As we look back four years ago when Arm first introduced the Platform Security Architecture, the change in the ecosystem is staggering. At our inception, IoT security was incredibly fragmented, with little collaboration from the electronics industry to make the world a more secure place. While we still have a long way to go, four years later, things are quite different. Not only do we have an ecosystem recognizing the Root of Trust (RoT), but we also have an ecosystem of partners actively deploying the RoT into chips, software, boards, modules, and end products. As hacks and news stories hit the headlines, it’s easy to feel quite deflated that IoT security may never be “solved”, but in fact, there is a lot to be celebrated.
Realizing an Ambitious Goal
If you have been following PSA Certified, you’ll know that our certification scheme was a continuation of the aforementioned Platform Security Architecture, first introduced at Embedded World in 2019. At the time, seven of the leading security companies (Arm, CAICT, Riscure, Prove & Run, SGS Brightsight, TrustCB and UL) came together to introduce a certification that was the first of its kind: certification based and unpinned by the PSA-RoT. We wanted to unify the suppliers within IoT to base their products on the RoT, reducing development time and fragmentation, while raising the security bar to protect digital transformation.
I personally align with the admirable goal of aligning around a hardware Root of Trust, which the IoT industry have built together.
Silicon Vendors Revolutionizing Security with a Common PSA-RoT
We started our journey with the chip vendors, who are at the heart of devices and have the responsibility to make the right security choices at the start of development. The chip vendors really live and breathe our mission today, where we have almost 50 chips all based on a certified PSA-RoT. PSA Certified has three levels of security certification, which represent different levels of investment and robustness. PSA Certified Level 1 documents security best practice, PSA Certified Level 2 includes penetration testing against remote software attacks, and PSA Certified Level 3 includes penetration testing against hardware attacks. As the scheme has matured, the chip vendors have increasingly provided chips with greater levels of robustness, to combat the threat landscape.
In the last year we’ve had some exciting developments in our chip ecosystem in this space, which include the World’s first PSA Certified Level 3 products, first by Silicon Labs and then by STMicroelectronics. The bar for PSA Certified Level 3 is very high, including both hardware and remote software attacks, and it deserves to be commended. On top of that, there is the growing ecosystem of PSA Certified Level 2 products, that again represents silicon vendors who have taken that additional step to have their chips penetration tested in the lab to ensure that their products can withstand the majority of remote software attacks.
The PSA Certified program enables the STM32U585, and the previously certified STM32 platforms, to be recognized as trusted secure micro-controllers to aid design-in and development of IoT devices.
The Expanding PSA Certified Level 1 Ecosystem
Of course, we also have a whole suite of PSA Certified Level 1 partners and products – with over 70 certifications – who choose to document security best practice. Notable mentions here in the last 12 months include:
- The expansion of PSA Certified into the application processor space, in order to help secure the edge devices that are growing in popularity, and are in desperate need of updating from legacy devices. This includes chip vendors such as NXP, but also ODM certifications such as Eurotech.
- Our growing software ecosystem, which this year has expanded to include Sequitur Labs, Foundries.io (again enabling the edge ecosystem) but also Haier, Eurotech and FreeRTOS which enables a new range of devices to achieve PSA Certified status.
Device Manufacturers Leading The Way with Best Practice Security
Finally, I want to touch on our growing device ecosystem, as ultimately this is where our composite scheme and the value of a hardware-based RoT really comes to life. Achieving device certification with PSA Certified requires many proactive choices around security, it’s a choice by manufacturers to do the right thing with security. To have 15 PSA Certified devices is a great achievement – and we’re proud this year to welcome Arrow, Eurotech and Flex, among many other early adopters, to our partnership. Not only do these PSA Certified OEMs lead the way with best practice security, they also unlock many other benefits including regulation alignment, faster time to market with security and of course, a demonstrable badge of trust.
Collaboration is at the Heart of Success
Outside the partnership of the PSA Certified products, there are many other ongoing collaborations which help to bring more robust security to the IoT. First, we have the recognition from other schemes, such as IoXT, UL and DLC – who all have pledged to recognize the PSA-RoT as best practice, and also as fast-tracks in their own certification schemes. Second, we have expanded the PSA Certified evaluation labs this year to include Applus and ECSEC, offering more choice and an expanded global reach for companies looking for the right-fit evaluation partner.
Technical Advancements Make it all Possible
All of the great achievements from the PSA Certified partnership is made possible by the technical advances the PSA Certified founders are making every year. We are continuously investing in new resources and scheme enhancements to reflect the trends in the ecosystem. Some key examples of this include:
- Updates to the PSA Certified Level 1 questionnaire, which maps to key regulation and standards
- The introduction of PSA Certified RoT component certification curated for IP and subsystems to recognize their role in creating the PSA-RoT
- Additional protection profiles (building on the original CSPN-style protection profiles) with the SESIP evaluation methodology, that opening up different routes for PSA Certified, but also increasing the reusability to help your certification go further.
Don’t Wait to Join the Partnership Leading the Charge to Secure Digital Transformation
The PSA Certified vision is for the IoT to be built upon devices with a certified RoT and for all connected devices to have demonstrable security built on common, best practice principles. By achieving these two major steps we protect businesses and consumers alike, while providing a solid foundation for collaboration and success. To date, PSA Certified has evaluated over 80 products, from almost 50 partners. All our partners and our ecosystem, are taking proactive steps in their design choices and working with external labs to demonstrate their security robustness. PSA Certified is not something you achieve by luck; our partnership is leading the charge to make secure digital transformation a reality in the future and making the most of being at the forefront of change; don’t get left behind, join the fastest growing security ecosystem today.