Following the first birthday of the PSA Certified assurance scheme, the PSA Certified founders felt it was the perfect time to reflect on some of our key achievements in the last twelve months and exciting updates surrounding the PSA Certified program. In this blog we will touch on new government standards and regulatory alignment with PSA Certified Level 1, the wave of world-leading silicon providers achieving PSA Certified Level 2, plus critical momentum we’ve seen from device manufacturers embracing their role in security for digital transformation.
At the launch of PSA Certified in 2019, we promised to closely monitor the security ecosystem and, if necessary, adjust our efforts to bring further alignment. Over the course of 2019 new IoT security standards, government-backed requirements and laws have emerged, offering a new challenge for businesses choosing which to follow and comply with. These include ETSI 303 645 (Cyber Security for Consumer Internet of Things), California State Law (SB-327) and NISTIR 8259 (Core Cybersecurity Feature Baseline for Securable IoT Devices). We are pleased to announce that the new PSA Certified Level 1-2020 certificates will now show if a product is in alignment with these latest regulations.
This means that when a PSA Certified partner (a silicon supplier, software provider or device manufacturer) achieves PSA Certified Level 1 their security efforts can be recognized more widely and shown to be in alignment with some of the world’s biggest markets, allowing them to focus on product differentiation. We believe this will help the ecosystem to navigate confusion around historically fragmented security requirements.
Delivering on Our Promise: Establishing Globally Recognized IoT Security Best Practice
The foundation of PSA Certified (PSA Certified Level 1) offers a questionnaire which is filled in by the partner and checked by a PSA Certified test lab. The PSA Certified Level 1 questions were originally methodically derived from analyzing threat models of common IoT products and establishing 10 key security goals. For the new PSA Certified Level 1 2020 questionnaire we have aligned wording and provided mappings to the aforementioned global IoT security standards, government requirements and emerging law. This makes it easier for chip makers, software platforms and device manufacturers to show globally recognized best practice.
Many partners have already pledged support for the PSA Certified Level 1 2020 questionnaire, including Renesas who are using it for their latest certifications. We expect many other partners to adopt the questionnaire very soon. If you’d like to learn more about the 2020 questionnaire, read our blog.
PSA Certified: The Fastest Growing Security Scheme
We’re only a year into the existence of the certification scheme, but we’re already seeing significant momentum with the program – in fact we believe it has the broadest support in the ecosystem from silicon and RTOS vendors, backed by great adoption rates.
Silicon Momentum Continues: PSA Certified Level 1
Following on from our initial certifications last year, the momentum behind PSA Certified Level 1 is growing. We now have certifications from eight out of the ten top silicon providers at PSA Certified Level 1, with new certifications from Nordic, Renesas, UNISOC and Winbond. Level 1 is also growing in popularity with software platform providers and device makers who use the questionnaire to demonstrate security by design and mappings to other standards, requirements and regulation.
PSA Certified Level 1: Critical Uptake from Device Manufacturers and Ecosystem Players
Security doesn’t stop at the silicon level; in fact, to truly deliver trusted insights, it is critical that security is layered through the whole device from the ground up. It’s encouraging to see that PSA Certified has had significant uptake with device manufacturers (known as OEMs), thanks to PSA Certified offering best practice assurance, lower total cost of ownership, lower risk and regulatory alignment across geographies. Since the launch of the scheme, we’ve had certifications from Security Platform Inc and Qinglianyun. Embedded Planet, SDT Inc. and Veridify are also committed to PSA Certified Level 1 and are in the lab at present. We have also had certifications from other key ecosystem players such as NXM Labs, RT-Thread and Zephyr Project by Linaro.
Protecting Against Scalable Software Attacks: PSA Certified Level 2
PSA Certified Level 2 follows on from Level 1 by adding 25 days of security evaluation of the Root of Trust (PSA-RoT) in a test lab (see the PSA Certified Level 2 Protection Profile for details on the evaluation). The purpose of Level 2 is to provide independent assessment that the PSA-RoT meets nine security requirements expected from this sub-system and that it can protect against scalable software attacks that are the common baseline threat for IoT. It represents significant dedication to security, where the chip vendor needs to provide evidence of protecting against scalable, remote software attacks.
After announcing the availability of PSA Certified Level 2 at Arm TechCon, we have commitment from several of the key silicon vendors. STMicroelectronics has already achieved certification with their STM32L5 family. At the time of writing, six more major chip vendors have products being evaluated at the labs: Infineon, Microchip, NXP, Nuvoton, Renesas and UNISOC have also committed to PSA Certified Level 2 and are expected to achieve certification in the near future.
Pre-certification for FPGA and test-chips: PSA Certified Level 2 Ready
We also recently announced PSA Certified Level 2 Ready, which reflects the fact that everyone has unique requirements in the security space. PSA Certified Level 2 Ready is a pre-certification assessment for development systems which have made significant investment in security, but with waivers for things like JTAG access and non-secure boot, which are often necessary to omit during the development phase and then enable in production. By achieving PSA Certified Level 2 Ready, partners can speed the route to the more comprehensive PSA Certified Level 2 certification for their mass production products. Several companies have completed the PSA Certified Level 2 Ready pre-certification step and received their Evaluation Technical Reports, including Winbond, Arm China and Arm.
PSA Certified APIs & PSA Certified Functional API Certification: Smoothing the Route to Market
As we all know, for security to be scalable, hardware and software need to come together harmoniously. We are seeing continued momentum across the industry with a number of key partners adopting the PSA Functional APIs, smoothing the route to market whilst reducing development time and cost. The support for the key security functions spans across silicon, RTOS and middleware vendors.
The PSA Certified Functional API Certification shows that developers have correctly implemented mechanisms to access the critical, complex security features that change from chip to chip. NXM Labs, RT-Thread, STMicroelectronics, Winbond and Zephyr Project have achieved PSA Certified Functional API Certification since the launch last year.
It Takes an Ecosystem to Secure the IoT
Watch This Space
We’ve had an exciting year which is a reflection of hard work from both the PSA Certified founding members and the lead partners. This year we’re expecting more momentum with the program as more partners join PSA Certified. Together we will make the Internet of Things a more secure, smarter place.
As the largest independent security lab in the world, SGS Brightsight is proud to be a founding member of one of the fastest growing security schemes. Today IoT security challenges are driven by a climate of continuous change and rapid evolution for both the technology and the threats, multiplied by the larger number of devices in operation, as well as a growing number of security frameworks from public and private organizations. PSA Certified is looking to address those challenges, helping to meet the promise of security by design.
We should expect that anything connected to the internet could be protected and secured, and to implement proper security measures, security evaluations and certifications can help organizations successfully strengthen the security of IoT products. PSA Certified is an important step towards that. CAICT is committed to working closely with partners such as Arm to build a secure IoT ecosystem, and enabling customers to achieve the security they need for their specific use case and by performing security related tests.
Infineon is proud to be a lead partner for the PSA Certified program and has instructed a PSA Certified test lab to certify our PSoC 64 microcontroller (MCU) at PSA Certified Level 2. The PSoC 64 MCU offers hardware-based isolation for the device Root of Trust, Secure Processing Environment, and the Non-Secure Processing Environment, that together provide a security foundation for IoT device designers to build end-user privacy capabilities.
Nuvoton are a proud lead partner in the PSA Certified program and are committed to showcasing our security credentials by certifying products through the PSA Certified program. We’ve chosen to certify our NuMicro M2351 product line at PSA Certified Level 2 and believe this certification is important to showcase our investment to protect against scalable software attacks.
We believe the PSA Certified program will play a key role in increasing consumer confidence in connected devices by providing a full security framework and independent security evaluation, enabling us to introduce exciting new insurance products specific to IoT devices. After achieving PSA Certified Level 1 in 2019, we are on the path to achieving PSA Certified Level 2 Ready certification which offers enhanced security capabilities for scalable IoT deployments.
Confidence in security, safety and privacy is essential for the growth of processing at the Edge. As such, NXP and Arm continue to work together on PSA certification standards, which are founded in the sound principles of secure root of trust and protection against scalable software attacks. We currently have our LPC5500 series of secure MCUs and i.MX RT600 crossover MCUs being assessed for PSA Certification Level 2.
Platform Security Architecture was a cornerstone for establishing a necessary security foundation for IoT that everyone can appreciate and apply. As lead partner for PSA Certified Level 1 2020, I’m very pleased that it is inclusive of the leading industry recognized certification standards, focusing on addressing cyber security risks and mitigations. Renesas is poised to launch new products in 2020 with enhanced security features, and we are looking forward to augmenting our current portfolio of PSA Certified Level 1 products by achieving PSA Level 2 Certification.
RT-Thread is a leading open source Internet of Things operating system from China. With the joint efforts of RT-Thread, NXP and Arm, and based on the Arm Cortex-M33 processor, RT-Thread was awarded PSA Certified Level 1 at the beginning of 2020. The certification process helped RT-Thread to improve security in various areas including software framework, OTA and network communication. RT-Thread is committed to providing developers with a more secure, easy-to-develop, and component-rich operating system software platform in the future.
Customers are concerned about threats to their IoT devices but do not fully understand IoT security. For device manufacturers like us, it is difficult to make consumers trust how secure their products are. This is why we’ve chosen to achieve PSA Certified Level 1, the trustworthy certification standards, which helps our customers purchase with confidence that our IoT system-on-module has the right level of security.
With our STM32L5 series, ST is the first Arm partner to pass a Cortex-M Microcontroller to the PSA Certified Level 2 certification program. This recognises our leadership in security, being able to reach the high expectations of PSA Level 2 criteria, with new STM32 products having enhanced level of robustness. With STM32 and PSA, ST and Arm pave the way of IoT Devices future.
Improving upon security concerns is our top priority at UNISOC and we are proud that our solution UNISOC V5663 is qualifying for the PSA Level 2 certification. With Internet of Things pervading every aspect of our lives, the rising concerns with respect to security in solutions offered make business decisions crucial. For true potential of a business product to be realized, the right level of security needs to be integrated and vouched for by the recognized authority to gain the trust of the businesses and ultimately, the consumers. The PSA Certified accreditation is a testament to our commitment to keep innovating and refining our products to match the best practices of the security standards in the industry.
PSA Certified offers a security foundation which plays a critical role in ensuring the secure implementation of chips and software in the IoT, so we are very excited to see our DOME Client™ achieve PSA Certified Level 1. DOME™ is the foundation for our zero-touch onboarding and blockchain device management solution, making this PSA Certified milestone important to our company and our customers.
Our platform Biblios Wireless Module is PSA Certified Level 1, which supplies a critical foundation of security in chips, OS, and devices. Security is incredibly important to our customers who expect the strongest measures are taken while handling their sensitive data. Embedded Planet takes the responsibility of developing these systems very seriously.
We recognise that the PSA Certified program is reducing confusion in the marketplace with a full security framework and independent security evaluation. Our TrustME W75F Secure Flash Memory product is one of the first products to achieve the PSA Certified Level 2 Ready accreditation and offers a flexible and secure memory subsystem for SoC and MCU vendors.
We recognise that the PSA Certified program is reducing confusion in the marketplace with a full security framework and independent security evaluation. Our SHANHAI security solution is one of the first products to achieve the PSA Certified Level 2 Ready accreditation and offers hardware-level protection of user data, support of China commercial cryptography, plus services on IoT devices.
Microchip is committed to MCU security functionality and recognizes security starts at the Root of Trust, which is at the heart of the PSA Certified program. This is why we’ve chosen to put the Microchip SAM L11 product through PSA Certified Level 2 testing, to confirm robustness and protection against scalable software attacks.