Hardware Security
For more details on how Winbond can help secure your supply chain and simplify compliance, visit Winbond's website, contact Winbond directly, or download the latest Hardware Security White Paper.

IN THE NEWS
Tuesday 3 June 2025
Eurosmart PP0117 protection profile: Response to the integrated security functions in SoC & MCU
Introduction

With the increasing use of mobile devices, malware targeting smartphones and tablets has become more prevalent. Banking Trojans, in particular, are designed to steal banking credentials and financial information from mobile users.

The modern trend in the integrated circuits industry is the System on a Chip (SoC) and the Microcontroller (MCU), which integrate different discrete solutions, including security functions, in a single IC. In particular, the Secure Element / Hardware Security Module (HSM) / UICC can be integrated into the SoC. The main motivations for this integration are reduced system cost, enhanced performance, and added-value functionality.

The integrated security function in the SoC needs to meet the same security level as the discrete part. To address the security of integrated solutions and provide the industry with a unified set of security requirements that can be fulfilled, evaluated and assessed clearly, PP-0117, the Secure Sub-System in System-on-Chip (3S in SoC) Protection Profile, was developed.

Background

Cybersecurity statistics indicate that there are 2,200 cyber-attacks per day, with a cyber-attack happening every 39 seconds on average. In the US, a data breach costs an average of $9.44M, and cybercrime is predicted to cost $8 trillion by 2023.

ENISA[1], in its "ENISA Threats Landscape 2022 Report", showed in several aspects that the segments affected the most were the Public Administration and Finance sectors:

Figure 1: ENISA: Reputational impact by sector

This figure points to the potential for negative publicity or an adverse public perception of the affected sector. In the following diagram, it can clearly be seen that the Public Administration and Finance sectors suffered more seriously from damaged or unavailable systems, corrupted data files, or exfiltration of data compared to the other sectors:

Figure 2: ENISA: Digital impact by sector

The Secure Element is a technical solution for digital payments via credit cards and mobile devices, as well as for identification and biometric purposes, such as passports and personal IDs. Since this device secures critical data, governmental bodies and private entities, such as credit card organizations and EMVCo[2], mandate that it be certified to Common Criteria EAL 5+ using PP0084, the Security IC Platform Protection Profile with Augmentation Packages (Eurosmart, 2014)[3]. To date, more than 250 product certifications have been completed claiming conformance to this PP.

With the integration of the Secure Element in the SoC, new challenges and threats are raised on top of the existing ones for a secure device with high resistance to physical and logical attacks:

• Preventing an insecure state of the product caused by disturbing the boot process, which would enable manipulation of the product by hostile software or malicious code.
• Preventing content abuse of the data and code stored in the external non-volatile or volatile memory that is part of the SoC architecture, by an attacker who accesses the external memory to disclose or modify the content used by the secure component, thereby compromising the confidentiality and/or integrity of the content the secure component is meant to protect.
• Preventing cloning of the content stored in the external memory, or physical replacement of the external memory holding the data and code.
• Preventing replay of commands (write, erase) or of responses to read commands between the security component and the external memory, which would affect the freshness of the content read from or written to the external memory.
• Preventing unauthorized rollback of content.
• Preventing the attempt to read the content of the external memory, record it, and later write it back to the external memory after the original content was updated by the security component.
• For SoC architectures that use Secure Memory, the interface between the secure memory and the secure component should be protected from being blocked or intercepted by an attacker eavesdropping on the interconnection bus (e.g., by a man-in-the-middle attack) to disclose the user data and/or code being written to or read from the secure external memory before security services are executed or finalized by the secure external memory.

SoCs with integrated security functions appeared on the market, and their security evaluation was done as a mixture of PP0084, or part of it, with extended requirements reflecting the newly innovated device. There was no unified requirement. The challenge was to define all aspects of using and protecting the security functions when they are integrated into the SoC.

The method

Eurosmart took up the challenge and established a technical working group under its ITSC domain. The subgroup includes Eurosmart members from industry: semiconductor companies, software companies, ITSEFs involved in evaluating security devices, certification bodies, and consultants in this field. The national certification bodies were invited to the working group even though they are not Eurosmart members.

In addition, liaisons were established with stakeholders who reference, are interested in, or use this Protection Profile:

A. Peer working groups: JHAS and ISCI-WG1.
B. Organizations that reference the PP: FIDO, GlobalPlatform, GSMA.
C. ENISA, for alignment with CSA-EUCC, which will be the scheme for this PP once the act is implemented.

The result

PP0117, the Secure Sub-System in System-on-Chip (3S in SoC) Protection Profile, includes the following.

The TOE (Target of Evaluation) is "a Secure Sub-System (3S) implemented as a functional block of a System on Chip (SoC). The TOE implements a processing unit, security components, I/O ports and memories to provide a range of security functionalities covering a defined set of security objectives. The TOE provides its security features and security services isolated from the remaining SoC components, based on physical and/or logical isolation mechanisms. The TOE may rely on external memories to store content (data, code or both)."

Figure 3: The Target of Evaluation (TOE)

The TOE can be delivered as a hard macro and/or a programmable macro (PL macro), as defined in the team objectives. In addition, the usage of external memory in the different stages of the life cycle must be considered as well.

The team strove to develop as generic a life cycle as possible and to highlight the new aspects of this architecture. It was clear that the new life cycle required elaboration. In cooperation with ISCI-WG1, a supplementary guidance document, "Life-Cycle Model (LCM) Related Evaluation Aspects", was developed with more explanations of the aspects that need to be fulfilled and assessed in the different phases of the life cycle.

Figure 4: TOE Life Cycle

The Protection Profile was structured with a base package of minimum requirements for any Secure Sub-System in a SoC, plus optional packages to address additional industry-specific needs arising from the architecture:

• External Memory packages (Passive and Secure, volatile and non-volatile memory): the restrictions related to the security of the data and code stored in the external memory.
• Loader Package: the restrictions on the loading functionality of the TOE Software or Composite Software from external memory.
• Crypto Package: a framework for the integration of the various cryptographic algorithms supported by the TOE. To keep the PP generic, this package, contrary to PP0084, does not define specific algorithms to implement but gives general instructions on the usage of recognized cryptographic algorithms.
• Composite Software Isolation Package: the isolation features that enable separation between different software packages, which may be delivered by different developers.

Figure 5: PP Packages structure

The Security Problem Definition (SPD), which includes the assets to be protected, the threats, policies, and assumptions, was developed in collaboration with the JHAS group. In the Security Objectives section, dedicated objectives were defined for the new TOE forms (hard macro / PL macro).

The base package of the Security Functional Requirements (SFRs) includes the PP0084 SFRs, but to fulfil the TOE's need to be a Root of Trust, additional requirements for unique identification were included.

The integration of the security sub-system in a non-secure SoC leads to the need to define the TOE in such a way that it provides its services isolated from the other SoC components, based on physical and/or logical isolation mechanisms. Enabling the integration of certified sub-systems in a non-secure system required new practices from the developer, to be assessed by the ITSEF: the developer should specify under which conditions the integration is to be done, and the ITSEF should verify that those instructions were followed and that no compromise of security was observed during the process. Dedicated refinements related to the integration were added to the Security Assurance Requirements (SARs) for the ITSEF to verify that the process was defined and carried out without compromises.

The evaluation was done by SGS under the supervision of BSI.

Summary

PP0117 represents a significant advancement in cybersecurity certification for integrated systems. By providing a unified, flexible framework, it bridges the gap between traditional discrete certifications and modern integrated solutions, ensuring robust protection for sensitive data in an increasingly interconnected world.

Winbond supports PP0117 by offering the W75F Secure Memory, which fulfils the Secure External Memory package. With Winbond's EAL 5+ certified secure Flash, PP0117 can be claimed in composition with the Winbond device, offering a trusted external memory solution within SoC architectures. For more information, please visit the Winbond website or download the latest Hardware Security White Paper.

[1] ENISA - European Union Agency for Cybersecurity, https://www.enisa.europa.eu/
[2] EMVCo - https://www.emvco.com/about-us/overview-of-emvco/
[3] Security IC Platform Protection Profile with Augmentation Packages: https://www.commoncriteriaportal.org/files/ppfiles/pp0084b_pdf.pdf
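As an added illustration of the replay, rollback and bus-interception threats listed in the article (example code written for this page, not part of PP0117 and not Eurosmart or Winbond code), the following Python model shows one way a secure component and a secure external memory can bind every transaction to a monotonic counter and an HMAC, and how the component can keep a digest of its last write in its own internal storage to detect rolled-back or cloned content. The shared key, the command layout, the page numbering and the `SecureMemory`/`SecureComponent` classes are all constructed for the demo; a real design would use a hardware monotonic counter, a session key established during pairing, and encryption of the payload for confidentiality, none of which this model includes.

```python
import hashlib
import hmac

# Constructed session key; a real design derives it during pairing of the
# secure sub-system with the secure external memory.
KEY = b"constructed-shared-session-key"


def tag(key, counter, op, page, data):
    """HMAC-SHA256 over the whole transaction, binding data to its counter."""
    msg = counter.to_bytes(4, "big") + op + page.to_bytes(2, "big") + data
    return hmac.new(key, msg, hashlib.sha256).digest()


class SecureMemory:
    """Secure external memory: authenticates and freshness-checks every command."""

    def __init__(self, key):
        self.key = key
        self.pages = {}
        self.counter = 0                  # last accepted transaction counter (monotonic)

    def _reply(self, counter, status, page, data):
        return (counter, status, page, data, tag(self.key, counter, status, page, data))

    def handle(self, cmd):
        counter, op, page, data, t = cmd
        if not hmac.compare_digest(t, tag(self.key, counter, op, page, data)):
            return self._reply(counter, b"ERR_AUTH", page, b"")
        if counter != self.counter + 1:   # replayed or out-of-order command
            return self._reply(counter, b"ERR_FRESH", page, b"")
        self.counter = counter
        if op == b"WR":
            self.pages[page] = data
            return self._reply(counter, b"OK", page, b"")
        return self._reply(counter, b"OK", page, self.pages.get(page, b""))


class SecureComponent:
    """The 3S side: issues counted, authenticated commands and verifies replies."""

    def __init__(self, key, memory):
        self.key = key
        self.memory = memory
        self.counter = 0
        self.anchors = {}                 # page -> SHA-256 of last written content (internal NVM)

    def check_reply(self, reply, expected_counter):
        counter, status, page, data, t = reply
        if not hmac.compare_digest(t, tag(self.key, counter, status, page, data)):
            return "ERR_AUTH", b""
        if counter != expected_counter:   # replayed response from an older transaction
            return "ERR_FRESH", b""
        return status.decode(), data

    def _transact(self, op, page, data=b""):
        self.counter += 1
        cmd = (self.counter, op, page, data, tag(self.key, self.counter, op, page, data))
        return self.check_reply(self.memory.handle(cmd), self.counter)

    def write(self, page, data):
        status, _ = self._transact(b"WR", page, data)
        if status == "OK":
            self.anchors[page] = hashlib.sha256(data).digest()
        return status

    def read(self, page):
        status, data = self._transact(b"RD", page)
        if status != "OK":
            return status, b""
        if page in self.anchors and hashlib.sha256(data).digest() != self.anchors[page]:
            return "ERR_ROLLBACK", b""     # content is older than the last authenticated write
        return status, data


def run_memory_demo():
    """Normal traffic, then the attacks from the threat list, each rejected."""
    mem = SecureMemory(KEY)
    host = SecureComponent(KEY, mem)
    r = {}
    r["write_v1"] = host.write(1, b"firmware-v1")          # transaction 1
    r["write_v2"] = host.write(1, b"firmware-v2")          # transaction 2
    r["read_ok"] = host.read(1)                            # transaction 3
    # Replay of a recorded, correctly tagged write command (transaction 1).
    old_cmd = (1, b"WR", 1, b"firmware-v1", tag(KEY, 1, b"WR", 1, b"firmware-v1"))
    r["replay_cmd"] = mem.handle(old_cmd)[1]
    # Replay of a recorded, correctly tagged old response against a new request.
    old_reply = mem._reply(1, b"OK", 1, b"firmware-v1")
    r["replay_resp"] = host.check_reply(old_reply, host.counter + 1)[0]
    # Modified payload under a tag that was computed for different data.
    nxt = host.counter + 1
    bad_cmd = (nxt, b"WR", 1, b"evil", tag(KEY, nxt, b"WR", 1, b"good"))
    r["tampered"] = mem.handle(bad_cmd)[1]
    # Rollback/cloning: old bytes restored directly in the memory array.
    mem.pages[1] = b"firmware-v1"
    r["rollback"] = host.read(1)[0]
    return r


if __name__ == "__main__":
    for name, value in run_memory_demo().items():
        print(name, value)
```

The memory rejects any command whose counter is not exactly one past the last accepted one, which covers both replayed and dropped commands, and the component applies the same rule to responses. The anchor digest is what turns a physically restored or cloned memory into a detectable error rather than silently accepted stale content.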
Tuesday 27 May 2025
The role of industrial organizations in defining cybersecurity specifications: Eurosmart, GlobalPlatform, and TCG
In the evolving landscape of cybersecurity, industrial organizations play a pivotal role in establishing robust specifications and standards. These entities bridge the gap between industry needs and regulatory frameworks, ensuring the creation of secure, interoperable, and scalable solutions. Among the most influential players in this domain are Eurosmart, GlobalPlatform, and the Trusted Computing Group (TCG). Additionally, organizations like the European Telecommunications Standards Institute (ETSI) and the International Electrotechnical Commission (IEC) contribute significantly to shaping global cybersecurity frameworks. Together, these organizations form a cohesive ecosystem to address the multifaceted challenges of cybersecurity.

Eurosmart: Advocating for secure digital solutions

Eurosmart, an association dedicated to fostering security in digital interactions, has long been a key player in shaping cybersecurity specifications. Focused on secure elements, identity solutions, and security subsystems in Systems on Chips (SoCs), Eurosmart promotes standards that address emerging threats and technological advancements.

Key Contributions:
• Standardization of Secure Elements: Eurosmart develops specifications for secure elements used in smart cards, e-passports, and secure SoC subsystems. These standards ensure data integrity and protection against unauthorized access.
• Engagement with Regulatory Bodies: By collaborating with EU regulators, Eurosmart aligns its specifications with legislative requirements like the EU Cyber Resilience Act (CRA). This ensures that security measures meet both industry and governmental expectations.
• Focus on Secure Subsystems: Eurosmart plays a significant role in defining cybersecurity specifications for secure SoC subsystems, focusing on embedded security functions within SoCs, including external secure NVM, secure boot, data integrity, and cryptographic functionalities. These ensure robust protection against sophisticated threats, making SoC subsystems integral to secure digital infrastructure.

Eurosmart's contributions extend beyond technical specifications. Its advocacy for certification frameworks ensures that products meet high-security benchmarks, enhancing consumer trust and market reliability.

GlobalPlatform: Enabling interoperability and security

GlobalPlatform focuses on the standardization of secure digital services and devices, with an emphasis on enabling interoperability. This organization's specifications are widely adopted in the mobile, IoT, and payments industries, making it a cornerstone of secure device communication.

Key Contributions:
• SESIP Certification: Through the Security Evaluation Standard for IoT Platforms (SESIP), GlobalPlatform provides a streamlined certification process tailored to IoT products. This approach reduces complexity while maintaining high-security assurance levels.
• Secure Component Standardization: GlobalPlatform defines standards for secure elements, trusted execution environments (TEEs), and mobile platforms. These standards ensure compatibility and security across devices and services.
• Collaborative Technical Working Groups: GlobalPlatform engages with technical working groups to address specific industry challenges, ensuring its standards remain relevant and comprehensive.

GlobalPlatform's emphasis on interoperability ensures seamless integration across devices and networks, enhancing both user experience and security.

Trusted Computing Group (TCG): Building trustworthy systems

The Trusted Computing Group (TCG) specializes in developing open standards for hardware-based security. Its specifications provide foundational trust mechanisms for a wide range of devices, from PCs and servers to embedded systems.

Key Contributions:
• Trusted Platform Modules (TPMs): TCG's TPM specifications establish a hardware root of trust, enabling secure boot processes, encryption, and key management. TPMs are integral to safeguarding critical data and system integrity.
• Embedded Systems Security: TCG extends its standards to embedded systems, addressing the unique challenges of securing constrained devices. Its specifications are widely used in the industrial automation, automotive, and healthcare sectors.
• Collaboration with Technical Groups: TCG works closely with groups like ISCI to enhance standards for industrial control systems and critical infrastructure security.

TCG's focus on hardware-based security provides a strong foundation for building resilient systems capable of withstanding sophisticated cyber threats.

ETSI: Shaping telecommunications security

The European Telecommunications Standards Institute (ETSI) is a global leader in creating standards for telecommunications, including cybersecurity. ETSI's work ensures secure communication protocols and infrastructure.

Key Contributions:
• Development of Cybersecurity Standards: ETSI's EN 303 645 serves as a baseline for IoT security, outlining requirements for device integrity, data protection, and vulnerability management.
• Support for Telecommunications Security: ETSI has developed specifications to secure 5G networks, addressing threats like unauthorized access and data breaches.
• Collaboration with Industry: By working with network operators, manufacturers, and regulators, ETSI ensures its standards meet the dynamic needs of the telecommunications sector.

ETSI's focus on telecommunications security ensures that global communication networks remain robust and resilient.

IEC: Global safety and security standards

The International Electrotechnical Commission (IEC) develops standards for electrical and electronic systems, integrating cybersecurity into its frameworks. Its work spans industries like energy, healthcare, and industrial automation.

Key Contributions:
• Industrial Control System Security: IEC 62443 provides comprehensive guidelines for securing industrial control systems, mitigating the risks associated with cyber-attacks on critical infrastructure.
• Healthcare Device Security: IEC collaborates with ISO to create standards for medical device security, ensuring patient safety and data protection.
• Integration with Cyber-Physical Systems: IEC's standards address the cybersecurity challenges of interconnected systems, including smart grids and autonomous vehicles.

Collective impact on cybersecurity

Eurosmart, GlobalPlatform, TCG, ETSI, and IEC collectively contribute to a cohesive cybersecurity landscape. Their specifications ensure:
• Enhanced Security: By addressing vulnerabilities at both the hardware and software levels, these organizations provide comprehensive protection against cyber threats.
• Global Interoperability: Standardization efforts promote compatibility across devices and systems, fostering international collaboration and trade.
• Market Confidence: Certification programs and adherence to high-security benchmarks enhance consumer trust in products and services.

Challenges and future directions

Despite their significant contributions, industrial organizations face challenges such as:
• Keeping Pace with Technological Advances: Rapid innovation demands continuous updates to specifications and standards.
• Global Harmonization: Aligning standards across regions requires extensive collaboration and negotiation.
• Balancing Security and Usability: Striking the right balance between robust security measures and user convenience remains a critical task.

Looking ahead, the role of industrial organizations will expand to address emerging technologies such as quantum computing, AI, and blockchain. By continuing their collaborative efforts, these organizations will ensure that cybersecurity specifications remain relevant, effective, and universally adopted.

Conclusion

Industrial organizations like Eurosmart, GlobalPlatform, TCG, ETSI, and IEC are at the forefront of defining and implementing cybersecurity specifications. Their efforts underpin the secure operation of digital services and devices worldwide. By addressing current and future challenges, these organizations ensure that the global digital ecosystem remains resilient, secure, and trustworthy.

Winbond actively participates in key industry organizations such as GlobalPlatform and Eurosmart, contributing to the development of new cybersecurity standards and ensuring alignment with evolving regulatory requirements.

All Winbond Secure Flash products meet modern cybersecurity regulations and requirements, supporting industry standards and certification processes. They are pre-certified with various cybersecurity frameworks, easing the certification burden for customer platforms. Additionally, Winbond provides a complete turnkey solution, including pre-certified devices, software, and conformance documentation, tailored to regulations such as the EU Cyber Resilience Act (CRA) and the EU Radio Equipment Directive (RED).

For more details on how Winbond can help secure your supply chain and simplify compliance, visit Winbond's website, contact Winbond directly, or download the latest Hardware Security White Paper.
Tuesday 20 May 2025
Cybersecurity and industry standards: Requirements, scope, and practices
In an era of rapid technological advancement, standards form the backbone of secure, reliable, and fair practices across industries. Standards are essential for ensuring consistency, quality, and safety, particularly in domains where data protection and cybersecurity are critical. This article explores why standards are indispensable, the scope they cover, and how regulations enforce them effectively. The article specifically addresses standards and regulations such as ISO/IEC 27001, ISO 26262, ISO/IEC 15408 (Common Criteria), SESIP, the EU Cyber Resilience Act (CRA) and the EU Radio Equipment Directive (RED).

Why Are Standards Required?

Standards provide a structured approach to managing complexity and ensuring quality. They serve as universal guidelines that align practices, enabling compatibility, safety, and trust. Their role in protecting and securing data is paramount, ensuring that sensitive information is not only safeguarded but also managed ethically and efficiently.

Data is a valuable asset that requires stringent protection. Standards like ISO/IEC 27001 for information security and ISO 26262 for functional safety in automotive systems ensure robust measures to protect data, infrastructure, and human safety. These frameworks establish best practices for encryption, secure access controls, and ethical handling of information. By adhering to these standards, organizations demonstrate their commitment to security and build a resilient foundation for technological advancement.

Moreover, standards are pivotal for fostering international collaboration and interoperability. For instance, the seamless exchange of data between global organizations relies on shared protocols and secure practices defined by standards. This harmonization reduces trade barriers, boosts innovation, and ensures that technological progress benefits a broader spectrum of society.

Standards also play a crucial role in shaping consumer trust. When products meet established safety and quality benchmarks, consumers gain confidence in their reliability. This is particularly significant in industries such as healthcare and finance, where trust in systems and devices is essential. For example, medical devices that comply with ISO 13485 demonstrate adherence to stringent safety requirements, ensuring their efficacy and reliability.

What Do Standards Cover?

Common Criteria, SESIP
Standards address diverse industry and societal needs, ensuring compatibility, safety, and operational excellence across various domains. In cybersecurity and data protection, standards like ISO/IEC 15408 and SESIP provide frameworks for assessing IT security features and IoT device resilience. Similarly, ISO 26262 ensures functional safety in automotive systems, reducing the risks associated with advanced electronic technologies.

Cloud Security
Emerging technologies also benefit from standards, which provide ethical and operational benchmarks for developments like AI, blockchain, and quantum computing. By embedding robust security measures, these standards mitigate risks, foster trust, and encourage technological advancement. For instance, ISO/IEC 27017 focuses on cloud security, while the EU RED directive sets clear guidelines for wireless communications, ensuring safer and more reliable technologies.

Sustainability
Another area where standards prove indispensable is environmental sustainability. Standards like ISO 14001 guide organizations in reducing their environmental impact, ensuring that businesses operate responsibly while minimizing their carbon footprint. This dual focus on innovation and sustainability underscores the multifaceted role standards play in modern society.

Safety
Moreover, standards influence consumer safety in industries such as healthcare. Devices adhering to ISO 13485 demonstrate stringent safety requirements, ensuring efficacy and reliability. Similarly, in aviation, ISO 45001 supports occupational health and safety management systems, creating safer working environments for crew and staff. These diverse applications illustrate the universal relevance of standards in promoting trust and safeguarding well-being.

How Are Standards Enforced?

While standards establish the framework, enforcement ensures their practical application and impact. Legislative tools remain the most powerful enforcement mechanism. Regulations such as the EU Cyber Resilience Act (CRA) and the EU Radio Equipment Directive (RED) mandate compliance with stringent cybersecurity and safety benchmarks, especially for products with digital and wireless communication elements. These regulations demand adherence to established standards, ensuring robustness against evolving threats.

Certifications
Certification requirements further validate compliance. Standards like ISO/IEC 15408 (Common Criteria) and SESIP for IoT devices involve rigorous third-party evaluations to confirm adherence. Regular audits and inspections maintain ongoing compliance, fostering trust among stakeholders. For example, SESIP evaluations assess the security posture of IoT devices across various implementation contexts, ensuring they meet predefined security baselines.

Penalties
Penalties for non-compliance, such as fines and operational restrictions, act as significant deterrents. Collaboration between public authorities and industry stakeholders ensures enforcement mechanisms remain practical and adaptive. Advanced technological tools, including AI-driven compliance monitoring systems, streamline enforcement, making adherence more efficient.

Self-Assessment
Additionally, industry self-regulation plays a vital role in the enforcement of standards. Many organizations adopt voluntary compliance measures, recognizing that adhering to high standards not only ensures safety and quality but also enhances their competitive edge. Collaborative industry initiatives, such as the GlobalPlatform SESIP certification program, exemplify how collective efforts drive the enforcement of standards across sectors.

Challenges and Future Directions

Balancing compliance with innovation is a significant challenge. Over-regulation can hinder creativity, while under-regulation exposes vulnerabilities. Adaptive standards that evolve with technological progress are essential. For instance, ensuring that frameworks like ISO 21434 for automotive cybersecurity remain relevant to advancing vehicle technology is critical. Additionally, global harmonization of standards facilitates international trade and collaboration.

Enhancing enforcement mechanisms, including leveraging advanced tools and public engagement, ensures comprehensive compliance. Continuous improvement through regular updates keeps standards relevant, addressing emerging challenges effectively. For example, campaigns aimed at educating citizens about data security not only empower individuals but also foster a collective commitment to maintaining high standards across industries.

Another future direction is the integration of standards into emerging digital ecosystems, such as smart cities and autonomous vehicles. These environments require robust, interoperable standards to manage the complexity of interconnected systems while ensuring safety and security. The development of new standards for AI ethics, IoT security, and blockchain interoperability is a testament to the ongoing evolution of standardization efforts.

Conclusion

Standards are the cornerstone of a secure, reliable, and innovative global landscape. Enforced through powerful legislative tools, such as the EU CRA and RED, and complemented by public awareness, they protect data, ensure safety, and foster trust. Examples like ISO/IEC 27001 and ISO 26262 highlight their critical role across sectors. By integrating emerging technologies with adaptive standards, the future promises a harmonious blend of innovation and security. Continuous public education and engagement will further bolster these efforts, ensuring a sustainable and secure technological ecosystem for generations to come.

As technology advances, the role of standards will only grow in importance. From protecting sensitive data to fostering international collaboration, standards provide the foundation for progress. By embracing adaptive standardization and robust enforcement mechanisms, society can navigate the challenges of the digital age with confidence and resilience.

In an era where system vendors must navigate diverse cybersecurity regulations across different regions, Winbond alleviates these challenges by providing pre-certified products that streamline compliance efforts. Winbond Secure Flash products are pre-certified with various cybersecurity standards, easing the certification process for customer platforms. Additionally, Winbond offers a complete turnkey solution, including pre-certified devices, software, and conformance documentation tailored to regulatory requirements such as the EU Cyber Resilience Act (CRA) and the EU Radio Equipment Directive (RED).

For more information on how Winbond can support your security and compliance needs, visit Winbond's website, contact Winbond directly, or download the latest Hardware Security White Paper.
Wednesday 7 September 2022
[DIGITIMES - Supply Chain Summit 9/27-28] How do global businesses manage supply chain risks, maintain resilience, and deliver sustainable growth!
Taiwan's role in the global supply chain has changed dramatically due to the importance of the semiconductor industry in technological development and its critical position at the core. In view of increasingly complex geopolitical situations, how we can maintain our operational resilience and help to deepen regional economic cooperation are topics of ever greater interest. Intensifying competition between China and the US, the resulting rise of Asia's global status, climate change, carbon footprints, and so on are also driving changes in industry structures and corporate business models.

DIGITIMES will be hosting the "Supply Chain Summit" on 27-28 September 2022 in Taipei, Taiwan (hybrid event). Over 50 leading companies and brands will be present, along with Taiwanese and international experts, to share their perspectives on how to manage global supply chain risks, maintain resilience, and deliver sustainable growth.

The event will lead experts to discuss the hottest topics, focusing on regionalization, digitalization, and ESG issues in the electric vehicle, semiconductor, and smart manufacturing industries. Renowned speakers include Harvard Business School's Professor Willy C. Shih (impact of supply chain decarbonization on logistics and global trade), the Wall Street Journal's chief economics commentator Greg Ip ("supply chain policymakers' response to inflation and economic disruption"), and the Hinrich Foundation's research fellow Alex Capri ("impact of geopolitics on supply chain risk management"). In addition, Tata Motors will lead KPMG, AWS, Schneider Electric, Chunghwa Telecom, Winbond Electronics Corp., and Advantech Co. in offering their views on supply chain management. We aspire to drive forward our industry's overall development through knowledge and experience sharing.

We cordially invite you to be part of the "DIGITIMES - Supply Chain Summit", a unique opportunity to understand the latest thinking, strategy, plans, and technologies in our industry. Beyond physical on-site participation, conference attendance will also be available online, with bilingual translation provided. Please sign up on our event site as soon as possible; limited places are available.

Register now: https://pse.is/4f8ux9
For more information please visit the event site: https://bit.ly/3CGBJt1

Media Contact: Michelle Lee, Michelle.lee@digitimes.com, +886-2-87128866 #832

DIGITIMES - Supply Chain Summit

About DIGITIMES:
DIGITIMES was established in 1998 as the leading professional media platform in Greater China that reports on developments in the technology industry's global supply chain, regional competitive landscape, applications, and market evolutions. Our research teams provide research, production, and sales data, and professional analyses from upstream to midstream, downstream, and end markets. We also bring ideas and views on industry trends as well as forward-looking perspectives to our clients through our consulting practices.
Thursday 25 March 2021
Complete new cloud-to-device solution gives proven way to implement secure over-the-air firmware updates in IoT devices
Winbond Electronics Corporation, a leading global supplier of semiconductor memory solutions, microcontroller manufacturer Nuvoton, and security software developer Qinglianyun have introduced a fully integrated reference design for secure over-the-air (OTA) firmware updating of IoT devices, secured from the cloud to the device's code storage memory.

By providing a proven way to implement secure firmware updates on secure and certified hardware and software, the Winbond/Nuvoton/Qinglianyun solution reduces the time it takes to develop new IoT devices and helps OEMs get to market faster with products for smart city, smart home, metering, industrial control, and other security-conscious applications.

The reference design is based on the Nuvoton M2351SF IoT Security MCU, a multi-chip module consisting of the M2351 IoT Security microcontroller and Winbond's W77Q TrustME secure Flash memory IC. The M2351 microcontroller is based on the Arm Cortex-M23 secure processor core with TrustZone technology. The module's W77Q secure Flash device is connected to the M2351 via an encrypted serial peripheral interface, which resists sniffer attacks on data transferred between the two chips.

To provide a trusted execution environment (TEE) for secure OTA firmware updating operations and communications with the cloud, the M2351 runs Qinglianyun's TinyTEE secure software stack in TrustZone-protected hardware. Using the 32Mbit secure storage provided by the W77Q, the reference design provides for:
* Storage of secure and non-secure firmware and data
* Authenticated access control to ensure the integrity of firmware and data
* Rollback protection

The TinyTEE software on the M2351 connects to Qinglianyun's secure cloud service, which provides a full suite of IoT device management capabilities, such as device authentication, secure storage, an encryption engine, and a true random number generator, complying with the GlobalPlatform TEE standard interface. This system thus provides a secure chain of trust for the provision of OTA firmware updates from the cloud all the way to the W77Q Secure Flash memory, with no vulnerability to remote attack or exposure of private data.

The solution provides a comprehensive set of security essentials. The W77Q helps ensure robust, end-to-end security in IoT devices by enabling:
* Secure storage
* Secure boot and root-of-trust
* Authenticated and encrypted data transfer between the Flash device and the host
* Secure Execute-in-Place (XiP) of boot and application code
* System resilience, supporting the key security functions of protection, detection and recovery

The M2351 microcontroller also offers multiple security capabilities, including:
* Secure bootloader
* Hardware cryptographic accelerators
* Execute-only memory
* Tamper detection pins

For more information about the Winbond/Nuvoton/Qinglianyun solution for secure OTA firmware updating, contact your local Winbond sales office or authorized distributor.

Winbond/Nuvoton/Qinglianyun solution
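To make concrete what the "authenticated access control" and "rollback protection" items in the reference-design list mean at the device side, here is an added Python model of the checks a device applies before committing an OTA image (example code written for this page; it is not Winbond, Nuvoton or Qinglianyun code and does not describe TinyTEE or the W77Q command set). The manifest layout (version, image digest, authentication tag), the `Device` class and the image bytes are constructed for the demo, and a shared-key HMAC stands in for the public-key signature a real design would verify against a key held in immutable storage.

```python
import hashlib
import hmac
import struct

# Constructed manifest key. In a real design the device holds only a public key
# and verifies an asymmetric signature; HMAC is used here as a stand-in.
MANIFEST_KEY = b"constructed-manifest-key"

VERSION_LEN, DIGEST_LEN, TAG_LEN = 4, 32, 32


def make_manifest(key, version, image):
    """Update-server side: version (uint32 BE) || SHA-256(image) || tag over both."""
    body = struct.pack(">I", version) + hashlib.sha256(image).digest()
    return body + hmac.new(key, body, hashlib.sha256).digest()


class Device:
    """Device-side update logic: authenticate, enforce monotonic version, verify image."""

    def __init__(self, key, installed_version):
        self.key = key
        self.installed_version = installed_version   # kept in rollback-protected storage
        self.slot = b""                              # active firmware image

    def apply_update(self, manifest, image):
        if len(manifest) != VERSION_LEN + DIGEST_LEN + TAG_LEN:
            return "ERR_FORMAT"
        body, tag = manifest[:VERSION_LEN + DIGEST_LEN], manifest[VERSION_LEN + DIGEST_LEN:]
        # 1. Authenticity of the manifest before trusting anything inside it.
        if not hmac.compare_digest(tag, hmac.new(self.key, body, hashlib.sha256).digest()):
            return "ERR_AUTH"
        version = struct.unpack(">I", body[:VERSION_LEN])[0]
        # 2. Rollback protection: only strictly newer versions are accepted.
        if version <= self.installed_version:
            return "ERR_ROLLBACK"
        # 3. Image integrity: the image must match the digest the manifest vouches for.
        if not hmac.compare_digest(hashlib.sha256(image).digest(), body[VERSION_LEN:]):
            return "ERR_INTEGRITY"
        # Commit image and version only after every check has passed.
        self.slot = image
        self.installed_version = version
        return "OK"


def run_update_demo():
    """A valid update followed by the rejected cases: re-install, downgrade, tampering."""
    dev = Device(MANIFEST_KEY, installed_version=3)
    good = b"constructed-app-image-v4"
    res = {}
    res["newer"] = dev.apply_update(make_manifest(MANIFEST_KEY, 4, good), good)
    res["same_again"] = dev.apply_update(make_manifest(MANIFEST_KEY, 4, good), good)
    older = b"constructed-app-image-v2"
    res["older"] = dev.apply_update(make_manifest(MANIFEST_KEY, 2, older), older)
    m5 = make_manifest(MANIFEST_KEY, 5, b"constructed-app-image-v5")
    res["tampered_image"] = dev.apply_update(m5, b"constructed-app-image-v5-modified")
    forged = bytearray(m5)
    forged[0] ^= 1                                   # flip a bit in the version field
    res["forged_manifest"] = dev.apply_update(bytes(forged), b"constructed-app-image-v5")
    res["final_version"] = dev.installed_version
    return res


if __name__ == "__main__":
    for name, value in run_update_demo().items():
        print(name, value)
```

The order of the checks matters: the version is read only after the manifest has been authenticated, so an attacker cannot drive the version comparison with a forged value, and the version counter is advanced only after the image digest has been verified, so a failed update never moves the rollback floor.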