Few of us would consult with a doctor who did not have some kind of medical certification, give our child a toy that hadn’t passed basic safety standards or install a water heater that had not been certified to meet industry regulations.
Yet every day, companies of all sizes are designing, deploying, and trying to manage thousands of Internet of things (IoT) devices without common standards, regulations, or a consistent approach to IoT security.
Who hasn’t heard of the hackers who stole the details of a casino’s high-roller database through a poorly protected thermometer in the lobby’s fish tank? Or researchers who discovered a way to access a robot-connected vacuum cleaner and spy on the homeowner through its onboard camera and microphone?
IoT devices—from intelligent edge gateways to ultra-constrained sensors—are permeating every aspect of our lives and transforming entire industries. IoT security has to be uniformly and effectively addressed to build trust, and with trust the IoT can scale and deliver value to new and emerging services across multiple markets.
Internet of Things security is a growing challenge
As the challenges of IoT security grow and IoT security trends become more complex, everything from cars to baby monitors to pacemakers to lightbulbs are at risk of being compromised, exposing confidential or private data or surrendering control of a wider system as the new weapon of choice in malicious attacks. At worst, whole swathes of IoT devices could be compromised to form a giant botnet capable of taking down high-profile targets.
So how do manufacturers and businesses know how to protect their IoT deployments, and what are they protecting them from?
Today, very few IoT devices are subjected to any security testing, let alone the kind of independent testing that can instil the same level of trust and peace of mind that we get when we visit a licensed medical professional or buy a baby’s toy.
In the Arm 2018 Security Manifesto, Yossi Naar, chief visionary officer and co-founder of cyber security company Cybereason, explained that “in too many cases security features are considered toward the end of the design process when making a product more secure can mean reducing or eliminating features, or even delaying a product release – outcomes that can hurt sales. It’s a situation that can end without any winners, with devices released that are inherently insecure.”
The reasons for this are clear: developers often lack security expertise and access to simple, consistent frameworks that enable them to build on the security capabilities of devices. Combined, these kinds of challenges are reinforcing a lack of trust and slowing uptake in the Internet of Things.
Certification helps build trust
The good news is that many industry organizations and consortia are beginning to promote IoT standards, and regulators are waking up to the need for strident IoT security. However, there’s still too much fragmentation; in a landscape of immature and fragmented markets with diverse requirements and massive data challenges, there remains a huge need for a consistent and inclusive approach.
In short, only industry-wide certification can help to build trust in devices and create value in existing and emerging use cases.
Consider that the vision for IoT is the deployment of massive numbers of connected devices, all generating a huge volume of data. For businesses, that data is then processed locally, at the edge or in the cloud, to generate business insights and drive productivity gains.
However, the validity of those business insights is predicated on those devices and their data being trusted. This trust can only be established by having the right level of security for the given use case. And only independent security certification can establish the trust necessary for IoT to deliver business value.
Multi-level assurance and robustness
In working closely with our partners to help mitigate these risks and challenges, we recognised that if the reality of a trillion connected devices is to be met, we needed to develop a trusted framework for IoT security that the industry can follow to build-in consistent security from the ground up. The result was the Platform Security Architecture, or PSA – an architecture-agnostic framework that many manufacturers are already using to implement the right level of security for their IoT projects.
PSA has four key elements: analysis, architect, implement and certify. Arm has freely published the specifications, threat models, and reference firmware related to PSA, and PSA has received wide industry support as a cost-effective and consistent security initiative.
To complement PSA, in February 2019 PSA Certified was launched. PSA Certified is an independent certification scheme that enables silicon vendors, OS vendors, and OEMs, to build trust in devices and the services that rely on them.
PSA Certified was developed in partnership with leading test laboratories and security consultants to ensure independence and the broadest market enablement. These labs include Brightsight, CAICT, Riscure and UL, and external security consultants Prove and Run.
Through the close collaboration of industry experts, all with the common goal of raising the security bar, PSA Certified has been designed as a multi-level assurance and robustness scheme. Several leading silicon vendors are already PSA Certified at Level 1. A multi-level scheme is important because clearly a one-size fits all approach to IoT security doesn’t meet the breadth of business or IoT use case needs.
Scale IoT with PSA Certified
The multi-level nature of PSA Certified allows companies to determine and then independently verify the right level of security for their use case. Once the right level of assurance and robustness is reached, trusted service deployment at scale can be achieved.
If the reality of a trillion connected devices is to be met, many of which will spend years in the field, we must build trust into those devices through simple, independent multi-level IoT security certification and consistent developer APIs. Only then can consumers rest easy that they made the right choice, and businesses realize the full potential of IoT.