Creating a Common Security Language

Case Study | Nuvoton


Increasingly, Nuvoton's customers are looking for solutions to help them develop IoT devices, but the lack of an IoT security standard acceptable to multiple governments and the sheer number of IoT devices with different designs and requirements have presented major challenges.

“Varying governmental security regulations in different parts of the world have added to the complexity of addressing security in IoT devices,” explains Jason Lin, vice president of Nuvoton’s microcontroller application business group. “Plus, many of our customers don’t know what kind of security to include and try to reduce costs.”

As we expand our business geographically, the PSA Certified program enables us to maximize our products’ security and brand visibility, and ultimately the value we offer customers. It’s not only good for Nuvoton but it’s an efficient and cost-effective way forward for the entire IoT industry.

Jason Lin, VP, Nuvoton Technology

One Standard for Multiple Governments

With the rise of the IoT era, governments around the world, including the US, China, and the EU, are working on security standards for IoT devices.

“We all know that security is a major concern for IoT devices,” Lin adds. “If governments could agree to one standard through the PSA Certified independent security assessment, the electronics industry could simplify design and manufacturing processes and reduce costs. This is where we think that the PSA Certified program offers tremendous value.”

Secure functionality has always been a hallmark of Nuvoton products for its embedded applications, such as smart cars and mobile phones, so Nuvoton started to look for a similarly robust approach for its latest series of microprocessors for IoT devices.

Security Based on Arm Technology

The NuMicro® M2351 series of microprocessors is powered by the Arm Cortex-M23 core with Arm TrustZone for Armv8-M architecture and offers robust software-level security in addition to traditional firmware-level security. The NuMicro M2351 series is focused on IoT security and is PSA Certified Level 1 and PSA Certified Level 2.

“We’ve designed security features based on the PSA Certified standard into entire families of microprocessors, not just a single unit,” says Robert Ling, technology manager at Nuvoton. “This allows us to offer customers a wider range of options depending on the application under development and other requirements.”

To gain PSA Certified Level 1 and PSA Certified Level 2 for the NuMicro M2351 series, Nuvoton followed the process laid out in the PSA Certified framework: threat analysis, security architecture, implementation, and certification.

“We defined the chip’s security specification from an application point of view and used the PSA Certified standard to do threat model analysis for our applications,” Lin explains. “We then optimized our chip design using the PSA Certified standard as a high-level guideline, together with the team’s own accumulated security experience and customer feedback.”

Creating a Common Security Language

Nuvoton completed the mandatory lab interview after implementing all requirements for PSA Certified Level 1 and carried out penetration testing to achieve PSA Certified Level 2. It is now exploring the development of products that are eligible for PSA Certified Level 3. The company sees several benefits to participating in the program.

“Today, there’s no common language and no common security standard for IoT,” Lin says. “However, we hope that as governments create security regulations and the number of IoT devices on the market continues to grow, PSA Certified emerges as a single security standard so customers know that what they’re buying is secure, and manufacturers won’t have to try to meet varying security standards in different countries.”

As Nuvoton continues to expand its global reach, the PSA Certified designation is raising its visibility both in the IoT security market and in new geographies.