The foundations of PSA Certified
The PSA Certified assurance scheme was collaboratively developed by the PSA Certified Founding Members. It is built on firm foundations using IoT threat models, the PSA Security Model and government guidelines and requirements. This investment in methodical development, along with an annual renewal, provides the structure and features of the PSA Certified scheme, creating clarity through a common security language.
A Methodically Designed Scheme
The framework underpinning PSA Certified was launched in 2017. It provides a step-by-step guide to building in the right level of security for connected devices.
PSA Certified was created to ensure that security is designed into devices from the ground up.
The PSA Certified framework follows four stages:
- Analyze: Create a threat model to assess the risks to your system and to work out your security requirements.
- Architect: Use the PSA security architecture specifications to build in security and trust.
- Implement: Port trusted software (for example, the Trusted Firmware-M open source project) to your hardware to form the PSA Root of Trust (PSA-RoT) and implement the PSA Functional APIs to provide an interface to the security functions.
- Certify: Use the PSA Certified evaluation scheme and independent test lab assessment to provide security assurance to your customers.
Through its four stages, PSA Certified goes beyond outlining security guidelines by providing a set of free specifications and engineering documents to accelerate the development of secure systems.
It provides the recipe (architecture documents), the ingredients (open source code, threat models, development boards and models) and the quality assurance (API test suites and the PSA Certified assurance scheme) to make security easier and accessible to everyone. This approach makes the development of trustworthy chips, firmware, software and devices more straightforward.
The holistic framework forms the foundation of device security, outlining the analysis of security requirements, the creation of an IoT security component, the PSA-RoT, and the implementation of trusted firmware and easy-to-use software APIs.
Documents of importance to PSA Certified are:
Analyzing your Security Requirements Using Example Threat Models
The first stage of PSA Certified involves the evaluation of assets and assessment of threats. This should result in a Threat Model and Security Analysis document for the particular use case. To inspire device makers to create these documents, Arm published three example IoT threat models: an asset tracker, a water meter and a network camera.
Aligning the PSA Certified 10 Security Goals
The PSA Security Model document details 10 security goals of IoT platforms. These 10 goals create the security requirements for the generic parts of IoT systems and form the outline for the evaluation of chips, OSes and devices in PSA Certified Level 1.
Globally Recognized IoT Security Best Practice
As regional and global IoT security standards, guidelines and laws emerge, PSA Certified is focused on making compliance with these standards as easy as possible.
The PSA Certified scheme will be continuously reviewed and updated annually, providing mappings and alignment to globally important IoT security standards, government requirements and emerging laws. The PSA Certified Level 1 v2.0 questionnaire aligns chip vendors, software platforms and device manufacturers with globally recognised best practice.
PSA Certified partners can demonstrate security due diligence, access the world’s biggest markets and enable businesses to make informed decisions on security.