In the world of IoT, there’s a widely held belief that building security into devices prevents manufacturers from creating products quickly and simply. Security is often seen as a speedbump that will require expertise, delay time-to-market, increase total costs, and risk potential for success.
Of course, historically there is some truth to this. At least there has been up to now. Without a clear understanding of security options—and what’s required to achieve appropriate levels of protection—the ability to get products to market fast and at minimum cost can be diminished. But at the same time, we know that IoT devices can act as vectors through which cyberattacks can occur, so neglecting security isn’t an option we should be exploring.
In a recent study, Cybersecurity Ventures added up the costs associated with a cyberattack. They included forensic investigations, the restoration of hacked data and systems, the loss of intellectual property, lost productivity, harm to reputation, and a host of other associated expenses, finally estimating the cost of global cybercrime against businesses will be USD $6 trillion in 2021.
There’s a lot at stake, but the task at hand isn’t insurmountable. Device security can be achieved by taking a relatively simple yet comprehensive approach. PSA Certified is well-positioned to offer such an approach. The collaborative partnership of organizations behind PSA Certified has been helping the ecosystem secure devices from chip to cloud for years and we remain committed to end-to-end security.
PSA Certified: Security Guidelines for Manufacturers
PSA Certified was developed to meet the need for standardized security across the IoT industry. Designed to provide a comprehensive assurance framework that aligns market requirements and supports digital transformation, PSA Certified is built upon IoT threat models, 10 security goals and government regulations.
PSA Certified is open to any architecture and it includes both hardware and software security design standards and assists you in implementing the right protection for your device by offering multiple levels of security assurance and robustness.
Addressing OEM Security Challenges
Beyond preventing cyberattacks and securing data, there are other benefits to securing IoT devices: minimizing the risk of downtime, reducing the risk to the business’s reputation and achieving multi-level assurance. And by building consumer trust, you can increase revenue by attracting the sizeable number of end users that haven’t purchased IoT devices due to security concerns.
Whether you are designing and building your own silicon, software and IoT components, or building systems through partnerships, there are several universal challenges, especially when it comes to security:
|A lack of available resources and guidance: The lack of widely accepted IoT security standards across the industry results in a time-consuming, expensive process of navigating multiple sets of guidelines and standards.||PSA Certified offers free resources and a clear and open framework to implement security from the chip to the entire device.|
|Cost containment: Security is typically thought of as a built-in commodity, so charging a premium for it can be difficult. But a misstep can result in lost revenue and a damaged reputation.||PSA Certified helps you select correct forms and appropriate levels of security, so device protection is achieved in the most cost-effective way possible.|
|Regulatory requirements: Working out new and continuously evolving cross-regional security requirements and mapping them to your design is labor-intensive and costly.||PSA Certified maps to global government regulations. Specifically, PSA Certified Level 1 aligns with key ETSI, NIST and Californian state law requirements, so organizations can adhere to these complex regulations with ease.|
|Time-to-market: Being first to market can act as a powerful kickstart for a new product and can even make the difference between success and failure.||PSA Certified is designed to provide access to resources, pre-certified components, and free APIs for quick and easy device security.|
A Framework to Simplify Security
PSA Certified is the first complete security framework, open source firmware project and matching certification scheme designed to dramatically reduce the labor, guesswork and other challenges associated with designing security into IoT devices. It gives clarity to a fragmented, fast-moving market, and provides a foundation of trust for next-generation IoT devices.
PSA Certified consists of a four-step program that guides OEMs through the security design and development process.
Once the four steps are completed and products are tested and certified by third-party labs, products are awarded a PSA Certified certificate and use of the logo. These quality markers illustrate the commitment to protecting customers, and act as a notification that the security standards required for the device have been met.
The four steps include:
Step 1: Analyze
Understand the level of security needed
Define and create list of security requirements through a comprehensive analysis of use case threats and vulnerabilities, and match them to a list of security best practices.
PSA Certified offers:
- The Platform Security Model document which outlines the 10 security goals and how to achieve them.
- Example threat model and security analysis documents to guide this process.
Step 2: Architect
Plan what security you will implement and how
Leverage best practices and specifications to build a blueprint of the required security architecture, or select PSA Certified chips and RTOSes from the list of ready-Certified products.
PSA Certified offers:
- A simple way to identify the right component for your device on the PSA Certified products page.
- Specifications outlining hardware and firmware security architectures that comply with the 10 security goals.
Step 3: Implement
Build or integrate your solution
Implement PSA Certified components or security design into your device and use application software and APIs to ensure communication with underlying security features within the silicon.
PSA Certified offers:
- A reference implementation of the PSA Root of Trust containing key security functions for silicon security.
- Free and open high-level APIs that provide an easy-to-use interface with the security functions in the PSA Root of Trust.
Step 4: Certify
Evaluate and certify product security
Test security implementations to be sure you’re meeting all use case-based security robustness requirements.
PSA Certified offers:
- Independent security evaluation for connected devices to ensure adherence to security best practice and alignment to global regulations.
- Multi-level silicon security assessment so the right level of chip security can be selected for use in devices.
Adherence to PSA Certified protocols embeds security into the heart of your product and can protect your brand, bolster revenue, enhance your reputation and even act as a key selling point. With considerable industry support behind it, PSA Certified is quickly becoming the de facto standard for IoT device security.