In these days of the Internet of Things (IoT), Industrial IoT (IIoT), and Artificial Intelligence of Things (AIoT), in which everything is connected to everything else, either directly or via the cloud, nothing can be assumed to be secure, but everything has to be guaranteed to be secure. The number of devices connecting to the Internet each year is growing at an exponential rate. In fact, Arm expects there to be over 1 trillion connected devices by 2035, and the one thing each of these devices is going to need is security.
To address the issues associated with developing and productizing secure embedded systems and IoT devices, Arm has been instrumental in creating standards, frameworks, tools, design flows, and initiatives that help developers create secure products faster. These include the PSA framework and the PSA Certified initiative.
Introducing the PSA Framework
The Platform Security Architecture (PSA) offers a framework for securing connected devices. It provides a step-by-step guide to building in the right level of device security, reducing risk around data reliability, and allowing businesses to innovate on new ideas to reap the benefits of digital transformation.
The PSA is a holistic set of threat models, security analyses, hardware and firmware architecture specifications, and an open-source firmware reference implementation. The PSA provides a recipe, based on industry best practices, that allows security to be consistently designed in, at both a hardware and firmware level. This helps embedded developers get their designs securely deployed in the field faster.
The PSA was created to help ensure that security is designed into a device from the ground up. The four PSA stages that guide security implementation for each specific use case are as follows:
- Analyze: This involves the evaluation of assets and assessment of threats to define specific security requirements.
- Architect: The architecture of the security design is based on identified security requirements.
- Implement: This features an open source firmware implementation that complies with the specifications from the architecture stage.
- Certify: This provides assurance that products adhere to security requirements and PSA guidelines through the PSA Certified scheme.
Introducing the PSA Certified Initiative
The reasons for implementing security are well known. We are surrounded by applications that collect, store, and analyze data, both personal and commercial. The cost of a security breach can be crippling, both financially and in terms of reputation. If an individual or a business feels that a device manufacturer or a service supplier cannot be trusted to keep their data secure, they will take their business elsewhere.
The term “PSA Certified” refers to an industry initiative that was founded by Arm and six other industry-leading companies. Most IoT chips and platforms do not get independently tested. This lack of assurance increases the chance of vulnerabilities in devices reaching the market. Independent testing raises the bar on security and sets agreed levels of security assurance and robustness.
PSA Certified: Enabling “right-sized” device security (Image source: PSA Certified.org)
PSA Certified builds trust through an independent certification scheme. It helps the developers of embedded and connected systems meet multi-region IoT security requirements with a simple multi-level evaluation scheme. Putting security at the heart of the product, PSA Certified provides an independent assessment of IoT devices, platform software, and the chip’s Root of Trust (PSA-RoT).
The certification program is built on the foundations of the PSA, which was created to address the need for scalability and consistency across large-scale IoT deployments. PSA Certified offers a full security framework with example threat models, security architecture documents, and an open-source reference implementation of the Root of Trust.
There are currently two levels of PSA Certified (a third level is in development):
PSA Certified Level 1
The foundation of PSA Certified, this level features a questionnaire which is filled in by the partner and checked by a PSA Certified test lab. These questions were derived from analyzing threat models of common IoT products and establishing ten key security goals. The latest release of this questionnaire is aligned and mapped to IoT security standards, government requirements, and emerging law, thereby making it easier for chip makers, software platforms, and device manufacturers to show globally recognized best practice.
PSA Certified Level 2
This follows on from Level 1 by adding 25 days of security evaluation of the Root of Trust (PSA-RoT) in a test lab. Achieving this level of certification represents significant dedication to security, where the chip vendor needs to provide evidence of protecting against scalable, remote software attacks.
PSA Certified Level 1 is applicable to chips, real-time operating systems (RTOSs), and devices. PSA Certified Level 2 increases the robustness testing by focusing on the PSA Root of Trust (PSA-RoT), and is therefore aimed at chip vendors.
PSA Certified Adoption and Building Momentum
Building secure chips and devices for the IoT is non-trivial. The documents, deliverables, and testing scheme of PSA Certified have been designed to make the path easier, quicker, and more affordable for the electronics industry. Chip vendors, RTOS companies, and OEMs who have their products PSA Certified can showcase their solutions on this website and use PSA Certified trademarks and logos.
The momentum behind PSA Certified is growing, with certifications from eight out of the ten top silicon providers at PSA Certified Level 1, including new certifications from Renesas, Unisoc, Winbond, and Nordic Semiconductor.
The PSA Certified initiative has enjoyed an exciting year, resulting from hard work by the full PSA Certified founding members and lead partners. Momentum is increasing as more and more partners join the PSA Certified scheme. The result of PSA Certified is to make the IoT a smarter and more secure place for all.
First Published on Embedded-Computing.
