Arm leads fight to tighten IoT device security
Cambridge superchip architect Arm has created a new protocol to spearhead a global fight to make IoT technology watertight against security risks.
Its game-changing independent security testing, PSA Certified – launched today – enables IoT solution developers and device makers to establish the security and authenticity of the data collected from a diverse world of IoT devices.
The technology supports widespread deployment of secure IoT solutions based on the Platform Security Architecture (PSA) framework. In the front line of the battle are Arm and its independent security testing lab partners Brightsight, CAICT, Riscure and UL, along with consultants Prove&Run.
Paul Williamson, vice-president and general manager of Arm’s Emerging Businesses Group, says: “PSA gave the industry a framework for standardising the design of secure IoT devices and PSA Certified brings together the leading global independent security testing labs to evaluate the implementation of these principles.
“This will enable trust in individual devices, in their data, and in the deployment of these devices at scale in IoT services as we drive towards a world of a trillion connected devices.”
PSA Certified provides a simple and comprehensive approach to security testing. It comprises two elements: a multi-level security robustness scheme and a developer focused API test suite.
The security testing is based on third-party lab-based evaluation that builds trust through independent checking of the generic parts of an IoT platform including: PSA Root of Trust (the Root of Trust is the source of integrity and confidentiality), the real-time operating system (RTOS) and the device itself.
PSA Certified enables devices makers to get the security required for their use case through three progressive levels of security assurance which are assigned by analysing the use case threat vectors.
For example, a temperature sensor in a field may require different security robustness (level 1) than a sensor in a home environment (level 2) or in an industrial plant (level 3).
Following the testing, all PSA Certified devices will have electronically signed report cards (attestation tokens) for determining which level of security has been achieved, allowing businesses and cloud service providers to make risk-based decisions.
As part of the programme, the PSA Functional API Certification enables standardised access to essential security services, making it easier to build secure applications. Free test suites have been published for chip vendors, RTOS providers and device makers to test their PSA APIs and harness the hardware security of the latest silicon platforms.
PSA Certified is already gaining traction with leading silicon and IoT platform providers. Cypress, Microchip, Nordic Semiconductor, Nuvoton, NXP, STMicroelectronics and Silicon Labs have all achieved Level 1 certification.
OS provider ZAYA has achieved PSA Certified Level 1 alongside PSA Functional API Certification, Express Logic X-Ware IoT Platform has also been PSA Certified Level 1, and Arm® Mbed™ OS will provide out of the box compliance with PSA Certified Level 1 and PSA Functional API Certification in its upcoming March 5.12 release.
Williamson said: “2018 saw the topic of security continue to hit the headlines, showing the unrelenting damage both hardware and software security vulnerabilities are having on businesses and consumers alike.
“IoT security challenges are a constant presence and if we are to instil confidence in IoT devices, the industry has a shared responsibility to rectify this – security cannot be optional.
“Last October, Arm’s CEO Simon Segars shared our second security manifesto stating that security is never ‘solved,’ the threat landscape is ever-changing and we must remain vigilant.
“When we launched Arm’s Platform Security Architecture in 2017 we defined a framework to bring best practice approaches to security and since then a huge amount of work has been done to continue to equip the ecosystem to offer consistent secure foundations for devices – for example, this time last year, we launched the first set of PSA Threat Models and Security Analyses documentation.
“Now it’s time to combat the current lack of security validation of IoT devices and we’re doing this by partnering with renowned test lab partners Brightsight, CAICT, Riscure and UL, and security experts Prove&Run, to create PSA Certified.
“This programme is a natural step in the evolution of PSA as trusted, independent security testing is critical to enabling the development and deployment of these devices at scale.
“PSA Certified is applicable to the vast majority of the IoT device market volume today. It is based on openly published threat models, specs and open source reference code, allowing for older MCUs, as well as newer processor architecture, processors, to be tested.”
Level 3 of PSA Certified is currently under development and will support more extensive attacks such as side channel and physical tamper and Arm will bring it to market in the near future.