A multi-level assurance scheme for securing digital transformation
Many vulnerable devices are getting to market without prior security testing, leaving thousands of networks vulnerable to attack. Independent security evaluation provides an opportunity to simply test these devices before they reach the market.
PSA Certified is an assurance scheme that independently tests and certifies IoT products, building trust and providing product owners the chance to show security due diligence.
With all IoT products having unique security requirements, it is challenging to communicate security best practice across the ecosystem. PSA Certified focuses on the security requirements of the generic parts of IoT products and combines this with a multi-level evaluation scheme.
This ensures IoT products are built to a consistent set of security principles with additional security features assessed for products requiring additional measures.
A Multi-level, Scalable Evaluation
The PSA Certified scheme has three levels of certification with increasing robustness testing.
PSA Certified Level 1 checks for essential security principles through a security questionnaire for chip vendors, software providers and device makers.
PSA Certified Level 2 evaluates the chip’s PSA Root of Trust (PSA-RoT) security component to ensure protection against scalable, remote software attacks.
PSA Certified Level 3 ensures substantial security assurance and robustness against physical and software attacks through evaluation of the PSA-RoT.
Methodically Created Scheme
The security requirements evaluated in PSA Certified have been derived from careful and methodical work. This draws on information from IoT threat models, the PSA Security Model and government and regional guidelines. Together these create a strong foundation for the scheme.
Assurance for the Whole IoT Value Chain
PSA Certified security certification has been designed to benefit the whole IoT value chain, from the chip hardware to the cloud.
It establishes a common IoT security component in the silicon, the PSA-RoT, that provides a strong foundation for security, and adds security requirements at the RTOS and device level on top of it.
With this foundation of security, a mechanism to communicate trust outside the device is needed to ensure only devices following best security practice can be added to networks.
PSA Certified products are given a unique digital certificate number (International Article Number EAN-13). It is recommended that the EAN-13 reference number is used in the chip’s attestation token to communicate the PSA-RoT and security certification level to device manufacturers and cloud providers, so that they can make informed decisions about the product.
Cloud service providers can access trust information of products using Entity Attestation Tokens that hold security claims for individual devices.
Device manufacturers can integrate PSA Certified chips and RTOS with suitable robustness for their products. This limits the number of security measures they need to implement on their device and lowers the total cost of ownership.
RTOS vendors can integrate their solutions with PSA Functional APIs and implement security measures to align with the 10 security goals. This streamlines access to security functions in the chip.
Chip vendors can clearly showcase the security level of their Root of Trust to the ecosystem, providing a trusted foundation for the next generation of IoT devices.
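The mechanism described above, where the EAN-13 certificate number travels in the attestation token, lets a relying party gate network admission on certification level. The following is an added example, not PSA Certified's or this page's own code: it assumes the token's signature has already been verified and its claims decoded into a dict, and the claim name `certification_reference`, the `CERTIFIED` registry and both certificate numbers are constructed for illustration.

```python
import re

# Constructed registry: EAN-13 certificate number -> certified level.
# Assumption: a real deployment would fill this from the scheme's
# published list of certified products.
CERTIFIED = {
    "1234567890128": 2,  # constructed sample, not a real certificate
    "9999999999994": 1,  # constructed sample, not a real certificate
}


def ean13_valid(ref: str) -> bool:
    """True if ref is 13 ASCII digits with a correct EAN-13 check digit."""
    if not re.fullmatch(r"[0-9]{13}", ref):
        return False
    digits = [int(c) for c in ref]
    # Weights alternate 1, 3, 1, 3, ... over the first twelve digits.
    total = sum(d * (3 if i % 2 else 1) for i, d in enumerate(digits[:12]))
    return (10 - total % 10) % 10 == digits[12]


def admit_device(claims: dict, min_level: int) -> tuple:
    """Decide admission from already-verified attestation claims.

    'certification_reference' is a hypothetical claim name used here
    for the EAN-13 certificate number carried in the token.
    """
    ref = claims.get("certification_reference")
    if not isinstance(ref, str):
        return (False, "missing certification reference")
    if not ean13_valid(ref):
        return (False, "malformed EAN-13")
    level = CERTIFIED.get(ref)
    if level is None:
        return (False, "unknown certificate")
    if level < min_level:
        return (False, "certification level too low")
    return (True, f"PSA Certified Level {level}")


if __name__ == "__main__":
    for ref in ("1234567890128", "9999999999994", "1234567890123"):
        print(ref, admit_device({"certification_reference": ref}, 2))
```

The check fails closed: a missing, malformed or unrecognised reference is rejected in the same way as one whose level is below the policy minimum.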
Getting Started with PSA Certified Security Certification
The PSA Certified Founding Members have provided a set of free and open resources making security certification accessible for everyone.
These include step-by-step guides, the PSA Certified Level 1 questionnaire and the PSA Certified Level 2 Root of Trust Protection Profile.