After the highly publicized Mirai botnet attack in 2016, it became clear that a lot of IoT vendors pay little attention to security. To deal with this oversight, Arm is launching certification testing for the ecosystem of Arm-based devices using its Platform Security Architecture. The aim is to enhance consumer trust by making IoT devices more secure and continue advancing toward the goal of a trillion connected devices.
Arm is partnering with test labs Brightsight, CAICT, Riscure, and UL, along with consultants Prove&Run, to implement PSA Certified. The program will offer independent security testing so that IoT developers and device makers can establish the security and authenticity of the data collected from a diverse world of IoT devices. Arm’s customers have shipped more than 130 billion chips to date, and 70 percent of the world’s population uses Arm devices, the company said.
“With a trillion connected devices, we will need to build trust and implement the right security,” said Chet Babla, vice president of engineering at Arm, in a press briefing. “This is available now for silicon vendors, operating system vendors, and original equipment manufacturers (OEMs). Several are already certified at level one now. Trust is going to be essential for digital information.”
He said PSA Certified provides a simple and comprehensive approach to security testing. It comprises two elements: a multi-level security robustness scheme and a developer-focused API test suite. The security testing is based on a third-party lab-based evaluation of the generic parts of an IoT platform. These include PSA Root of Trust (the Root of Trust is the source of integrity and confidentiality), the real-time operating system (RTOS), and the device itself.
Validating IoT devices
PSA Certified enables devices makers to get the security required for their particular use case by offering three progressive levels of security assurance — assigned by analyzing the use case threat vectors.
For example, a temperature sensor in a field may require different security robustness (level 1) than a sensor in a home environment (level 2) or in an industrial plant (level 3). Following testing, all PSA Certified devices will get electronically signed report cards (attestation tokens) to show which level of security has been achieved, allowing businesses and cloud service providers to make risk-based decisions.
More security value for developers
As part of the program, the PSA Functional API Certification enables standardized access to essential security services, making it easier to build secure applications. Free test suites have been published for chip vendors, real-time OS (RTOS) providers, and device makers to test their PSA APIs and harness the hardware security of the latest silicon platforms.
PSA Certified is already gaining traction with leading silicon and IoT platform providers. Cypress, Express Logic, Microchip, Nordic Semiconductor, Nuvoton, NXP, STMicroelectronics, and Silicon Labs have all achieved Level 1 certification. Nuvoton and OS provider ZAYA have achieved both PSA Certified Level 1 and PSA Functional API Certification, and Arm MbedTM OS will provide out of the box compliance with PSA Certified Level 1 and PSA Functional API Certification in its upcoming March 5.12 release.
Arm said that PSA Certified is the next step in the Platform Security Architecture (PSA) journey, a four-stage framework that guides IoT designers through the steps to creating a secure connected device. It goes beyond instructions and principles, with a comprehensive set of downloads, including threat models and security analyses documentation, hardware and firmware architecture specifications, open source Trusted Firmware (TF-M), and API test kits.
“Brightsight is pleased to support PSA Certified, which will improve the security of IoT devices and build a higher level of trust in the value chain,” said Brightsight CEO Dirk-Jan Out in a statement. “This trust is critical for the IoT to succeed. The multi-level approach of the scheme is designed to help the customers get the exact level of security they need, appropriate to the specific use case and threat model.”