PSA Certified Welcomes Connectivity Standards Alliance’s New Cybersecurity Certification Program


To achieve a secure connected world it’s clear that the electronics industry must embrace security by design. Some governments have started to legislate for it, and this is putting pressure on OEMs to adopt cybersecurity principles from the start of the design process. PSA Certified has been helping the electronics world to navigate this path for the last five years, and we applaud others – such as the Connectivity Standards Alliance (CSA) Product Security Working Group – who are proactively developing security specifications and evaluation schemes that share this collective vision. We believe that to transition to security by design, the industry needs to collaborate for the greater good.

PSA Certified’s Approach to Best Practice Security

PSA Certified is a foundational security-by-design scheme. It is an easy-to-use security framework for OEMs, helping them to align with important cybersecurity standards and regulation (we have mappings to important cybersecurity standards and draft legislation, including UK PSTI, EU RED and EU CRA).

The starting point for PSA Certified is a standardised System on Chip (SoC) Root of Trust (RoT). On top of this sits a composite (layered) set of security-by-design requirements for the software platform and the device/application. This approach reduces the number and complexity of requirements for OEMs. It has been well received by the electronics industry – we’re soon to reach 200 PSA Certified certifications, with over 140 of those certifications for PSA Certified Level 1. This means that PSA Certified is an established, successful, business-to-business scheme that can be completed with a low level of investment: a few days of an engineer’s time and a few thousand dollars.

Why Collaboration (Not Competing) is Key

It is unusual for one security evaluation scheme to help another – they usually compete for attention! One of the headaches for an OEM is the difference in security requirements between markets and regions. There are many other cybersecurity schemes in the electronics industry, and rather than competing with them, we actively seek alignment to reduce industry fragmentation.

So, when we heard that CSA was creating a Product Security Working Group to target the requirements of the US Cyber Trust Mark, we decided to join and help accelerate their work. We donated PSA Certified’s device-level requirements to the group; these requirements were already aligned with NIST 8259A and EN 303 645, giving the group a foundation that it could build on quickly. This means that their new IoT Device Security Specification 1.0, which underpins their certification scheme, shares a lot of DNA with the PSA Certified Level 1 device requirements.

When Will Companies Choose CSA Product Security Certification Program and When Will They Choose PSA Certified?

The key difference between PSA Certified and the CSA Product Security Certification Program and Verified Mark is the way the stamps are used. For PSA Certified our focus has always been business-to-business (B2B), but CSA is opting for more of a business-to-consumer (B2C) approach.

Therefore it’s our belief that OEMs who want to simplify the security-by-design process with pre-certified chips and software platforms, and also get ready for UK PSTI, EU RED and EU CRA, will want to choose PSA Certified. If, on the other hand, they want a consumer-facing logo (like the US Cyber Trust Mark) to put on their product, they may pick the CSA’s security scheme and Product Security Verified Mark.

Another difference is that PSA Certified is based on the Root of Trust as a mandatory requirement for secure boot, key storage and crypto. This has long been regarded as foundational for security best practice, and is based on many years of threat modelling and real-world experience. The CSA Product Security Certification Program is taking a more relaxed approach to the hardware Root of Trust (it is listed in their requirements, but as a ‘should’ and not a ‘must’).

|                    | PSA Certified Level 1                              | CSA Product Security Certification Program and Verified Mark |
|--------------------|----------------------------------------------------|--------------------------------------------------------------|
| Logo               | Business-to-business (B2B)                         | Business-to-consumer (B2C) approach                          |
| Industry alignment | UK PSTI / EU RED / EU CRA; EN 303 645, NIST 8259   | US CTM (target); EN 303 645, NIST 8425                       |
| Root of Trust      | Yes – Mandatory                                    | Optional                                                     |

Figure 1: PSA Certified Level 1 and CSA Product Security Certification Program and Verified Mark compared

If you are an OEM, you now have another choice of cybersecurity scheme. Whichever you pick, PSA Certified is supporting your security-by-design journey.