Few of us would consult with a doctor who did not have some kind of medical certification, give our child a toy that hadn’t passed basic safety standards or install a water heater that had not been certified to meet industry regulations.
Yet every day, companies of all sizes are designing, deploying, and trying to manage thousands of Internet of Things (IoT) devices without common standards, regulations, or a consistent approach to IoT security.
Who hasn’t heard of the hackers who stole the details of a casino’s high-roller database through a poorly protected thermometer in the lobby’s fish tank? Or researchers who discovered a way to access a robot-connected vacuum cleaner and spy on the homeowner through its onboard camera and microphone?
IoT devices—from intelligent edge gateways to ultra-constrained sensors—are permeating every aspect of our lives and transforming entire industries. IoT security has to be uniformly and effectively addressed to build trust, and with trust the IoT can scale and deliver value to new and emerging services across multiple markets.
Internet of Things security is a growing challenge
As the challenges of IoT security grow and IoT security trends become more complex, everything from cars to baby monitors to pacemakers to lightbulbs is at risk of being compromised, exposing confidential or private data or surrendering control of a wider system as the new weapon of choice in malicious attacks. At worst, whole swathes of IoT devices could be compromised to form a giant botnet capable of taking down high-profile targets.
So how do manufacturers and businesses know how to protect their IoT deployments, and what are they protecting them from?
Today, very few IoT devices are subjected to any security testing, let alone the kind of independent testing that can instil the same level of trust and peace of mind that we get when we visit a licensed medical professional or buy a baby’s toy.
In the Arm 2018 Security Manifesto, Yossi Naar, chief visionary officer and co-founder of cyber security company Cybereason, explained that “in too many cases security features are considered toward the end of the design process when making a product more secure can mean reducing or eliminating features, or even delaying a product release – outcomes that can hurt sales. It’s a situation that can end without any winners, with devices released that are inherently insecure.”
The reasons for this are clear: developers often lack security expertise and access to simple, consistent frameworks that enable them to build on the security capabilities of devices. Combined, these kinds of challenges are reinforcing a lack of trust and slowing uptake in the Internet of Things.
Certification helps build trust
The good news is that many industry organizations and consortia are beginning to promote IoT standards, and regulators are waking up to the need for stringent IoT security. However, there’s still too much fragmentation; in a landscape of immature and fragmented markets with diverse requirements and massive data challenges, there remains a huge need for a consistent and inclusive approach.
In short, only industry-wide certification can help to build trust in devices and create value in existing and emerging use cases.
Consider that the vision for IoT is the deployment of massive numbers of connected devices, all generating a huge volume of data. For businesses, that data is then processed locally, at the edge or in the cloud, to generate business insights and drive
However, the validity of those business insights is predicated on those devices and their data being trusted. This trust can only be established by having the right level of security for the given use case. And only independent security certification can establish the trust necessary for IoT to deliver business value.
Multi-level assurance and robustness
In working closely with our partners to help mitigate these risks and challenges, we recognised that if the reality of a trillion connected devices is to be met, we needed to develop a trusted framework for IoT security that the industry can follow to build in consistent security from the ground up. The result was the Platform Security Architecture, or PSA – an architecture-agnostic framework that many manufacturers are already using to implement the right level of security for their IoT projects.
PSA has four key elements: analysis, architect, implement and certify. Arm has freely published the specifications, threat models, and reference firmware related to PSA, and PSA has received wide industry support as a cost-effective and consistent security initiative.
To complement PSA, in February 2019 PSA Certified was launched. PSA Certified is an independent certification scheme that enables silicon vendors, OS vendors, and OEMs to build trust in devices and the services that rely on them.
PSA Certified was developed in partnership with leading test laboratories and security consultants to ensure independence and the broadest market enablement. These labs include Brightsight, CAICT, Riscure and UL, and external security consultants Prove and Run.
Through the close collaboration of industry experts, all with the common goal of raising the security bar, PSA Certified has been designed as a multi-level assurance and robustness scheme. Several leading silicon vendors are already PSA Certified at Level 1. A multi-level scheme is important because a one-size-fits-all approach to IoT security clearly doesn’t meet the breadth of business or IoT use case needs.
Scale IoT with PSA Certified
The multi-level nature of PSA Certified allows companies to determine and then independently verify the right level of security for their use case. Once the right level of assurance and robustness is reached, trusted service deployment at scale can be achieved.
If the reality of a trillion connected devices is to be met, many of which will spend years in the field, we must build trust into those devices through simple, independent multi-level IoT security certification and consistent developer APIs. Only then can consumers rest easy that they made the right choice, and businesses realize the full potential of IoT.
Platform Security Architecture and the PSA Certified scheme are already helping to secure and scale the Internet of Things (IoT). Discover more at www.psacertified.org.