We know the opportunity of a world of intelligent, connected devices lies before us: an estimated 55 billion of them will be influencing most of the world’s population each day in just three years. But we also know that as interest grows, cybercriminals lie in wait, looking for vulnerable devices and networks to pry into and wreak havoc.
Will we realize the true potential of the Internet of Things (IoT) if we don’t embrace a security-first culture?
That was one of the questions we set out to answer with our second PSA Certified Security Report. When Arm initially spearheaded the PSA Certified framework, we wanted to supplement our existing security investments across architecture, software, and hardware technologies, programs, and initiatives.
We set out with the mission to provide standardized security resources, ensuring that security is no longer a barrier to product development for our partners and IoT developers worldwide. The worldwide program, made up of security-leading companies (Applus+ Laboratories, Arm, CAICT, ECSEC Laboratory, ProvenRun, Riscure, SGS Brightsight, TrustCB, and UL), made the promise not only to smooth the process of certifying secure systems and devices but also to monitor and understand the latest trends, hopes and concerns around security in the industry.
The turning point for IoT security
What you’ll find in the PSA Certified Security Report 2022 is a combination of astonishing progress by the industry in recent years around security best practices, coupled with some challenges that, while concerning, are solvable.
The good news? Nearly all respondents (90 percent) have seen an increased interest in and focus on security, both professionally inside their organizations and as consumers. Security used to be a nice-to-have on the long list of design objectives; today, it is at the top of the to-do list, with nearly 9 out of 10 putting security in their top three priorities. The mantra of “security first” is indeed spreading like wildfire, with 42 percent ranking building a ‘security-first culture’ as their top organizational priority. It’s more apparent than ever that companies are seeing increasing value in marketing and selling security as part of their systems and solutions.
Although the expectations around security are growing, there are barriers to overcome. For example, most organizations say they struggle to find security expertise, a problem that is widespread. The World Economic Forum estimates a gap of more than 3 million security experts worldwide. Despite this, we’ve found that most organizations today don’t conduct external lab testing for security on their devices, citing the cost.
Barriers remain, yet solutions are within reach
The solutions, however, are within reach. Today, our vision of providing a security framework is a reality. Daily, it reduces the investment needed in security, which can free up financial resources; this is especially important for smaller businesses with fewer resources on hand. It’s also moved far beyond just an “Arm vision”: today the program is backed not only by over 55 Arm-based partners with PSA Certified products, but also by governments, standards bodies, cloud vendors and insurance vendors.
The framework also includes:
- Free threat modelling examples and specifications to bridge the security knowledge gap
- The certification program, which maps to government standards and legislation to help overcome fragmentation challenges
- Security best practice provides a path to certification and answers the needs of the whole value chain, including original equipment manufacturers (OEMs), purchasers, and consumers
- Independent testing of chips, software, and devices. This is an essential step to moving the industry beyond “marking our own homework,” which will reduce the number of insecure devices.
The combination of best practices and access to leading security-certification organizations and protocols, I think, has gone a long way toward helping instill a security-first mindset in the technology industry. We’re not finished, but the path ahead to making those 55 billion devices secure – and building a security-first design culture – is clear.