Offering Choice for IoT Security Certification with SESIP and CSPN-style Methodologies

Skip to content

In the PSA Certified 2021 IoT Security Report , 48% of respondents cited standards and regulation fragmentation as a top challenge for IoT security. As the world wakes up to the burden of insecurity, we are seeing a growing number of standards and guidelines. This mountain of requirements is slowing down the adoption of technology, as many developers are adopting a “wait and see” approach, waiting for regulations to establish before evaluating the robustness of their products.

In this blog, we explore how PSA Certified is reducing fragmentation of security standards in the IoT ecosystem, why the PSA Root of Trust is so important, and how a choice of evaluation methodologies can help the chip developer.

Fragmentation is a huge worry for the IoT technology ecosystem

Enabling Certification Reuse

Over time, the guidelines for specific markets will become requirements, and in some cases, they will develop into vertical market-specific certifications (for example industrial, medical and consumer). If we’re not careful this rapid growth of varying requirements will exacerbate the fragmentation problem, slow down the market and stifle innovation. Therefore, it’s critically important that we encourage certifications that can be reused across different schemes and support composite evaluations (where certifications can be more easily reused later). By making use of these two approaches, we can ensure that all products are aligning to a common security language and reuse drives efficiency for the value chain when complying with additional market requirements. By enabling this composite and reusability approach, which can be utilized in multiple verticals we reduce fragmentation and ensure that security remains the number one priority.

PSA Certified Level 1 is a security questionnaire with a lab audit; the questionnaire has three sections that work in composition: Chip, System Software and Device.  This makes it simpler for OEMs to fill in the Device section if they are using chips or software platforms that are already PSA Certified.  Silicon vendors can certify at higher PSA Certified levels to showcase additional robustness to OEMs.

A PSA Certified Level 2 chip has a security promise of protecting against scalable software attacks whereas a PSA Certified Level 3 chip offers protection against substantial physical and software attacks.  Chips being evaluated at PSA Certified Level 2 or PSA Certified Level 3 are subjected to penetration testing in an evaluation lab, which means an Evaluation Methodology (EM) needs to be selected by the developer.  PSA Certified offers a choice of two equivalent evaluation methodologies for Level 2 and 3: an in-house CSPN style EM and GlobalPlatform’s SESIP (Security Evaluation Scheme for IoT Products).    

Aligning to a Common Approach for Security

A common approach is key to unlocking the certification reuse that we mentioned before. At the inception of PSA Certified over two years ago, we defined a new chip-based security component, the PSA Root of Trust (PSA-RoT) and created an independent security evaluation and certification program to assess security implementations according to a Protection Profile for the PSA-RoT. Wide adoption across the market has resulted in over 60 PSA Certified products from silicon providers, software vendors and OEMs who are all aligning to the same security goals. This enables device manufacturers to leverage the security functions from the silicon RoT and use the PSA-RoT as a foundation for further device certifications.

The PSA-RoT is a security component that is isolated in a Secure Processing Environment and acts as the trust anchor for the device and services that depend upon the device. It is usually created by combining trusted hardware (such as cryptographic accelerators, private key stores and random number generators) with trusted firmware that is hidden from the main device software by a hardware isolation mechanism. It provides a small set of security primitives (such as crypto, secure storage, attestation and secure boot) which lay the foundations of device security and must be trusted by the device and services. Consequently, the PSA-RoT must be dependable across the value chain, and an independent test lab-based evaluation helps to build trust. The chip’s PSA-RoT can be tested through a PSA Certified security evaluation where there are three levels of progressively increasing assurance and robustness for silicon vendors.

The developer’s investment in achieving PSA Certified status can often be reused by other security frameworks and evaluation schemes:

How to reuse your PSA Certified certificate

Protection Profiles and Evaluation Methodologies Explained

Another key area for creating consistency in IoT is with Protection Profiles (PP) and Evaluation Methodologies (EM). The relationship between the two can be confusing if you are new to certification as the way the PP is written will depend on the choice of EM.

Choosing a certification scheme often means that the PP (and in turn the EM) is fixed for you and restricts your choices when it comes to certification reuse. However, PSA Certified is different as we are fostering alignment across the industry and have developed two equivalent PPs for the PSA-RoT.  PSA Certified offer two PPs that enable chip vendors to choose either one written in the style of a Certification de Sécurité de Premier Niveau (CSPN) PP or a GlobalPlatform SESIP Profile for PSA Certified Level 2 or PSA Certified Level 3.

What is the Relationship Between PSA Certified and SESIP?

The PSA Certified founding members (otherwise known as the PSA JSA) believe that developers should have a choice of evaluation methodology. The two routes have equivalent security robustness and assurance, managed under one Certification Body (CB) and lead to the same PSA Certified level. An option to use SESIP EM  has recently been added as an alternative to the existing CSPN-style EM for PSA Certified Level 2 and PSA Certified Level 3.  SESIP follows the mandatory aspects of the Common Criteria standard but offers greater ease of use and a custom set of assurance levels that have been aligned with PSA Certified.   

Offering a choice of evaluation methodology

SESIP or CSPN-style? Choosing Your Certification Methodology

With the addition that silicon vendors can now achieve PSA Certified Level 2 and PSA Certified Level 3 using either the CSPN-style methodology or GlobalPlatform’s SESIP EM, you might be wondering which to choose.

Uses a more formal documentation style with a library of Security Functional Requirements (SFRs) that the PP references.  The PP typically requires more study than a CSPN-style PP to interpret its meaning and implication for the developer.

OEM’s might want to develop their own market-specific SESIP Profiles.  If the chip vendor has a SESIP evaluation it will be easier for the OEM to use this certificate in composition, which means the OEM can reuse it and reduce their efforts and costs.

The key benefit of the CSPN PP is that it’s written in plain English and is, therefore, easier for the developer to interpret.  

CSPN is a logical choice for companies that are new to certification and do not have first-hand experience in writing a formal security target document.  CSPN saves time and energy involved in learning formal CC requirement language and easier documentation.

Some of the PSA Certified documentation only available in CSPN-style, this includes PSA Certified Level 2 Ready, which is a pre-certification evaluation for components that can’t reach all of the requirements needed for the full certification process.

Composite Certification: Unlocking New Potential and Easing Fragmentation

In conclusion, by enabling composition in the PSA Certified scheme and encouraging reuse across schemes we can make IoT security evaluation efficient for the electronics industry.  At PSA Certified Level 1 we are making it easier for OEMs to demonstrate best practice security by design and consume the certificates from chip vendors and software platforms.  Other schemes and cybersecurity baseline requirements are becoming aligned with the PSA Certified work providing even greater levels of efficiency.

For the chip vendor, we are providing a choice of two equivalent protection profiles and evaluation methodologies.  The CSPN style PP is written in plain English and easier to interpret into good design choices.  Choosing SESIP offers a more sophisticated EM with greater opportunities for the OEM to reuse the certificate if they wish to do their own SESIP evaluations at the device level.  

Offering this choice to chip vendors (CSPN style PP or SESIP PP) will encourage more evaluations of the PSA-RoT and provide this valuable security component to the electronics industry which will ultimately make the IoT more secure.