Arm and Leading Test Laboratories Unveil Independent Security Certification for IoT Devices

February 25, 2019

News Highlights

  • Arm and leading security testing labs collaborate to provide independent evaluation of Platform Security Architecture (PSA) implementations in IoT devices
  • Arm, Brightsight, CAICT, Prove&Run, Riscure and UL establish PSA Certified™ to build trust in connected devices and grow IoT deployment

To support widespread deployment of secure IoT solutions based on the Platform Security Architecture (PSA) framework, Arm and its independent security testing lab partners Brightsight, CAICT, Riscure and UL, along with consultants Prove&Run, today announced PSA Certified™. Through independent security testing, PSA Certified enables IoT solution developers and device makers to establish the security and authenticity of the data collected from a diverse world of IoT devices.

“PSA gave the industry a framework for standardizing the design of secure IoT devices, and PSA Certified brings together the leading global independent security testing labs to evaluate the implementation of these principles,” said Paul Williamson, vice president and general manager, Emerging Businesses Group, Arm. “This will enable trust in individual devices, in their data, and in the deployment of these devices at scale in IoT services, as we drive towards a world of a trillion connected devices.”

PSA Certified provides a simple and comprehensive approach to security testing. It comprises two elements: a multi-level security robustness scheme and a developer-focused API test suite. The security testing is based on third-party lab-based evaluation that builds trust through independent checking of the generic parts of an IoT platform including: PSA Root of Trust (the Root of Trust is the source of integrity and confidentiality), the real-time operating system (RTOS) and the device itself.

Validating the foundational security of IoT devices
PSA Certified enables device makers to get the security required for their use case through three progressive levels of security assurance which are assigned by analyzing the use case threat vectors. For example, a temperature sensor in a field may require different security robustness (level 1) than a sensor in a home environment (level 2) or in an industrial plant (level 3). Following the testing, all PSA Certified devices will have electronically signed report cards (attestation tokens) for determining which level of security has been achieved, allowing businesses and cloud service providers to make risk-based decisions.

More security value for developers
As part of the program, the PSA Functional API Certification enables standardized access to essential security services, making it easier to build secure applications. Free test suites have been published for chip vendors, RTOS providers and device makers to test their PSA APIs and harness the hardware security of the latest silicon platforms.

PSA Certified is already gaining traction with leading silicon and IoT platform providers. Cypress, Express Logic, Microchip, Nordic Semiconductor, Nuvoton, NXP, STMicroelectronics and Silicon Labs have all achieved Level 1 certification. Nuvoton and OS provider ZAYA have achieved both PSA Certified Level 1 and PSA Functional API Certification, and Arm® Mbed™ OS will provide out-of-the-box compliance with PSA Certified Level 1 and PSA Functional API Certification in its upcoming March 5.12 release.

PSA: A comprehensive framework for IoT device security
PSA Certified is the next step in the Platform Security Architecture (PSA) journey, bringing a tangible measure of device security to the IoT. PSA is a four-stage framework that guides IoT designers through the journey of creating a secure connected device. It goes beyond instructions and principles, with a comprehensive set of downloads, including Threat Models and Security Analyses documentation, hardware and firmware architecture specifications, open source Trusted Firmware (TF-M) and API test kits.

To find out more about PSA Certified and the multiple independent test labs available, please visit: www.psacertified.org

Supplemental Quote Sheet:

Brightsight 
Dirk-Jan Out, CEO, Brightsight said: “Brightsight is pleased to support PSA Certified, which will improve the security of IoT devices and build a higher level of trust in the value chain – this trust is critical for the IoT to succeed. The multi-level approach of the scheme is designed to help the customers get the exact level of security they need, appropriate to the specific use case and threat model.” 

CAICT 
Vicky Guo, CAICT, said: “We should expect that anything connected to the internet could be hacked eventually, and to implement security in a trusted manner, independent testing is crucial. CAICT is committed to working closely with partners such as Arm to build a secure IoT ecosystem, and PSA Certified is an important step towards that, enabling customers to achieve the security they need for their specific use case.” 

Prove&Run 
Dominique Bolignano, President & Founder, Prove&Run said: “PSA Certified is essential to enabling cybersecurity and security services companies to develop and provide the right security offerings in the IoT sphere. We are very proud to be part of this initiative, working to collect critical input from other lead partners and the wider ecosystem, and contributing to writing the security scheme documents that will be released as part of the program.”

Riscure  
Marc Witteman, CEO, Riscure said: “The security of IoT requires proper architecture, implementation and verification, and Riscure is dedicated to supporting customers in their efforts to implement this structural security mindset. We believe that the multilevel PSA Certified program enables IoT vendors and their customers to address ever-growing privacy and security concerns, building further trust in connected devices.” 

UL 
Arman Aygen, Head of Strategy and Innovation at UL Identity Management & Security said: “With our world being increasingly connected, innovation should not compromise cybersecurity: it should never be something you factor in as an afterthought and needs to be managed throughout the supply chain. PSA Certified offers a non-prescriptive and voluntary framework to demonstrate the security and value of interconnected solutions.”

Alex Harrod

Senior PR Manager, US and EMEA, Arm
Alexandra.Harrod@arm.com
+44 7795 363057

About Arm
Arm technology is at the heart of a computing and connectivity revolution that is transforming the way people live and businesses operate. Our advanced, energy-efficient processor designs have enabled intelligent computing in more than 130 billion chips. More than 70% of the world’s population are using Arm technology, which is securely powering products from the sensor to the smartphone to the supercomputer. This technology combined with our IoT software and end-to-end connectivity, device and data management platform enables customers to derive real business value from their connected devices and data. Together with our 1,000+ technology partners we are at the forefront of designing, securing and managing all areas of compute from the chip to the cloud.

All information is provided "as is" and without warranty or representation. This document may be shared freely, attributed and unmodified. Arm is a registered trademark of Arm Limited (or its subsidiaries). All brands or product names are the property of their respective holders. © 1995-2018 Arm Group.

About Brightsight

Brightsight is the number one security lab in the world and has over 35 years of experience in evaluating IT products against a variety of security requirements. We aim to be your preferred business and advisory partner when you need certification to enter a market with your hardware and/or software products. We offer security evaluations to developers and manufacturers of security products and applications, such as smart cards, ICs, HSMs, System on Chips, Payment terminals, Mobile Payment solutions, IoT solutions, Automotive solutions and Biometric solutions.

We can open up the global market for you by providing fast evaluations and certification. The results of our evaluations are recognized by major international organisations such as EMVCo, Arm PSA Certified, SESIP, Common Criteria, Mastercard, PCI, Visa and American Express, as well as several nation-specific certification schemes. In addition to security evaluations, we offer you customised training courses to equip you with the knowledge and skills necessary to take on future challenges in your business. Brightsight is located in Delft, the Netherlands (HQ), Barcelona, Spain and Beijing, China.

About CAICT

China Academy of Information and Communications Technology (“CAICT”), provides strong support for the industry’s major strategies, plans, policies, standards, testing and certification, thus proving itself an important facilitator in the leapfrog development and innovation of China’s information and communications industry. The official website is http://www.caict.ac.cn/english/.

About Prove & Run

Prove & Run’s mission is to help its customers resolve the security challenges linked to the large-scale deployment of connected devices and of the Internet of Things by providing security consulting services and cost effective off-the-shelf software solutions that dramatically improve the level of security of connected systems so as to protect them against remote cyber-attacks. Further information can be found at www.provenrun.com.

About Riscure

Founded in 2001, Riscure is a leading global advisor on the security of connected and IoT devices, as well as a recognized vendor of advanced security tools and security training. Riscure helps customers around the world to build robust hardware and software solutions and to speed up the process of secure development and certification. Riscure serves Semiconductor, Mobile and Electronic Payment, Automotive and Premium Content industries as well as the Government sector. Riscure is headquartered in Delft, The Netherlands with offices in San Francisco, USA, and Shanghai, China. Follow us on Twitter @Riscure and LinkedIn.

About UL

With a focus on today’s realities and tomorrow’s needs, UL provides the trusted and critical security expertise that is required in an interconnected and cashless world. Governments and organizations rely on UL as a trusted partner.

Our security and identity management expertise enables businesses to implement innovations that guarantee regulatory compliance, maintain customer trust and increase market access. As the leading safety and security authority, UL works with governments, industry associations, and businesses to rethink security. Globally, over 10,000 organizations rely on UL. Our marks appear on more than 22 billion products around the world. For more information, please check ims.ul.com.