PSA Certified

In 2017, Arm Holdings created Platform Security Architecture (PSA), a standard for IoT security. The standard builds trust between Internet of Things services and devices.{{cite web |last1=McGregor |first1=Jim |title=Not All Electronic Device Are Secure, But ARM's PSA May Change That |url=https://www.forbes.com/sites/tiriasresearch/2017/10/30/not-all-electronic-device-are-secure-but-arms-psa-may-change-that/#2f066dd3e0bb |work=Forbes |date=October 30, 2017}}{{cite web |last1=Takahshi |first1=Dean |title=Arm unveils security certification testing for IoT devices |url=https://venturebeat.com/2019/02/25/arm-unveils-security-certification-testing-for-iot-devices/ |publisher=VentureBeat}} It was built to include an array of specifications such as threat models, security analyses, hardware and firmware architecture specifications, and an open-source firmware reference implementation.{{cite web |title=Momentum Builds for PSA Certified |url=https://www.embedded-computing.com/guest-blogs/momentum-builds-for-psa-certified |publisher=Embedded Computing Design |date=March 30, 2020}} It aimed to become an industry-wide security component, with built-in security functions for both software and device manufacturers.

PSA has since evolved to become PSA Certified, a four-stage framework which can be used by IoT designers for security practices.{{cite web |last1=Khan |first1=Jeremy |title=SoftBank's ARM Makes Bid to Standardize IoT Security Industry |url=https://www.bloomberg.com/news/articles/2017-10-23/softbank-s-arm-makes-bid-to-standardize-iot-security-industry |publisher=Bloomberg |date=October 23, 2017}} The framework included different levels of trust, with each level contains a different level of assessment, with progressively increasing security assurances.{{cite web |last1=Condon |first1=Stephanie |title=Arm partners with testing labs to provide IOT security certification |url=https://www.zdnet.com/article/arm-partners-with-testing-labs-to-provide-iot-security-certification/ |publisher=ZDNet |date=February 25, 2019}}

In 2018, the first IoT threat models and PSA documents were published.{{cite web |last1=Williams |first1=Chris |title=Arm PSA IoT API? BRB... Toolbox of tech to secure net-connected kit opens up some more |url=https://www.theregister.co.uk/2018/10/17/arm_psa_iot/ |publisher=TheRegister |date=October 17, 2018}}

The certification of PSA Certified launched at Embedded World in 2019,{{cite web |last1=Hayes |first1=Caroline |title=Embedded World: Arm introduces fourth security element to PSA |url=https://www.electronicsweekly.com/market-sectors/internet-of-things/arm-introduces-fourth-security-element-psa-2019-02/ |publisher=Electronics Weekly |date=February 25, 2019}} where Level 1 Certification was presented to chip vendors. A draft of Level 2 protection was presented at the same time.{{cite web |title=PSA Certified–building trust, building value |url=https://www.eetimes.com/psa-certified-building-trust-building-value/ |publisher=EE Times |date=March 4, 2019}}

Six of the seven founding stakeholders created the PSA Certified specifications, which are now make up the PSA Joint Stakeholders Agreement. The stakeholders are Arm Holdings, Brightsight, CAICT, Prove & Run, Riscure and UL. TrustCB became the seventh PSA Certified JSA member, acting as an independent Certification Body for the scheme. Out of the six other founding members, four are security test laboratories, which includes Brightsight, CAICT, Riscure and UL.

The first PSA Certified Level 2 certificates were issued to chip vendors in February 2020.{{cite web |title=The $6trn importance of security standards and regulation in the IoT era |url=https://www.iot-now.com/2020/03/16/101805-6trn-importance-security-standards-regulation-iot-era/ |publisher=IoT Now |date=March 16, 2020}}

The first PSA Certified Level 3 certificate was issue in March 2021.{{Cite web|title=Secure Vault achieves PSA Certified Level 3 status|url=https://www.newelectronics.co.uk/electronics-news/secure-vault-achieves-psa-certified-level-3-status/235520/|access-date=2021-04-10|website=www.newelectronics.co.uk}}

The PSA Joint Stakeholders Agreement outlines how members can create a worldwide standard for IoT security that enables the electronic industry to have an easy to understand security scheme. The security certification scheme documents enable a security-by-design approach to a diverse set of IoT products. The scheme starts with a security assessment of the chip and its Root of Trust (RoT) and then builds outwards to the system software and device application code. PSA Certified specifications are implementation and architecture agnostic so can be applied to any chip, software or device.{{cite web |last1=McGregor |first1=Jim |title=Arm Introduces Security Certification Testing For IoT |url=https://www.forbes.com/sites/tiriasresearch/2019/03/04/arm-introduces-security-certification-testing-for-iot/#7c4aa91d38eb |work=Forbes |date=March 4, 2019}}

PSA Certified aims to removes industry fragmentation for IoT product manufacturers and developers in a number of ways. The world's leading IoT chip vendors are delivering system-on-chips built with a PSA Root of Trust (PSA-RoT) providing a new widely available security component with built-in security functions that software platforms and original device manufacturers (OEMs) can make use of.{{cite web |last1=Speed |first1=Richard |title=Azure IoT heads spacewards to maintain connectivity at the edge, courtesy of Inmarsat |url=https://www.theregister.co.uk/2019/02/25/azure_iot_takes_to_space/ |publisher=TheRegister |date=February 26, 2019}}

A high-level set of APIs are provided by the PSA-RoT to abstract the trusted hardware and firmware used by different chip vendors. These APIs include:

• PSA Cryptography API
• PSA Attestation API
• PSA Storage API

Open source API test suites are available to check compliance for PSA Functional API Certification. An open-source implementation of the PSA Root of Trust APIs is provided by the TrustedFirmware.org project.

The first level of security certification for PSA Certified is Level 1, aimed at chip vendors, software platforms and device manufacturers. The certification consists of questions, document review and an interview by one of the certification labs. The completed answers are accompanied with explanatory notes, checked by the certification lab. According to the PSA Certified website, language and mappings align with other important IoT requirements, such as standards and laws. These include NISTIR 8259, ETSI 303 645 and SB-327.{{cite web |title=Level 1 |url=https://www.psacertified.org/security-certification/psa-certified-level-1/ |publisher=PSA Certified}}

The mid-level security certification involves testing by a security lab, focusing on source code review and the PSA Root of Trust (PSA-RoT), over the course of a month to attain the level 2 certification. This process focuses on carefully defined attack methods and utilizes a set evaluation methodology.{{cite web |title=Arm Releases New Infrastructure and Security Certifications for IoT Devices |url=https://www.allaboutcircuits.com/news/arm-releases-new-infrastructure-security-certification-iot-devices/ |publisher=AllAboutCircuits |date=February 25, 2019}} It also ensures hardware must support PSA-RoT functions and is therefore aimed at chip vendors.

According to Forbes, they believed Level 2 was likely to become the most common level for consumer IoT applications.

The final level extends the criteria of Level 2 to include protection against various physical attacks and side-channel attacks.

Since the launch of the standard, it has been adopted by a number of chip manufacturers and system software providers.

{{reflist|2}}

Category:Internet of things companies

Category:Internet security