PSA Certified: Building Trust in IoT

By Paul Williamson, VP and GM, Emerging Businesses Group, Arm

February 25, 2019 -- 2018 saw the topic of security continue to hit the headlines, showing the unrelenting damage both hardware and software security vulnerabilities are having on businesses and consumers alike. IoT security challenges are a constant presence and if we are to instill confidence in IoT devices, the industry has a shared responsibility to rectify this – security cannot be optional.

Back in October, Arm’s CEO Simon Segars shared our second Security Manifesto stating that security is never ‘solved,’ the threat landscape is ever-changing and we must remain vigilant. When we launched Arm’s Platform Security Architecture in 2017, we defined a framework to bring best practice approaches to security, and since then a huge amount of work has been done to continue to equip the ecosystem to offer consistent secure foundations for devices – for example, this time last year, we launched the first set of PSA Threat Models and Security Analyses documentation.

Now it’s time to combat the current lack of security validation of IoT devices and we’re doing this by partnering with renowned test lab partners Brightsight, CAICT, Riscure and UL, and security experts Prove&Run, to create PSA Certified. This program is a natural step in the evolution of PSA as trusted, independent security testing is critical to enabling the development and deployment of these devices at scale.

Why should you care about PSA Certified?

You should care, especially if you’re a software developer, because PSA Certified is applicable to the vast majority of the IoT device market volume today. It is based on openly published threat models, specs and open source reference code, allowing for older MCUs, as well as newer processor architecture, processors, to be tested.

Developers who build systems in line with PSA principles will be able to have all products tested and certified at one of three assurance levels.

Level 1: The foundation of PSA Certified

This is the initial level of certification which requires a critical security questionnaire based on PSA security model goals and IoT threat models. There are different forms depending on if you are a chip maker, OS provider or device maker, and once completed, the questionnaire is reviewed alongside a PSA Certified lab check of your product.

The foundational Level 1 certification uses the 10 security model goals from the PSA architecture documents and aims to catch common security issues through an assessment of security functions. The questionnaire can be downloaded, filled in and then you can contact a partner test lab for an interview style assessment.

We have already seen leading silicon partners and IoT platform providers achieve Level 1 certification, including Cypress, Express Logic, Microchip, Nordic Semiconductor, Nuvoton, NXP, STMicroelectronics and Silicon Labs.

Level 2: Lab-based evaluation

Level 2 is aimed at chip makers and includes a 25-day lab based evaluation against the PSA-root of trust (PSA-RoT) protection profile. This time-limited evaluation makes the scheme affordable and efficient, and tests for both software and light-weight hardware attacks.

PSA Developer APIs – simplifying developer access to security functions

PSA Functional API Certification is a separate certification which uses test kits to prove that PSA based solutions have a consistent set of APIs for essential security functions, ensuring a consistent developer experience. As we launch, Nuvoton and OS provider ZAYA have already achieved both PSA Certified Level 1 and PSA Functional API Certification, and Arm Mbed OS will provide out of the box compliance with PSA Certified Level 1 and PSA Functional API Certification in its upcoming March 5.12 release.

What’s next for PSA Certified?

Level 3 of PSA Certified is currently under development, and will support more extensive attacks such as side channel and physical tamper, and we will bring it to market in the near future. There is also room for additional device level evaluation such as any vertical specific devices, and we will share more information on this later in the year.

The goal of PSA Certified is to build trust in IoT and services. The program completes the circle in delivering the total PSA IoT security framework, providing a mechanism for the whole value chain to more easily specify or buy silicon or devices with the right-level of security. As it becomes widely utilized, it will build trust in the ecosystem through independent security testing of large volumes of designs, and enable the ecosystem to agree a solid security API for the industry.

Visit PSAcertified.org to find out more.

About Arm

Arm technology is at the heart of a computing and connectivity revolution that is transforming the way people live and businesses operate. Our advanced, energy-efficient processor designs have enabled intelligent computing in more than 130 billion chips. More than 70% of the world’s population are using Arm technology, which is securely powering products from the sensor to the smartphone to the supercomputer. This technology combined with our IoT software and end-to-end connectivity, device and data management platform enables customers to derive real business value from their connected devices and data. Together with our 1,000+ technology partners we are at the forefront of designing, securing and managing all areas of compute from the chip to the cloud.