
PSA Certified

From Wikipedia, the free encyclopedia

This is an old revision of this page, as edited by RichardDigital47 (talk | contribs) at 21:33, 27 April 2020 (Created page with '{{subst:submitdraft}} '''PSA Certified''' is a security certification scheme for Internet of Things (IoT) hardware, software and devices. It was created by...'). The present address (URL) is a permanent link to this revision, which may differ significantly from the current revision.


PSA Certified is a security certification scheme for Internet of Things (IoT) hardware, software and devices. It was created by seven stakeholder companies as part of a global partnership: Arm Holdings, Brightsight, CAICT, Prove & Run, Riscure, TrustCB and UL.

Arm Holdings first brought forward the Platform Security Architecture (PSA) specifications in 2017 to outline common standards for IoT security,[1] with the PSA Certified assurance scheme launching two years later, in 2019.

Foundation

In 2017, Arm Holdings gathered industry best practices into a common standard for IoT security - the Platform Security Architecture (PSA) - to enable trust to be built into Internet of Things devices and services.[2][3] PSA has since evolved to become PSA Certified, a four-stage framework which aims to guide IoT designers through best practices when considering security.[4][5] In March 2018, the first IoT threat models and PSA documents were published as free downloads.[6]

The certification portion of PSA Certified launched at Embedded World in 2019,[7] where Level 1 Certification was presented to chip vendors. It received support from NXP Semiconductors, STMicroelectronics, Cypress Semiconductor, Microchip Technology and Nuvoton. A draft of Level 2 protection was presented at the same time.[8]

Six of the seven founding stakeholders created the PSA Certified specifications, which now make up the PSA Joint Stakeholders Agreement (JSA). The stakeholders are Arm Holdings, Brightsight, CAICT, Prove & Run, Riscure and UL. TrustCB became the seventh PSA Certified JSA member, acting as an independent Certification Body for the scheme.[9] Of the six other founding members, four are security test laboratories: Brightsight, CAICT, Riscure and UL. They provide worldwide coverage for chip vendors, software platforms and IoT device manufacturers, so that products can be security assessed against the PSA certification guidelines. Specifications and accompanying documents are published on the PSA Certified website, all of which are free of charge to access, or donated to other standards-defining organisations.

The first PSA Certified Level 2 certificates were issued to chip vendors in February 2020.[10] By this stage, a number of companies such as Cypress Semiconductor Corporation[11] and STMicroelectronics.[12]

Certification

The PSA Joint Stakeholders Agreement outlines how members can create a worldwide standard for IoT security that gives the electronics industry an easy-to-understand security scheme. The security certification scheme documents enable a security-by-design approach to a diverse set of IoT products. The scheme starts with a security assessment of the chip and its Root of Trust (RoT) and then builds outwards to the system software and device application code. PSA Certified specifications are implementation and architecture agnostic, so they can be applied to any chip, software or device.[13][14]

PSA Certified aims to remove industry fragmentation for IoT product manufacturers and developers in a number of ways. The world’s leading IoT chip vendors are delivering system-on-chips built with a PSA Root of Trust (PSA-RoT), providing a new, widely available security component with built-in security functions that software platforms and original equipment manufacturers (OEMs) can make use of.[15] A high-level set of APIs is provided to the PSA-RoT, abstracting the complex trusted hardware and firmware used by different chip vendors. Free API Test Suites are available to test this software API compliance in order to achieve PSA Functional API Certification.[16][17]

Security

As part of the third stage of PSA Certified, threat models and security analysis documents are provided for a set of IoT devices.[18] These English-language Protection Profiles differ from the threat models, and derive security requirements that are generalised by the PSA Certified 10 Security Goals.[19][20]

References

  1. ^ Dent, Steve (October 23, 2017). "Google and others back Internet of Things security push". Engadget.
  2. ^ McGregor, Jim (October 30, 2017). "Not All Electronic Device Are Secure, But ARM's PSA May Change That". Forbes.
  3. ^ Takahashi, Dean. "Arm unveils security certification testing for IoT devices". VentureBeat.
  4. ^ Khan, Jeremy (October 23, 2017). "SoftBank's ARM Makes Bid to Standardize IoT Security Industry". Bloomberg.
  5. ^ Condon, Stephanie (February 25, 2019). "Arm partners with testing labs to provide IOT security certification". ZDNet.
  6. ^ "Arm launches first set of Threat Models for PSA: IoT Security should start with analysis". Arm Holdings. February 23, 2018.
  7. ^ Hayes, Caroline (February 25, 2019). "Embedded World: Arm introduces fourth security element to PSA". Electronics Weekly.
  8. ^ "PSA Certified–building trust, building value". EE Times. March 4, 2019.
  9. ^ "PSA Certified background". TrustCB.
  10. ^ "The $6trn importance of security standards and regulation in the IoT era". IoT Now. March 16, 2020.
  11. ^ "Cypress Accelerates Secure IoT Designs with Support for Platform Security Architecture Trusted Firmware-M from Arm". BusinessInsider.
  12. ^ "STMicroelectronics' STM32H7 Series MCU Leverages the New Platform Security Architecture from Arm to Boost Protection for Connected, Smart Devices". STMicroelectronics.
  13. ^ McGregor, Jim (March 4, 2019). "Arm Introduces Security Certification Testing For IoT". Forbes.
  14. ^ "Resources". PSA Certified.
  15. ^ Speed, Richard (February 26, 2019). "Azure IoT heads spacewards to maintain connectivity at the edge, courtesy of Inmarsat". TheRegister.
  16. ^ "PSA Functional API Certification". PSA Certified.
  17. ^ "PSA Functional APIs Architecture Test Suite". GitHub.
  18. ^ "The framework for securing a trillion devices". Arm Holdings.
  19. ^ "What are the PSA Certified 10 Security Goals". PSA Certified. February 20, 2020.
  20. ^ Hayes, Caroline. "Embedded World: Arm introduces fourth security element to PSA". Electronics Weekly.