What are the goals of PSA Certified?
PSA Certified aims to:
- Improve the security of IoT devices through independent testing – building trust into the devices and services that rely on them.
- Create a multi-level security certification scheme that is cost-effective, fast-to-market and ready in multiple markets – helping customers get the level of security they need.
- Build a developer ecosystem through consistent, easy to use software interfaces (APIs) to the PSA Root of Trust (PSA-RoT). We refer to this as Functional API Certification.
Why do we need PSA Certified for better security?
Most IoT chips and platforms do not get independently tested. This lack of assurance increases the chance of vulnerabilities in devices reaching the market. Independent testing raises the bar on security and sets agreed levels of security assurance and robustness.
What problem does PSA Certified solve for the electronics industry?
Too many IoT devices are not independently tested before they reach consumers and businesses. This makes it much more likely that vulnerabilities get through to mass production. PSA Certified is aimed at the whole of the IoT market where the scale of the industry demands that testing be quick, efficient and effective without being bureaucratic.
As regional guidelines and regulations for IoT emerge, PSA Certified stays aligned with key standards by monitoring them closely, mapping their security requirements and updating the PSA Certified Level 1 questionnaire annually.
How will PSA Certified help secure Internet of Things (IoT) devices?
A secure IoT system needs to have security designed in. The Root of Trust (RoT) is at the heart of a System on Chip (SoC) providing security functions to the rest of the system. The Platform Security Architecture provides open source code and software interfaces (APIs) that the chip vendors can use to build in a PSA Root of Trust (PSA-RoT). PSA Certified provides independent lab-based assurance of the PSA-RoT and ensures that the device that uses it is built in line with the PSA 10 security goals.
One of the goals of PSA Certified is to make the security level of an IoT device (Level 1, Level 2 or Level 3) easy to identify, so that businesses can make informed decisions.
What makes PSA Certified different from other checklist approaches?
All three PSA Certified levels are provided via independent test labs rather than developers self-certifying.
The certification scheme has been methodically developed using three inputs to systematically create a set of security requirements:
- IoT threat models: threat modelling and security analysis used to identify common security requirements
- Security best practice: the 10 security goals defined in the PSA Security Model document
- Government regulations: monitored and reviewed to provide multi-region alignment
PSA Certified Level 1 questions derive from detailed, systematic work on the PSA Security Model and on multiple published IoT threat models (English-language Protection Profiles).
All PSA Certified systems use the Entity Attestation Token (EAT), a cryptographically signed "report card" in which the device makes claims about itself. A relying party verifies the signature before trusting any of the claims; the claims then identify the hardware version, and therefore which certified PSA-RoT the device is built on.
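As an added example that is not part of the original page or of any PSA implementation, the following Python models that exchange: the device tags its claims with a per-device attestation key, and a verification service checks the tag, the challenge nonce and the security lifecycle state before mapping the hardware-version claim onto a registry of certified PSA-RoTs. The claim numbers, lifecycle value, hardware versions, instance IDs and keys are all constructed for this example. A real PSA token is a CBOR claim set inside a COSE_Sign1 (ECDSA) or COSE_Mac0 (HMAC) envelope; this stand-in uses canonical JSON with HMAC-SHA256 so it runs with the standard library only.

```python
"""Simplified PSA-style attestation exchange (added example, not project code).

A real PSA token is a CBOR claim set inside a COSE_Sign1 (ECDSA) or COSE_Mac0
(HMAC) envelope, tagged with the device's Initial Attestation Key.  This
stand-in encodes claims as canonical JSON and tags them with HMAC-SHA256 so it
runs with the standard library only; the order of the checks is the point.
"""
import hashlib
import hmac
import json
import os

# Claim keys in the style of the PSA token draft (negative private-use
# integers).  The specific numbers are assumptions for this example.
CLAIM_LIFECYCLE = -75002
CLAIM_IMPL_ID = -75003
CLAIM_HW_VERSION = -75005
CLAIM_NONCE = -75008
CLAIM_INSTANCE_ID = -75009

# PSA security lifecycle "secured" state; numeric value assumed for this example.
LIFECYCLE_SECURED = 0x3000

# Constructed registry: attested hardware version -> certification of that PSA-RoT.
CERTIFIED_ROT = {
    "rot-rev-B": "PSA Certified Level 2",
    "rot-rev-A": "PSA Certified Level 1",
}


def canonical(claims: dict) -> bytes:
    """Deterministic byte encoding so device and verifier tag identical bytes.
    JSON keys must be strings, so the integer claim keys are stringified."""
    ordered = {str(k): v for k, v in claims.items()}
    return json.dumps(ordered, sort_keys=True, separators=(",", ":")).encode()


def build_claims(instance_id: str, nonce: str, hw_version: str,
                 lifecycle: int = LIFECYCLE_SECURED) -> dict:
    """Claim set a PSA-RoT would assemble in answer to a challenge."""
    return {
        CLAIM_INSTANCE_ID: instance_id,
        CLAIM_NONCE: nonce,
        CLAIM_HW_VERSION: hw_version,
        CLAIM_LIFECYCLE: lifecycle,
        CLAIM_IMPL_ID: "constructed-implementation-id",
    }


def issue_token(attestation_key: bytes, claims: dict) -> dict:
    """Device side: tag the claim set with this device's attestation key."""
    tag = hmac.new(attestation_key, canonical(claims), hashlib.sha256).hexdigest()
    return {"claims": claims, "tag": tag}


class VerificationService:
    """Relying party holding one attestation key per device instance."""

    def __init__(self, device_keys: dict):
        self._keys = device_keys   # instance_id -> key, provisioned out of band
        self._pending = set()      # nonces issued but not yet consumed

    def challenge(self) -> str:
        """Fresh nonce the device must echo inside its tagged claims."""
        nonce = os.urandom(32).hex()
        self._pending.add(nonce)
        return nonce

    def verify(self, token: dict) -> dict:
        claims = token.get("claims", {})
        # 1. Authenticate before trusting any claim: find this device's key.
        instance = claims.get(CLAIM_INSTANCE_ID)
        key = self._keys.get(instance) if isinstance(instance, str) else None
        if key is None:
            return {"ok": False, "reason": "unknown instance"}
        expected = hmac.new(key, canonical(claims), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, str(token.get("tag", ""))):
            return {"ok": False, "reason": "bad tag"}
        # 2. Freshness: the nonce must be one we issued and never seen before,
        #    so a captured token cannot be replayed.
        nonce = claims.get(CLAIM_NONCE)
        if not isinstance(nonce, str) or nonce not in self._pending:
            return {"ok": False, "reason": "stale or unknown nonce"}
        self._pending.discard(nonce)
        # 3. A device in a debug or decommissioned lifecycle state is not trusted.
        if claims.get(CLAIM_LIFECYCLE) != LIFECYCLE_SECURED:
            return {"ok": False, "reason": "lifecycle not secured"}
        # 4. Only now map the hardware version onto the certified PSA-RoT.
        level = CERTIFIED_ROT.get(claims.get(CLAIM_HW_VERSION))
        if level is None:
            return {"ok": False, "reason": "uncertified hardware version"}
        return {"ok": True, "level": level, "instance": instance}


if __name__ == "__main__":
    key = b"constructed-per-device-key-0001"
    svc = VerificationService({"dev-0001": key})
    good = issue_token(key, build_claims("dev-0001", svc.challenge(), "rot-rev-B"))
    print("valid:   ", svc.verify(good))
    print("replayed:", svc.verify(good))
    forged = issue_token(key, build_claims("dev-0001", svc.challenge(), "rot-rev-B"))
    forged["claims"][CLAIM_HW_VERSION] = "rot-rev-A"
    print("tampered:", svc.verify(forged))
```

Run stand-alone it shows a valid token being accepted, the same token rejected on replay, and a token whose hardware-version claim was edited after tagging rejected as a bad tag. Keeping one key per device instance means a key recovered from a single device lets an attacker forge tokens for that device only, not for the fleet.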
What do PSA Certified Level 1 / Level 2 / Level 3 mean?
PSA Certified Level 1 checks that the 10 PSA Certified security goals from the Security Model document and the generic security requirements from the IoT threat models have been met. Level 1 assesses the system-on-chip, the RTOS layer and the device, with questionnaire sections for the chip vendor, the RTOS provider and the device maker. The chosen test lab reviews the questionnaire in an interview, to establish that the questions have been understood and that the answers are appropriate and sufficient. The 2020 version of Level 1 (v2.0) maps its questions to the following IoT standards, requirements and regulation: ETSI EN 303 645 v2, NISTIR 8259 (draft v2), California SB-327 and the proposed UK DCMS requirements.
Level 1 is proposed as a necessary security foundation for all IoT devices to demonstrate that security best practice has been met and that fundamental guidelines and regulations have been adhered to. A chip vendor who has passed Level 1 can continue to PSA Certified Level 2.
PSA Certified Level 2 tests the PSA-RoT and the nine security functions defined in its Protection Profile. Level 2 requires the PSA-RoT to be white-box penetration tested by the lab for a fixed time period, using an evaluation methodology inspired by ANSSI CSPN. It builds on Level 1 and evaluates protection against scalable, remote software attacks, so it is the appropriate choice for demonstrating that these security functions have been independently evaluated in a test lab. Level 2 is designed as a mainstream IoT assurance level for devices that do not have to resist advanced hardware or physical threats. Because physical attacks are out of scope at this level, an OEM using a Level 2 PSA-RoT should provision unique keys per device, so that a key extracted from one device by a physical attack does not compromise the whole fleet and a shared secret does not become a "honeypot" for such attacks.
PSA Certified Level 3 is in development. It will focus on assurance for devices needing a substantial level of protection from software and hardware attacks.
What is PSA Functional API Certification?
To build interoperability between solutions we need software interfaces to the PSA-RoT security component. Functional API Certification (also known as API Compliance) tests that the software interfaces are present and functioning as expected. Functional API certification runs a test suite (or test kit) on a software implementation. Evidence of PSA Functional API certification is needed for security certification using PSA Certified by chip vendors or OS suppliers.
Who should be PSA Certified?
PSA Certified Level 1 is applicable to chips, RTOS and devices. It evaluates adherence to the 10 security goals through a questionnaire and test lab assessment.
Who should get PSA Functional API Certification?
- Chip vendors who want to show the functionality of their PSA Root of Trust (PSA-RoT) using the PSA Functional APIs.
- RTOS vendors who add PSA Functional APIs and want to demonstrate they have a compliant solution.
- OEMs who want to check their security RoT is using standard PSA Functional APIs.
PSA Functional API Certification is recommended, but not mandatory, for chip vendors who go on to do PSA Certified Security Certification.
Who runs the PSA Certified scheme?
The PSA Certified scheme is jointly developed by seven companies, the PSA Certified Founders, working together to create a specification for the benefit of the electronics industry. The founders are Arm, Brightsight, CAICT, Prove&Run, Riscure, TrustCB & UL.
Why are the PSA founding companies involved?
The PSA Certified Founders provide an independent scheme that is company, technology and product agnostic. Also referred to as the Joint Stakeholder Agreement members, they provide industry-leading input and regional insight into the PSA Certified scheme. Brightsight, CAICT, Riscure and UL are world-leading test laboratories with extensive experience of security evaluation. TrustCB is the certification body and scheme manager overseeing PSA Certified. Prove&Run are experts in creating threat models and highly secure solutions. Arm founded the Platform Security Architecture and developed the technical documents, and remains committed to helping the scheme evolve.
Why does PSA Certified have a certification body?
An independent certification body ensures the quality of the test lab-based evaluations. They are independent of the other founding members and get paid a certification fee for each evaluation. TrustCB have been appointed as certification body for PSA Certified.
How do I become PSA Certified Level 1, Level 2 or Level 3?
As an outline:
|Certification Level|Scope|Assessment Details|Assessment Duration|
|---|---|---|---|
|PSA Certified Level 1|Questionnaire based on the PSA 10 security goals|Assessed by a test lab in a short interview|1 day|
|PSA Certified Level 2|Assesses an agreed PSA-RoT Protection Profile, evaluation methodology and attack methods list|White-box penetration testing by a test lab|1 month|
|PSA Certified Level 3|In development|||
What is a PSA-RoT?
A PSA Root of Trust (PSA-RoT) is the trust anchor in a chip for a system that is connecting to cloud-based services. It provides trusted security functions such as crypto, secure storage and attestation, that the rest of the system relies on. The PSA-RoT is a source of confidentiality (it can keep secrets such as crypto keys) and integrity (you can rely on this system being unaltered from its intended state). The PSA-RoT protection profile identifies seven threats that the PSA-RoT should defend against at PSA Certified Level 2 and nine security functions of a PSA-RoT for the test lab to check.
What benefits does a PSA-RoT bring to an IoT device?
The PSA-RoT has been designed as a fundamental security building block for IoT devices that can provide essential security services. By providing an open source reference implementation, APIs and freely published architectural documents the vision is for the PSA-RoT to become a standard feature of IoT chips and systems.
- Chip vendors are able to demonstrate the security features of the chip to OEMs and have them valued by the ecosystem.
- RTOS vendors are able to integrate the PSA Functional APIs and then easily port security features across chips.
- OEMs are able to select the appropriate level of security and have common security features and APIs across chipsets.
- Service providers are able to easily identify the security level of the connected device and be able to make risk-based judgements.
Can PSA Certified be used on any processor architecture?
Yes, any processor in a suitably designed chip can be PSA Certified.
Can PSA Certified be used with other device or platform level certification schemes?
Yes, we actively encourage other device level or platform level certification schemes to build on top of PSA Certified (which focuses on the PSA-RoT).
How long is my certification valid for?
The digital certificate will be displayed on the PSA Certified website for four years. The certificate has the date of certification but there is no official expiry date. The viewer of the certificate should make their own decisions on interpreting validity. A developer may choose to renew a certification or do a delta certification with their chosen test laboratory.