Close Search

Transforming Business

Effectively Navigating Security Guidelines and Regulations to Protect your Business in 2020 and Beyond

IoT Security in the 2010’s – “The Wild West Years”

Businesses, consumers and governments recognise that IoT insecurity is a problem, and this is backed up by the number of news stories covering IoT devices being hacked. You may remember some of the most memorable hacks: the car that could be compromised and driven off the road, the connected video cameras that could be turned into a botnet to take out parts of the internet infrastructure, the casino fish tank that was used to spy on sensitive network data or the hacked tracking watches. When you dig into how these products were compromised, they all possessed common vulnerabilities that could have been avoided by applying good security principles.

Enter Platform Security Architecture (PSA)

Platform Security Architecture was first launched in 2017 to encourage the industry to design-in security rather than add it as an afterthought. PSA helps IoT developers by providing a holistic set of free resources to the electronics industry that have been methodically developed:

  • Threat modelling of IoT devices to identify core common security requirements
  • Generic security model with 10 goals
  • Firmware architecture documentation
  • Open source code, Trusted Firmware-M, for the PSA Root of Trust (PSA-RoT) with built-in security functions

The provision of an open source software reference implementation proved to be a critical step in gaining widespread adoption by chip vendors. Most of the world’s top 10 chip vendors have embraced PSA Certified and can now deliver a new security component, the PSA-RoT, with trusted boot, crypto, attestation and secure storage trusted functions. OEMs starting an IoT development with a PSA enabled chip today have a security component they can build on to deliver trusted devices and trusted data for cloud services.

PSA helps IoT developers by providing a holistic set of free resources that have been methodically developed
PSA helps IoT developers by providing a holistic set of free resources that have been methodically developed

PSA Certified: Moving the Industry from “Trust Me” to Independent Testing

Traditionally chip vendors, would have proprietary solutions for a chip’s Root of Trust (RoT) that might include features such as trusted boot and crypto accelerators. These solutions would not normally be security certified as there was no standard protection profile for IoT. The OEM would have to trust the vendor that they had done a good job, applied sound security principles and security engineering.

With PSA Certified we have created a standard security component, the PSA-RoT, made up of trusted hardware and trusted software that can be evaluated in a test lab. With this, an OEM developing IoT products can now have a standard benchmark for chip security that a test lab has evaluated, with access to the source code and knowledge of the hardware.
At the software platform or device application level the pragmatic approach is to show that the design is based on sound security principles. The code is usually considered too large to be exhaustively assessed for security vulnerabilities and tested. What is required is a small set of methodically derived security goals that are generally applicable to connected products.

To enable the transition to independent testing, the PSA Certified Founding Members agreed to create a security assessment scheme that works at IoT scale. We launched PSA Certified one year ago with the backing of the world’s major chip vendors, this momentum is a game changer in an otherwise fragmented market.

The scheme has three levels of increasing security assurance and robustness, designed for systems with a RoT in the chip at its foundation. PSA Certified Level 1 was created for the chip vendor, software platform and device developer, with a set of approximately 40 critical security questions that demonstrate how the developer applied good security principles and used a hardware-based PSA-RoT.

At the time of writing there are over 30 PSA Certified Level 1 products from chip companies, software platforms and device makers. PSA Certified Level 2 and Level 3 focus on the PSA-RoT from the chip vendor and offer progressively increasing levels of assurance and robustness.

The PSA Certified ecosystem continues to gain momentum
The PSA Certified ecosystem continues to gain momentum

PSA Certified enables a chip manufacturer, software platform or device maker to transition from saying “Trust me – I’ve applied good security principles” to one who can say “I took my product to a test lab and got it independently assessed and here is the evidence”. It is a major step forward in building trust, based on evidence, through the ecosystem.

A Growing Challenge – Fragmentation of Security Standards, Baseline Requirements and Law

A new and growing challenge in the IoT industry is the forest of new security standards, baseline requirements, frameworks and now regulations. This is bewildering for IoT developers, and choosing which IoT security standard, framework, baseline and principles to follow is a real issue. Add to this the regional differences where each major market adopts slightly different requirements and wording, the challenge to develop products for multiple markets worldwide becomes more complex and intimidating. If you are an IoT product manufacturer how do you navigate this and decide which IoT security framework to turn to?

With so many standards, how do you know where to start?
With so many standards, how do you know where to start?

Navigating Security Standards and Regulation in the 2020’s – PSA Certified Healing Fragmentation

At launch we promised to monitor the ecosystem and make any necessary changes to the scheme that further reduced fragmentation in the market. Which is why we’ve launched the 2020 update to the PSA Certified Level 1 questionnaire (officially known as v2.0).

In this version we have worked on aligning the security questions with the essential parts of four other documents:

  1. ETSI 303 645v2 (formerly security by design) which is likely to be important in the European market
  2. NISTIR 8259 baseline that is likely to be important to North America
  3. Californian state law (one of the first big markets with law requiring security features)
  4. Draft UK DCMS IoT requirements
PSA Certified aligns with key standards and requirements, so organizations can adhere to these complex regulations with ease
PSA Certified aligns with key standards and requirements, so organizations can adhere to these complex regulations with ease

At the end of the new PSA Certified Level 1 questionnaire there is an appendix showing the mapping of PSA Certified questions to the requirements set in these other documents. This will guide device makers, who can turn to PSA Certified and know they have a security scheme that has been methodically developed from IoT threat models and has a test lab-based security assessment. PSA Certified has become the “go to” for documents, open source software and now IoT security assessment.

This is just one of the exciting updates were announcing this year. Why not check out our momentum blog which covers our reflection on key achievements in the last twelve months and exciting updates surrounding the PSA Certified program. In this blog we will touch on new government standards and regulatory alignment with PSA Certified Level 1, the wave of world-leading silicon providers achieving PSA Certified Level 2, plus critical momentum we’ve seen from device manufacturers embracing their role in security for digital transformation.

The Future

With the evolution of our growing modern digital economy and the pace of IoT deployment only accelerating into the future, it is vital to ensure every IoT device is protected. It is essential that these devices build in security at the design stage, starting with the Root of Trust to provide a trust anchor for the device, the data that flows from it and the services that need to trust the data.
PSA Certified has the momentum to heal the fragmented world of IoT security and offer a comprehensive solution that is leading to broad industry adoption. You can see the long list of PSA Certified products here.

Find out more about our approach to IoT security


Simplifying Security for OEMs: A Four Step Framework

In the world of IoT, there’s a widely held belief that building security into devices prevents manufacturers from creating products quickly and simply. Security is often seen as a speedbump that will require expertise, delay time-to-market, increase total costs, and risk potential for success.

Of course, historically there is some truth to this. At least there has been up to now. Without a clear understanding of security options—and what’s required to achieve appropriate levels of protection—the ability to get products to market fast and at minimum cost can be diminished. But at the same time, we know that IoT devices can act as vectors through which cyberattacks can occur, so neglecting security isn’t an option we should be exploring.

In a recent study, Cybersecurity Ventures added up the costs associated with a cyberattack. They included forensic investigations, the restoration of hacked data and systems, the loss of intellectual property, lost productivity, harm to reputation, and a host of other associated expenses, finally estimating the cost of global cybercrime against businesses will be USD $6 trillion in 2021.

There’s a lot at stake, but the task at hand isn’t insurmountable. Device security can be achieved by taking a relatively simple yet comprehensive approach. PSA Certified is well-positioned to offer such an approach. The collaborative partnership of organizations behind PSA Certified has been helping the ecosystem secure devices from chip to cloud for years and we remain committed to end-to-end security.

PSA Certified is committed to end-to-end security, enabling digital transformation
PSA Certified is committed to end-to-end security, enabling digital transformation

PSA Certified: Security Guidelines for Manufacturers

PSA Certified was developed to meet the need for standardized security across the IoT industry. Designed to provide a comprehensive assurance framework that aligns market requirements and supports digital transformation, PSA Certified is built upon IoT threat models, 10 security goals and government regulations.

PSA Certified is open to any architecture and it includes both hardware and software security design standards and assists you in implementing the right protection for your device by offering multiple levels of security assurance and robustness.

Addressing OEM Security Challenges

Beyond preventing cyberattacks and securing data, there are other benefits to securing IoT devices: minimizing the risk of downtime, reducing the risk to the business’s reputation and achieving multi-level assurance. And by building consumer trust, you can increase revenue by attracting the sizeable number of end users that haven’t purchased IoT devices due to security concerns.

Whether you are designing and building your own silicon, software and IoT components, or building systems through partnerships, there are several universal challenges, especially when it comes to security:

A lack of available resources and guidance: The lack of widely accepted IoT security standards across the industry results in a time-consuming, expensive process of navigating multiple sets of guidelines and standards. PSA Certified offers free resources and a clear and open framework to implement security from the chip to the entire device.
Cost containment: Security is typically thought of as a built-in commodity, so charging a premium for it can be difficult. But a misstep can result in lost revenue and a damaged reputation. PSA Certified helps you select correct forms and appropriate levels of security, so device protection is achieved in the most cost-effective way possible.
Regulatory requirements: Working out new and continuously evolving cross-regional security requirements and mapping them to your design is labor-intensive and costly. PSA Certified maps to global government regulations. Specifically, PSA Certified Level 1 aligns with key ETSI, NIST and Californian state law requirements, so organizations can adhere to these complex regulations with ease.
Time-to-market: Being first to market can act as a powerful kickstart for a new product and can even make the difference between success and failure. PSA Certified is designed to provide access to resources, pre-certified components, and free APIs for quick and easy device security.

A Framework to Simplify Security

PSA Certified is the first complete security framework, open source firmware project and matching certification scheme designed to dramatically reduce the labor, guesswork and other challenges associated with designing security into IoT devices. It gives clarity to a fragmented, fast-moving market, and provides a foundation of trust for next-generation IoT devices.

PSA Certified consists of a four-step program that guides OEMs through the security design and development process.

Once the four steps are completed and products are tested and certified by third-party labs, products are awarded a PSA Certified certificate and use of the logo. These quality markers illustrate the commitment to protecting customers, and act as a notification that the security standards required for the device have been met.

The four steps include:

Step 1: Analyze

Understand the level of security needed

Define and create list of security requirements through a comprehensive analysis of use case threats and vulnerabilities, and match them to a list of security best practices.

PSA Certified offers:

Step 2: Architect

Plan what security you will implement and how

Leverage best practices and specifications to build a blueprint of the required security architecture, or select PSA Certified chips and RTOSes from the list of ready-Certified products.

PSA Certified offers:

Step 3: Implement

Build or integrate your solution

Implement PSA Certified components or security design into your device and use application software and APIs to ensure communication with underlying security features within the silicon.

PSA Certified offers:

Step 4: Certify

Evaluate and certify product security

Test security implementations to be sure you’re meeting all use case-based security robustness requirements.

PSA Certified offers:

Adherence to PSA Certified protocols embeds security into the heart of your product and can protect your brand, bolster revenue, enhance your reputation and even act as a key selling point. With considerable industry support behind it, PSA Certified is quickly becoming the de facto standard for IoT device security.

Get started with PSA Certified today. Download our handy guide to the 4 steps.