The newly released PSA Certified Security Report 2021: Bridging the Gap gave a unique view of where we are with IoT security today. Although there is growing awareness of the importance of security, the report highlighted a huge gap in the industry’s security expertise and practices. We found that under half of the companies are carrying out threat models for new products, and only 41% of respondents from small companies are happy with their in-house security expertise. With the number of hacks on the rise and IoT becoming more prevalent, it’s more important than ever to achieve an agreed baseline of security.
The report also highlighted that 85% of tech decision-makers are looking for a collaborative approach to IoT security, building a framework and industry-led set of guidelines to improve security. All of this builds on the PSA Certified mission, set two years ago, to transform embedded security and defragment the ecosystem.
Looking back over the last two years, the PSA Certified ecosystem has gone from strength to strength, with silicon vendors, software providers and device manufacturers, all working with PSA Certified to navigate the complexities of IoT security – we now have a total of 60 PSA Certified products from over 30 partners. Together we are ensuring that our partners are implementing best practice security at every stage of product development.
In this blog we look at some of our major achievements over the last year, demonstrate how the ecosystem has revolutionized embedded security and share some hints at what is coming in 2021 and beyond.
A Strong Year for Certifications
In our second year, we have seen more industry leaders choosing to certify their products using the PSA Certified framework, in order to demonstrate their commitment to security best practice.
Silicon Providers Ease the Certification Route for OEMs
Commitment from silicon and software providers puts the Root of Trust (RoT) right at the heart of devices, enabling OEMs to leverage security in their products. Silicon providers have backed PSA Certified from the very beginning of the journey, and continue to choose the PSA Root of Trust (RoT) as their secure foundation.
- In 2020, we had new PSA Certified Level 1 certifications from long-term partners Renesas, NXP, Nordic and Infineon, plus a certifications from new partners Xiamenshi C-CHIP and GigaDevice.
- Following our announcement of PSA Certified Level 2 in 2019, we have seen a wave of certifications from silicon vendors eager to demonstrate increased robustness and achieve PSA Certified Level 2 including STMicroelectronics, NXP, Renesas, Unisoc, NXM Labs, Nuvoton and Silicon Labs.
- PSA Certified Level 2 Ready is open to vendors who can’t meet all the criteria for PSA Certified Level 2 but want to help fast track certification for their partners. This year we had certifications from Winbond and Arm.
- New for 2020 was PSA Certified Level 3 which showcases substantial security robustness of the PSA-RoT. This is a high bar for silicon vendors to reach and we’re pleased to announce that Silicon Labs are officially the first ever chip to be PSA Certified Level 3.
Commitment from Silicon and Software Vendors Building in Best Practice with Common APIs
PSA Certified also places importance on software vendors to implement security best practice and adopt common APIs to make it easier to extend the RoT services throughout systems.
- We’ve had new system software platforms achieve PSA Certified Level 1 including Arm, Foundries.io, Haier, OneOS, Sequitur Labs, and FreeRTOS.
- Silicon and software vendors have continued to embrace the PSA Functional APIs. GigaDevice, OneOS, FreeRTOS and Renesas have achieved PSA Functional API Certified, simplifying security integration for devices.
PSA Certified Level 1: Critical Uptake from Device Manufacturers
It’s critically important that the RoT foundation created by the silicon vendors and software providers is consumed and utilized in end-devices. The composition of our scheme allows device manufacturers (OEMs) to leverage existing silicon and software certifications, further easing the security journey at the device level. In 2020 we saw more certifications from industry-leading OEMs including Embedded Planet, Flex, SDT Inc., Veridify and InGeek.
For many, the development cycle for IoT devices is too long and the cost of investment too high. That’s why we created our rapid IoT development platform, iENBL, as a low-risk, low-cost and fast way to bring IoT products to market. But there is little point in offering customers a rapid IoT development platform, and then having to spend time and money figuring out how to make the device secure. PSA Certified is the fastest way for our customers to have confidence in the security of the devices we build.
Renesas has kept our promise of continuing to roll out new products in the RA Family that are aggressively based on the value proposition of advanced security and easy-to-deploy solutions with Arm TrustZone and Renesas Secure Crypto Engines. In addition, we kept our firm commitment towards PSA Certified as the security foundation for IoT, recently attaining PSA Certified Level 2 with our RA6M4 MCU Group. The certification is testimony, affirmed by independent assessment, that RA Family security is up to the challenge of protecting against scalable attacks. On the 2nd anniversary of PSA Certified, I wish to thank Arm and SGS Brightsight for their leadership and support, facilitating Renesas’s efforts to provide confidence in security for IoT enabled customers.
We are proud to join the PSA Certified Program, and we’re so happy to see that PSA Certified has gone a long way toward ensuring an effective security policy.
RT-Thread is an open-source embedded real-time operating system (RTOS) that provides a wide range of components and 300+ software packages for the Internet of Things (IoT). RT-Thread has now powered 600 Million IoT devices security is our number one priority. In 2021 we’ll continue working with PSA Certified, making IoT development easy, simple, and built with trust.
Veridify Security protects low-resource devices in the Industrial IoT and Smart Building markets where we see cyber-attacks continually growing. These threats make correctly implementing security and earning our client’s trust a critical and daily exercise. PSA Certification ensures that our DOME™ Client Software is adhering to the best industry best-practices and that we can easily communicate this to the market. We congratulate the PSA Certified team on their 2nd birthday and their essential contributions to IoT security.
At Foundries.io we believe the most up to date software is the most secure. The PSA Certified Level 1 awarded to FoundriesFactory is the first given to a Linux-based solution and validates that we are working with best-in-class approaches to security. Our customers continue to focus on their own business value-add in the knowledge that the security of their shipped devices is maintainable via FoundriesFactory.
ECOLUX is committed to providing easy-to-adopt IoT lifecycle security solution and we recognise that PSA Certified plays a vital role in helping customers realise how security IoT product is. That’s why we’ve chosen to certify our Firmware Encryption and Protection Service, awarded PSA Certified Level 1 in the middle of 2019.
Embedded hardware security is a critical component that enables trust for internet-connected devices. PSA Certified program provides a comprehensive security framework, independent security evaluation and assurance to our customers that security is designed correctly. Our award-winning Semper Secure NOR Flash solution achieved PSA Level 1 certification. The solution offers secured storage to protect data privacy by extending the root-of-trust from the SoC/MCU to the non-volatile secured memory.
PSA Certified gives us a common language in the IoT world to describe the security required for IoT devices. As we expand our business geographically, the PSA Certified program enables us to maximize our products’ security and brand visibility, and ultimately the value we offer customers. It’s not only good for Nuvoton but it’s an efficient and cost-effective way forward for the entire IoT industry.
SDT is a Hardware-as-a-Service (HaaS) company that provides hardware products with integrated IoT software. From hardware to cloud services, all of our architecture follows the PSA Certified guidelines. It allows our customers to trust us and deploy hundreds of thousands of devices in the field.
What’s particularly great about PSA Certified is that it’s not mandating a specific security implementation or architecture. It’s saying, you need to have a secure world and a non-secure world, plus a way to divide up the tasks that need to be executed in the secure world. It just makes sense.
Security is the top priority for FreeRTOS. We are excited to see FreeRTOS libraries, including the FreeRTOS kernel and IoT libraries, meet the set of security standards defined by PSA Certified Level 1. This gives all FreeRTOS developers confidence in their use of FreeRTOS, and makes it easier for those who need to achieve security compliance.
Evolving PSA Certified to Break Down IoT Security Complexities
The PSA Certified founders have taken some fundamental steps this year to reduce fragmentation in the industry.
- Regulation alignment: Our survey identified that the fragmentation of standards and regulations is a top challenge. We are continuing to monitor emerging IoT security standards to ensure that PSA Certified Level 1 aligns with most major guidelines. This includes ETSI 303 645, NISTIR 8259 and California State Law SB-327. Alignment helps all members of the value chain navigate a traditionally complex regulatory environment and facilitates the global applicability of products.
- Easing certification with composite evaluation: Version 2.1 of the PSA Certified Level 1 questionnaire, released in 2020, provides flexible composition of certificates. This allows device makers to use a certified chip and certified system software that have showcased correct use of the PSA-RoT, meaning the device manufacturer only needs to answer the device level questions to achieve certification.
- Collaboration to ease fragmentation in certification: This year we celebrated a strategic new partnership with IoXT Alliance where they recognize PSA Certified and the PSA-RoT in their product evaluations, helping to align silicon-level security across the industry. We’re also working with UL to consider how PSA Certified fits in with their UL Secure Component Qualification.
- Choice in protection profile: We also believe that choice is crucial for IoT security, as it offers more flexibility to our partners. That’s why at PSA Certified Level 2 and PSA Certified Level 3 we’re now offering two choices of methodology: a common language protection profile, plus a GlobalPlatform SESIP protection profile. You can find all versions of the protection profiles here.
- PSA Certified Foundational Training Course: A training course to guide all members of the value chain through their certification has been developed by the world-class training team at Arm, one of the PSA Certified co-founders. The course has been designed for decision makers and architects, providing them with an overview of the PSA Certified scheme, why it’s important and how it can be used.
Embedded World 2021: Back Where It All Began
We’re excited this week to be taking part in Embedded World, the event where we first launched PSA Certified two years ago. This year we have a PSA Certified virtual booth with exclusive roundtables from our world-leading evaluation labs, plus an update on PSA Certified from Rob Coombs, Business Development Director at Arm and PSA Certified co-founder, live in the conference track.
Join the PSA Certified ecosystem at Embedded World as we discuss the challenges of IoT security, the opportunities that lie ahead and how we can work together to take steps today to secure tomorrow. Learn more about our presence at the event here.
Looking to the Future
Thanks to the hard work of the PSA Certified founders and our partners, we have overcome obstacles and celebrated a hugely successful year. PSA Certified is committed to embracing a collaborative approach to bridge the gap and secure the future of the IoT. Our momentum will continue to grow this year and for years to come with more partners joining our ecosystem and helping to heal IoT security fragmentation. Join the ecosystem that is revolutionizing embedded security and deploy with confidence today.