
Arm advocates PSA certified as cornerstone for complying with IoT security regulations


Rob Coombs (left) and Anurag Gupta (right)

According to statistics, the global number of connected devices reached 16 billion by 2023, more than double the global population! However, many device manufacturers have yet to adopt security by design principles, leading to hacking and privacy risks at the population level. To protect consumers, many governments consider device security a crucial national security issue and are in the process of legislating for its implementation. This trend will impact the entire electronics industry, from IP, chips and software to end devices, posing a challenge for stakeholders to comply with various security regulations and laws.

In response, Arm has incorporated cybersecurity requirements mandated by different regulations, including those from the EU and the UK, into the new version of PSA Certified Level 1 v3.0 document. Leveraging its large security ecosystem, Arm assists stakeholders in preparing early for compliance.

Irresistible Legislative Trends for Stakeholders

PSA (Platform Security Architecture) Certified, initiated by Arm in 2018 to address various underlying security issues, has become a common security platform in the IoT industry, with a total of 200 PSA Certified products globally.

Regarding the latest legislative trends in security, Rob Coombs, Security Director, Arm & PSA Certified (PSA JSA) Chair, mentioned that in Europe, governments are formulating baseline cybersecurity regulations. For Taiwanese companies operating in the European market, preparing before the laws are enforced is crucial.

The UK's Product Security Telecommunications Infrastructure (PSTI) Act is the fastest approaching regulation, set to come into effect this April. Additionally, the EU's Radio Equipment Directive (RED) has cybersecurity requirements that will come into force in August 2025. A couple of years further out is the Cybersecurity Resilience Act (CRA), which is currently under legislation. In the United States, state laws such as California's SB-327 have already banned default passwords. PSA Certified brings all of these requirements together in a new section of PSA Certified Level 1. OEMs can answer the Level 1 requirements to see whether they comply or to assess the gap that needs to be fixed. They can optionally have a third-party test laboratory provide an impartial assessment.

"For PSTI, manufacturers can use the PSA Certified Level 1 certification to document whether their submitted chip/device/software designs comply with the security requirements, allowing third-party labs to review their answers. As for EU's RED and CRA, the new version of PSA Certified Level 1 document also includes the draft requirements from regulations, enabling companies to prepare this year without waiting for the regulations and standards to take effect. As PSA Certified is widely accepted in the industry as a security solution, using it as a design foundation will help companies address upcoming security regulatory issues in a more cost-effective and simpler manner."

Assisting OEMs in Overcoming Challenges to Security Design

In addition to various security standards, OEMs now face new regulatory issues, making security design for IoT devices more challenging. Rob Coombs believes that regulations will be a more significant concern for stakeholders because this involves whether products can be sold. Therefore, whether products can adhere to security principles from the outset will be the starting point for the design challenges that stakeholders face.

On the other hand, the complexity of the entire OEM value chain is even more challenging. Chip manufacturers are responsible for providing the Hardware Root of Trust (RoT), which includes security functions such as encryption and keys. The software layer, such as FreeRTOS LTS or one of the Linux platforms, is responsible for executing OTA updates and secure communication. Typically, OEMs combine the software platform of their choice with a main System on Chip (SoC), then add their own application code. It is challenging for OEMs to answer product-level security requirements when they have not designed the chip or platform software.

To overcome this issue, PSA Certified uses composition, which means that the OEM can reuse a pre-certified chip or software platform. They only have to answer a smaller set of security questions that focuses on their device application code. Growing cybersecurity regulation will force all device makers to adopt security by design practices; PSA Certified makes that as easy as possible by dividing up the problem into chip + system software + device.

One way that security is better on Arm is the availability to chip vendors of open source trusted firmware for MCUs and MPUs. This provides a consistent set of crypto and secure storage APIs available to OEMs from many chip manufacturers. Providers of key middleware components such as Over The Air (OTA) updates and Transport Layer Security (TLS) can use these standardized interfaces to the chip's hardware security to better protect devices and services.

Rob Coombs likened it to, "Just as PCs have BIOS and TPM, chips based on the Arm architecture have a PSA Certified RoT to achieve secure boot and PSA Crypto API to standardize crypto functions."

Building a Strong Security Ecosystem Starting from the Root of Trust (RoT)

Anurag Gupta, Director Business Development, Platform Security Architecture at Arm, added that PSA Certified has three different levels of certification for the chip. PSA Certified Level 1 indicates that the chip has a hardware RoT and the chip vendor's written assessment responses were passed by the lab. PSA Certified Level 2 involves chip testing in the lab for basic software attacks and is suitable for most connected devices. PSA Certified Level 3 demonstrates protection from substantial physical and software attacks on the RoT, assessed in the lab by passing penetration testing.

Therefore, OEMs can choose the appropriate security level according to their needs, whether it only needs to pass software attacks or needs to pass both software and hardware attacks. "This is the first time in the industry that there is a common language for OEMs to tell chip manufacturers what security level chips they need, which is a significant step forward for security design."

Moreover, since many software engineers are not familiar with hardware security technologies, defined PSA Certified APIs make it easier for developers to leverage the security features provided in chips. Developers who choose a chip that supports PSA Certified APIs can use hardware security functions on different chips with the same code, greatly simplifying product development.

Rob Coombs stated that PSA Certified is independent of architecture, and certification is not exclusive to chips based on the Arm architecture; it is applicable to other architectures as well. However, Arm's various security offerings, such as TrustZone technology and the availability of optimized trusted firmware with common APIs, have been optimized for PSA, making chips based on the Arm architecture best suited to a security by design approach and PSA Certified.

Therefore, after many years of promotion by Arm, PSA Certified has not only been adopted by leading chip manufacturers but has also expanded widely to many software and device manufacturers, constructing a powerful security ecosystem.

At the same time, Arm continues to strengthen its security technologies. Newer Arm processors add Memory Tagging Extension (MTE) protection methods, which effectively reduce serious security errors such as memory security violations and memory corruption, significantly reducing the chances of being attacked. Arm will also later this year transition to Long Term Stable for Trusted Firmware, making security solutions on the Arm architecture even more attractive.

*Visit the PSA Certified website: https://www.psacertified.org/
*Download the 2023 PSA Certified Security Report - Regulations and Security: The Multiplier Effects, to understand the insights from PSA Certified founders and partners on the security of connected devices amidst increasing security investment costs due to rising security demands.
*Watch the video of the "Arm Security Summit 2024" to understand how Arm assists industries in designing a more secure world on Arm.
*To learn more about certifying products, visit: https://www.psacertified.org/development-resources/certification-resources/

The 2023 PSA Certified Security Report - Regulations and Security: The Multiplier Effects