Smart speakers, connected thermostats, security cameras, intelligent gateways and the latest OLED TVs are all examples of edge devices. They combine powerful processing capabilities, connectivity and complex system software to deliver impressive functionality for consumers and businesses. Securing them against basic or substantial cyber-attacks has been a challenge due to low-level fragmentation of security solutions, requirements and even the language used to describe them. Additionally, very few of these devices have effective security certification or standard security components, and that leads to an internet of vulnerable devices and a target-rich environment for hackers.
As part of Arm Dev Summit, PSA Certified has announced the expansion of its offering to transform security for high-performance edge devices. It is addressing the problems of fragmentation and lack of component certification by bringing a baseline of security to edge devices that is independently evaluated and built on a high-quality Root of Trust (PSA-RoT). The first deliverable is a new PSA Certified Level 1 questionnaire (v2.1) that has been updated to better fit the needs of connected devices that use an applications processor and Linux-based system software.
The Mission of PSA Certified
PSA Certified has the mission to help the electronics industry secure all connected devices that need basic or substantial protection from cyber-attacks. Launched as a continuation of the Platform Security Architecture in 2019, its first focus was resource-constrained devices such as sensors and actuators that are typically created with microcontrollers.
With the help of most of the world’s leading chip vendors, a new security component known as the PSA Root of Trust (PSA-RoT) has been built into the latest generation of connected systems on chip, providing a trust anchor in the device that enables end-to-end security with cloud-based services. Our independent evaluation scheme provides three easy-to-understand levels of security assurance and robustness. This enables device manufacturers to choose the level of security they need, whilst also demonstrating that they meet regionally important cybersecurity requirements (such as NIST 8259A and ETSI EN 303 645) and documenting due diligence for meeting legal requirements.
Ultimately, the PSA Certified evaluation scheme moves the market from a position where chip vendors, software suppliers and device makers were saying “trust me, I did a good job on security” to one where security investment and credentials are proven by independent security evaluation carried out by leading test labs.
How PSA Certified is Helping…
From the beginning of PSA Certified, we believed that the industry needed a security framework and comprehensive set of free deliverables to help overcome the complexity of building secure-by-design products. The PSA Certified founders have actively contributed to this framework, providing resources that all developers can benefit from. The four steps of PSA Certified are shown below and the accompanying resources are:
- Analyze: Example threat models (also known as Protection Profiles) for connected devices to help device makers establish their security requirements
- Architect: A set of architecture documents that underpin PSA Certified such as the Platform Security Model, Firmware Framework and hardware security requirements.
- Implement: Open source reference implementation of Trusted Firmware for the PSA-RoT as well as APIs and test suites for software interface (API) compliance
- Certify: A set of security documents covering three levels of security assurance and robustness so that device makers can choose an appropriately robust chip for their market
Introducing PSA Certified Level 1 (Version 2.1)
PSA Certified Level 1 assesses security principles-based design using a security questionnaire and is applicable to chip vendors, system software providers, and device manufacturers. It is methodically developed using IoT threat models, security goals and key government and industry regulations and standards from around the world. The process is quick and low cost as it consists of a concise questionnaire (fewer than 50 questions) followed by a review by one of the PSA Certified evaluation laboratories. It has a layered (composite) format with separate sections for chip, system software and device.
Although it has always been possible to complete PSA Certified Level 1 on edge devices, the PSA Certified founders have been actively taking steps to align it better with the needs of high-performance IoT and edge devices. Some of the changes in the latest Level 1 v2.1 include:
- Improved language and design for application processors and Linux-based systems
- Easier composition of chip plus system software plus device questions. An OEM may only have to answer 20 device PSA Certified Level 1 questions if they are using PSA Certified software and chips in their designs
- Latest mappings to final versions of EN 303 645 and NIST 8259A
- Questions added or improved to better fit application processor-based edge devices
PSA Certified has already transformed security for IoT based on connected microcontrollers and been massively adopted. The positive reaction from the IoT ecosystem has been impressive: many of the leading IoT silicon providers are PSA Certified Level 1, and a growing number of them are PSA Certified Level 2. In total, we have 50 PSA Certified products from a collection of 26 partners. Some examples include products from silicon partners (Renesas, Nordic, ST, Infineon and NXP), OEMs (Embedded Planet, Veridify, SDT Inc.) and software/OS (FreeRTOS, EcoLux, RT-Thread, Mbed OS, Zephyr).
The PSA Certified founding members continue to invest time and resources to make this the foundational scheme for IoT devices, software and chips. We’re excited to bring the success we have had in microcontroller and RTOS-based IoT systems to the world of application processors and high-performance edge devices.
Get Started with PSA Certified Level 1
PSA Certified Level 1 is for chip developers, system software suppliers and device makers. It enables a world of security-certified components and software that can build upon each other to create a secure device. It simplifies the job of IoT device manufacturers by having the security of their hardware and software independently assessed.
To get started, download the latest PSA Certified Level 1 security questionnaire (v2.1) from an evaluation lab and fill in the appropriate sections. When you are ready, review the questions and answers with one of the accredited evaluation laboratories, who will help you with the certification process.
If you are interested in the open source reference implementations of the PSA-RoT, head to www.trustedfirmware.org, which is the open governance, open source engineering organisation delivering PSA-RoT on OP-TEE for applications processors and the TF-M project for microcontrollers.
Chip vendors can demonstrate the quality and robustness of their PSA-RoT to their device manufacturer customers by completing either PSA Certified Level 1 (questions based on security principles and best practice) or PSA Certified Level 2 (test lab-based evaluation showing protection against software attacks). The PSA Certified founding members have a draft of PSA Certified Level 3 that will enable chip vendors to show that their chip’s PSA-RoT can protect against substantial physical as well as software attacks. The draft PSA Certified Level 3 scheme documents are available to potential lead partners from any of the PSA Certified founding members.