Put simply, digital transformation is the ability to deliver new services and efficiencies across multiple markets. This drive to bring new levels of service and efficiency is bringing a new wave of connected devices, often with new and exciting technology. This megatrend of digital transformation is not unique to one sector; it spans them all, with the ability to transform our lives and the way we do business. Whether we are streaming music from our voice-activated smart speaker, monitoring property with smart cameras or finding new efficiencies in production lines – the digitization of consumer lives and businesses is everywhere.
Businesses have already started to see the possibilities, which go beyond novel improvements and are gradually turning into products and services that we cannot live without. Industrial and enterprise businesses have been the early adopters, realizing quickly how improved efficiency can translate into business opportunities. From economising on the amount of gas, electricity and water used in buildings to reduce CO2 and save energy costs, to optimizing production processes and tracking assets at optimum temperatures or in remote locations, or even offering a new service that maybe wasn’t possible before – the opportunities are limitless.
Consumer adoption has perhaps been a bit slower than expected, as security breaches have sparked concerns about how to protect personal data. In the PSA Certified 2022 Security Report we found that a huge 83% of respondents are looking for specific security credentials when buying connected products as a consumer – however, 68% of this total admit they don’t know which credentials to look for. This shows that consumers have a real interest in understanding how secure devices truly are.
In this blog, I will explore some of the hurdles ahead of us to make digital transformation a reality, and why security is crucial to delivering assurance at scale.
Digital Transformation Hurdles
This transformation offers a lot but doesn’t happen overnight: there are multiple business, market and technical challenges to overcome for it to be realized. Although there are many hurdles, they can broadly be grouped into three areas: connectivity, intelligence and security.
Connectivity is the ability to connect a device to a service. This is typically wireless but doesn’t have to be; wired connections such as Ethernet are still prevalent today. The advent of 5G networks brings the ability for cellular networks to support a massive scaling of devices through multiple techniques. Digital transformation is gated by connectivity: it is the plumbing of change and a key building block in the roll-out of services.
The rise of devices is largely driven by the need to collect more data, and by scaling devices quickly you can collect more data than ever before. However, data by itself doesn’t deliver value; instead, the value is determined by the insights that can be derived. This scale of data is beyond human ability to process, so we look instead at software algorithms that can interpret the data and make decisions. This process, which is known as AI, or Artificial Intelligence, is the key to both the scaling of the services and the value of the services – the better the interpretation of the data, the more valuable the service. We already see AI in applications such as voice assistants in our homes, but there are richer, more complex applications where it is used to spot trends and anomalies and to provide business insights.
With IDC predicting that by 2025 there will be 55.7 billion connected devices worldwide, the need for IoT security has never been more pressing. But the cost of IoT insecurity when designing products is higher than it has ever been. According to analysis from cybersecurity provider Kaspersky, the first half of 2021 saw 1.5 billion attacks on smart/IoT devices – double the number from the previous half-year – while the cost of cybercrime is predicted to reach $10.5 trillion by 2025 (source: CyberSecurity Ventures).
The massive scaling of connected devices brings with it an increased risk of hacks and ransomware attacks, especially as the value of the end services goes up. As we have seen with traditional IT and ‘the internet’, there is a very real business risk in terms of how to manage and navigate these threats. With digital transformation, this risk is set to grow significantly unless the electronics industry takes steps to mitigate it.
IoT security does not just protect the end user. In the PSA Certified 2022 Security Report, respondents almost unanimously agreed (96%) that having security in their products has a positive impact on their bottom line. Product differentiation and charging a premium is tempting to any business. But being able to ship more significant volumes of products because partners and end-users trust them, and delivering them to the market at speed, is also a key advantage.
The Industry Needs Assurance to Embrace Digital Transformation
Markets grow based on confidence: if there is a perception that device networks are susceptible to attacks, the pace of adoption will slow down. The PSA Certified 2022 Security Report revealed that the technology ecosystem has already started to make positive change to overcome this risk: 90% of respondents surveyed have seen security increase in importance over the last 12 months. Respondents noted a shift in consumer perspective to prioritize checking for security in connected devices, debunking the myth that consumers only care about cost and features.
Now that the ecosystem has realised that security is not optional, we need to understand when security is fit for purpose. An inconsistent approach to security is the industry’s biggest challenge to solving this problem: how to drive a common set of requirements for devices that connect to services and collectively deliver the required security assurances. This was also highlighted in our PSA Certified 2022 Security Report, where 96% said they would be interested in an industry-led set of guidelines on IoT best practices – a considerably higher finding than the 84% of respondents in our previous survey.
A Foundational Approach to Security
At the heart of a secure device is a ‘Root of Trust’ or RoT. This is the portion of the device that is completely trusted and is used as the basis of all secure operations. If the RoT in a device is compromised, then we no longer trust the device. Although a RoT is not a new concept, the need to deploy connected devices at scale with a RoT is. A simple way to think about a RoT is the SIM card in your phone or the chip in your banking card. These devices have been designed with very high levels of security in mind and are able to offer extreme levels of robustness. Not all applications need banking card security; some need lower levels of security that are ‘right-sized’ to balance cost and complexity with the end market needs.
PSA Certified – An Industry Collaboration
PSA Certified is a security framework and device-level security assurance scheme that was created to drive security best practices across the electronics industry. As we have learned earlier, the markets need assurance and confidence in device security to grow and achieve the scale they promise. The scheme was originally spearheaded by Arm, and is now maintained by a number of world-leading security companies (including Applus+, Arm, CAICT, ECSEC, Riscure, Serma, SGS Brightsight, ProvenRun, TrustCB and UL).
PSA Certified has been specifically designed to help create and certify best practice device security centered on the provision of a RoT. At the heart of PSA Certified is a multi-level assurance scheme evaluated by independent security labs. PSA Certified Level 1 is the industry ‘hygiene factor’ for a connected device and represents the minimum criteria for a device to be securely deployed and connected to services. As well as mandating a hardware Root of Trust, PSA Certified Level 1 also maps to the most significant regulations and standards for IoT devices such as NIST and ETSI and includes checks for how the device is managed during its deployment. Progressive levels of PSA Certified drill into the additional security measures around protecting the RoT with PSA Certified Level 2 certifying robustness to scalable software attacks and PSA Certified Level 3 defining protection against lightweight hardware attacks as well.
Embraced by the Ecosystem
Since launch over three years ago, PSA Certified has scaled to become one of the fastest growing, most valued security ecosystems globally. Being awarded ‘Ecosystem of the Year’ in the IoT Global Awards 2021 is a testament to the role it has played, and will continue to play, in uniting industry, standards bodies, regulators and insurers under one initiative. In doing so it’s accelerating the cross-industry collaboration required to unlock the full potential of the IoT.
PSA Certified has over 120 certifications from nearly 70 different partners worldwide, deploying products in all connected markets. This includes 35 silicon vendors, including the majority of the top 10 vendors worldwide, who have all built a common PSA-RoT into their products. PSA Certified has democratized the adoption of security across the electronics industry, giving the ecosystem the confidence to innovate, while protecting consumers, businesses, and service providers from the most common hacks.
The technology ecosystem is not alone either: the PSA Certified 2022 Security Report found that a huge 96% believe that if the industry increased its rate of certification, it would only be beneficial. This momentum towards security certification will accelerate the path to a more robust IoT ecosystem.
From Conception to End-of-life, Device Security Matters
As we have seen, PSA Certified represents the electronics industry’s collective approach to drive security best practice into connected devices. The provision of security is not something that can be added just at the network layer (although clearly that does have a role in spotting rogue devices) but is rather something that has to be considered right from the outset. PSA Certified manages this in four distinct phases. First, the device requirements are analyzed against the perceived threats that the device will have to counter during its lifetime. Secondly, protection against these threats is architected right into the heart of the device, most notably through the design of a RoT. The third step is to implement the design; we can already see most of the major chip vendors in IoT working to implement security into their designs. Finally, the product is certified to validate that the security best practices were followed. This allows vendors to showcase their security capabilities and in turn allows OEM designers to choose secure silicon that best meets their requirements.
We have seen how digital transformation is driving the adoption of connected devices across multiple industries and applications. To realise this vision it is essential that these massive networks of connected intelligent devices are secured to assure the end users of the robustness and resilience of the service. PSA Certified is a multi-level certification scheme that has been designed to drive industry best practice into how connected electronic devices are secured and trusted.