Supplemental Quote Sheet:
Dirk-Jan Out, CEO, Brightsight said: "Brightsight is pleased to support PSA Certified, which will improve the security of IoT devices and build a higher level of trust in the value chain – this trust is critical for the IoT to succeed. The multi-level approach of the scheme is designed to help the customers get the exact level of security they need, appropriate to the specific use case and threat model."
Vicky Guo, CAICT, said: "We should expect that anything connected to the internet could be hacked eventually, and to implement security in a trusted manner, independent testing is crucial. CAICT is committed to working closely with partners such as Arm to build a secure IoT ecosystem, and PSA Certified is an important step towards that, enabling customers to achieve the security they need for their specific use case."
Dominique Bolignano, President & Founder, Prove&Run said: "PSA Certified is essential to enabling cybersecurity and security services companies to develop and provide the right security offerings in the IoT sphere. We are very proud to be part of this initiative, working to collect critical input from other lead partners and the wider ecosystem, and contributing to writing the security scheme documents that will be released as part of the program."
Marc Witteman, CEO, Riscure said: "The security of IoT requires proper architecture, implementation, and verification, and Riscure is dedicated to supporting customers in their efforts to implement this structural security mindset. We believe that the multilevel PSA Certified program enables IoT vendors and their customers to address ever-growing privacy and security concerns, building further trust in connected devices."
Arman Aygen, Head of Strategy and Innovation at UL Identity Management & Security said: "With our world being increasingly connected, innovation should not compromise cybersecurity: it should never be something you factor in as an afterthought and needs to be managed throughout the supply chain. PSA Certified offers a non-prescriptive and voluntary framework to demonstrate the security and value of interconnected solutions."