- Arm and leading security testing labs collaborate to provide independent evaluation of Platform Security Architecture (PSA) implementations in IoT devices
- Arm, Brightsight, CAICT, Prove&Run, Riscure and UL establish PSA Certified™ to build trust in connected devices and grow IoT deployment
Bangalore, February 26, 2019: To support the widespread deployment of secure IoT solutions based on the Platform Security Architecture (PSA) framework, Arm and its independent security testing lab partners Brightsight, CAICT, Riscure and UL, along with consultants Prove&Run, today announced PSA Certified™. Through independent security testing, PSA Certified enables IoT solution developers and device makers to establish the security and authenticity of the data collected from a diverse world of IoT devices.
PSA: A comprehensive framework for IoT device security
PSA Certified is the next step in the Platform Security Architecture (PSA) journey, bringing a tangible measure of device security to the IoT. PSA is a four stage framework that guides IoT designers through the journey of creating a secure connected device. It goes beyond instructions and principles, with a comprehensive set of downloads, including Threat Models and Security Analyses documentation, hardware and firmware architecture specifications, open source Trusted Firmware (TF-M) and API test kits.
PSA Certified provides a simple and comprehensive approach to security testing. It comprises two elements: a multi-level security robustness scheme and a developer focused API test suite. The security testing is based on third-party lab-based evaluation that builds trust through independent checking of the generic parts of an IoT platform including: PSA Root of Trust (the Root of Trust is the source of integrity and confidentiality), the real-time operating system (RTOS) and the device itself.
Validating the foundational security of IoT devices
PSA Certified enables devices makers to get the security required for their use case through three progressive levels of security assurance which are assigned by analyzing the use case threat vectors. For example, a temperature sensor in a field may require different security robustness (level 1) than a sensor in a home environment (level 2) or in an industrial plant (level 3). Following the testing, all PSA Certified devices will have electronically signed report cards (attestation tokens) for determining which level of security has been achieved, allowing businesses and cloud service providers to make risk-based decisions.
More security value for developers
As part of the program, the PSA Functional API Certification enables standardized access to essential security services, making it easier to build secure applications. Free test suites have been published for chip vendors, RTOS providers and device makers to test their PSA APIs and harness the hardware security of the latest silicon platforms.
“PSA gave the industry a framework for standardizing the design of secure IoT devices, and PSA Certified brings together the leading global independent security testing labs to evaluate the implementation of these principles,” said Paul Williamson, vice president and general manager, Emerging Businesses Group, Arm. “This will enable trust in individual devices, in their data, and in the deployment of these devices at scale in IoT services, as we drive towards a world of a trillion connected devices.”
PSA Certified is already gaining traction with leading silicon and IoT platform providers. Cypress, Express Logic, Microchip, Nordic Semiconductor, Nuvoton, NXP, STMicroelectronics and Silicon Labs have all achieved Level 1 certification. Nuvoton and OS provider ZAYA have achieved both PSA Certified Level 1 and PSA Functional API Certification, and Arm® Mbed™ OS will provide out of the box compliance with PSA Certified Level 1 and PSA Functional API Certification in its upcoming March 5.12 release.
To find out more about PSA Certified and the multiple independent test labs available, please visit: www.psacertified.org
Supplemental Quote Sheet:
Brightsight
Dirk-Jan Out, CEO, Brightsight said: “Brightsight is pleased to support PSA Certified, which will improve the security of IoT devices and build a higher level of trust in the value chain – this trust is critical for the IoT to succeed. The multi-level approach of the scheme is designed to help the customers get the exact level of security they need, appropriate to the specific use case and threat model.”
CAICT
Vicky Guo, CAICT, said: “We should expect that anything connected to the internet could be hacked eventually, and to implement security in a trusted manner, independent testing is crucial. CAICT is committed to working closely with partners such as Arm to build a secure IoT ecosystem, and PSA Certified is an important step towards that, enabling customers to achieve the security they need for their specific use case.”
Prove&Run
Dominique Bolignano, President & Founder, Prove&Run said: “PSA Certified is essential to enabling cybersecurity and security services companies to develop and provide the right security offerings in the IoT sphere. We are very proud to be part of this initiative, working to collect critical input from other lead partners and the wider ecosystem, and contributing to writing the security scheme documents that will be released as part of the program.”
Riscure
Marc Witteman, CEO, Riscure said: “The security of IoT requires proper architecture, implementation and verification, and Riscure is dedicated to supporting customers in their efforts to implement this structural security mindset. We believe that the multilevel PSA Certified program enables IoT vendors and their customers to address ever-growing privacy and security concerns, building further trust in connected devices.”
UL
Arman Aygen, Head of Strategy and Innovation at UL Identity Management & Security said: ‘‘With our world being increasingly connected, innovation should not compromise cybersecurity: it should never be something you factor in as an afterthought and needs to be managed throughout the supply chain. PSA Certified offers a non-prescriptive and voluntary framework to demonstrate the security and value of interconnected solutions.”