Why Certification is Essential for Digital Security

Geof Wheelwright: Welcome back to the Arm Viewpoints podcast. Today, we’re going to talk about something that users of technology are increasingly concerned about, Security. In this case, we’re looking at an important security initiative called PSA Certified. PSA stands for platform security architecture. Our guest today is David Maidment who will explore PSA Certified and the conclusions of a recent report that discusses why 2022 will be the year of change for security in the internet of things or IoT technology.

David is Senior Director for secure device ecosystems at Arm, and Arm is a co-founder of PSA Certified. He has more than 25 years of experience in the embedded and connectivity industry. He specializes in the intersection between security and the internet of things and in his role at Arm, David looks at the emerging device security technology landscape, including the PSA Certified initiative. Great to have you on the podcast, David.

David Maidment: Geof, thank you. Yeah, it’s really great to be here. Really appreciate it. Thank you.

Geof Wheelwright: So David, we previously had, Richard Grisenthwaite on the podcast to discuss cybercrime and what’s being done within the tech industry to prevent it. During our conversation he touched on PSA Certified, an area you’re closely involved in. So can you explain why Arm founded PSA Certified and what the mission is?

David Maidment: Yeah, absolutely. Really happy to do that. And thank you for the great introduction and explaining as well to the listeners what PSA stands for. So basically I head up the secure devices ecosystem actually within Richard’s group. So in the architecture and technology group within Arm, and we are the sponsoring group in Arm for what started off as PSA. So platform security architecture back in 2017.

Arm, by virtue of where we are in the supply chain and by virtue of our technologies and our partners, we’re at the forefront of seeing security innovation in the market and actually noticing what needs to happen in order to sort of fuel the best practice in the industry and to drive effectively what we’re seeing now, which is this huge ramp of digital transformation that’s taking us across all industries.

So back then in 2017, we could see that security was important. We could see certain areas in the market where it was being addressed but others where it was being skipped. And I think Arm and its partners collectively recognized that security is something that needs to be at the heart of designs.

It needs to be an ecosystem approach and it needs to be within the heart of every device that’s going to be connected. So to help fix those problems we actually created PSA Certified. We went through a phase of founding that with founding members and then we reached a point three years ago where the market actually gave us feedback that we needed to create a certification scheme.

And that gives you effectively a measure of compliance against security. What we found is that there’s been huge fragmentation in the market. There is very differing requirements and understanding of just what security means actually. We’re kind of using this phrase but we haven’t really well-defined it.

PSA Certified was founded in 2019. We’re just about to hit our third birthday and during that time we’re really happy to say that we’ve achieved close to a hundred PSA Certified products. We have over 50 companies that, that are now participating in that and momentum is growing rapidly.

What that’s telling us is that the collaboration model, the joining an initiative where the industry comes together is really important and really critical and Arm as our founding member has been really pivotal in that. So it’s been a very exciting journey to get to this point.

And really we’re just at the beginning of what that’s going to look like. As part of that process we’ve founded it with leading cyber security labs, we’ve been working with industry bodies and we’ve been aligning with government regulation and standards and we’d been working with leaders in the IoT space in order to align what PSA Certified can do and what it delivers to the market.

So a huge breadth basically of what we’re covering and I’m very excited to drill into it a little bit more and explain that to you today.

Geof Wheelwright: Well happy almost third birthday. We know that certification’s huge in many industries. Underwriter Labs for example, is well-known for its safety standards for electronic products and medical devices. But how important is certification and verification in the overall push to improve security within this industry?

David Maidment: To explain a little bit about PSA Certified. It’s actually founded with four of the world’s leading cyber security labs. So PSA Certified is an independent organization. It’s co-founded by Arm but it’s actually something that’s deliberately been set up to be independent. So we have UL, CAICT in China, we have Riscure and SGS Brightsight as all founding members and they’re all security labs. And what’s important is that they’re all independent and they represent independence.

So what we don’t want as an industry is to mark your own homework. You want to be able to show that that, you’re meeting a certain level of security but you’re not the one that’s saying actually “yeah my security is great but how do I prove it?” So it’s all about proving in an independent way that you’re meeting the necessary sort of industry norms.

Since then, we’ve welcomed two more labs into PSA Certified. So we have Applus+ and ECSEC (Electric Commerce Security Technology Research Association) that have also joined. So we have six labs now, which brings great breadth to how partners get certified. And we really certify what we call the roots of trust. I spend a lot of my time describing what a root of trust is as an easy way for your listeners to understand it.

It’s effectively every secure operation on an SoC (System-on-Chip), every secure operation will happen within a root of trust. If you trust the device, you trust the service that’s on top of that device and you need to be able to trust that root of trust is integral to your service.

So that’s what we’re doing. We’re certifying the root of trust, we’re also certifying the system software that sits on top and we’re certifying the end OEMs that work to bring all of that technology together. And I think what’s interesting is that as well as running that security scheme, we’re also in an incredible place in the industry where we can kind of get that feedback and that sort of a litmus test and the pulse of the industry.

As you kindly said at the beginning, we create a PSA Certified security report each year. We go out and we talk to over a thousand of leading decision makers in the electronics industry and we get feedback from them in terms of how they view security. We’re noticing this turning point in 2022 where security is really seen as something that’s no longer optional, it’s really no longer a secondary concern.

It’s something that companies have to take seriously and the reason for that is because those digital devices that are connected, they support services, they support businesses. There’s value behind that. And if you have bad actors that compromise those devices, then obviously that impacts your brand, that impacts the bottom line of your company. Sometimes it even has legal implications.

We see that the majority of companies are now recognizing that it needs to be part of you know their top care about but we’re also noticing that they they’re struggling in terms of the expertise that they have in-house. So that’s why looking at an organization like PSA Certified, a scheme, like PSA Certified allows them to, you know, effectively understand the measure of security and make sure that it meets their needs and their go to market. So it’s a very long answer to a very simple question, but actually that’s the point. I think the point is that having independence, having a measure, having a way of understanding what you’re putting in your product in the end, that’s what we’re doing. And so that’s, you know, in a nutshell, that’s really the mission that we’re on and that’s what the industry is looking at.

Geof Wheelwright: So David, you mentioned OEMs. Can you tell me a little bit more about their involvement?

David Maidment: Yeah, absolutely. Absolutely, Geof. So OEMs are crucial in the security journey that we’ve been talking about.

So if you think about the role of an OEM, they would develop effectively a product and then ship it into a market. And that product will connect to a service and provide a function in the market. I kind of deliberately talk about it in a very generic way, that product could be a smart speaker or it could be a sensor in a smart factory so there’s a whole breadth in terms of where OEMs would serve from a security point of view.

Really what’s important is if when you think about what they’re doing, they are taking a system-on-a-chip, a processor, an Arm based processor, right? I see they’re putting onto their software, so a lot of that software they will take from, you know there will be a communication stack. They’ll take an operating system, they’ll put all of that on there. They will then put their own application software on top they’ll then kind of modify and develop their hardware and they will turn that into a product.

So there’s a lot of things coming together there now from what we know, that that system-on-a-chip has a hardware root of trust. So inside there it would have the ability to boot securely. It would have secure storage, it would have crypto (cryptography). What the OEM needs to make sure is that they don’t break any of that security model as they go through developing their products.

The crypto would have to be used for as an example, secure communications, you’d need to use your crypto for a secure update in order to validate that you’re not receiving any malware. There’s lots of use cases that would make use of that root of trust.

What we do at PSA Certified, we certify the OEM to make sure that they are bringing together that complicated system software with that Silicon that has a root of trust and not breaking that security model. They actually meet what we described as the 10 security goals that we outlined in PSA Certified.

And then obviously that goes through and it’s reviewed by the lab and they then have their appropriate PSA certification at the OEM level. And so the OEM can pass through that compliance to their end market which is crucial. And actually some of the work that we’re doing in PSA Certified at the moment is to map the certification with regulations so when the OEM delivers that product, you could say, “okay, I am PSA Certified, tick, but actually by being PSA Certified, I’m also NIST 8259A compliant, I’m ETSI 3030645 compliant.”

We have partnerships with other scheme so we’d been working a little bit with ioXt as well in the industry and they certify end products and there’s recognition as well between the two schemes. So, it’s a hugely complicated world for the OEMs depending on which market they ship. Which region, which end market, which use case which purchaser, and so what we’re doing with PSA Certified is trying to simplify that process. So it’s really crucial for the OEM to be able to bring those components together, not break the security, and actually prove to their end market that they have met best practice security. There’s a lot of things happening there but the OEMs are really critical part of that chain.

Geof Wheelwright: And know, I know that PSA Certified founders recently published this report and discussed how 2022 is supposed to be the year of change and a turning point for the IoT security sector. Maybe you can tell us a bit more about the report and the findings?

David Maidment: It’s been a great journey, getting that report together and going through the findings and as I said, over a thousand decision-makers, it’s a great insight into the electronics industry but also the wider supply chain. What we see is that I would say over a third of those decision makers believe that digital transformation is moving quicker than IoT security.

So if you like, that’s the kind of a problem statement. What we can’t afford to do is connect devices quicker than we’re securing them. If we kind of look at some of the statistics that are out there, by 2025 there will be over 55 billion connected devices. I mean that’s a mind-blowing number, you know, so over 55 billion connected devices.

But from that, it’s anticipated that there would be around $10 trillion of cybercrime damages. As an industry, creating this sort of connecting without securing would create a digital debt effectively that we can’t afford to grow. And I think that it kind of stood out very clearly in the report that companies are recognizing that which is why it comes back to that kind of headline that this is at turning point where we see a broad range of respondents that are recognizing that, it’s very important to put security first.

I think the other thing that’s interesting is that around a third of the companies that we spoke to see that the risk of IoT hacks has risen during the pandemic.

We’ve been through a forcing function if you like, as a global economy of how to work remotely. And we think about working from home and the remote operation that we have here but also obviously factories have had to be operated in a way with less staff, offices have been managed remotely and it’s kind of forced the thinking of how we work in a distributed mode and that’s driven the accelerated adoption of digital transformation in order to allow that to happen.

So around one in five of those companies have been victims of hacks and that feeds into that kind of really huge $10 trillion damages number that I quoted by 2025. And we work as part of PSA Certified with some of the major cybersecurity underwriters as well. And they really look for evidence as well that devices are deployed with best practice.

Geof Wheelwright: So are we starting to see companies taking security even more seriously now?

David Maidment: I guess the big response is 90% of those tech decision makers have increased the prioritization of security. It’s not surprising given the story we’re telling here, the rapid acceleration of connected devices. The growth of cybercrime damages. And so they’re putting it to the top of their business concerns which we see as very positive because traditionally it’s been a market that’s been driven by the companies that have the security expertise.

They’re the ones that lead but actually we’re looking for evidence and going through this kind of democratization phase where actually everybody in the electronics industry needs to take this seriously no matter where you are in the value chain. If you’re developing a secure system on a chip, if you’re developing system software that goes on it, if you’re building a connected device, actually even if you’re for example, working as a procurement manager in an organization purchasing equipment, you know, understanding what to look for and how to assess that risk is important.

So we get very clear feedback in terms of growing awareness and making it a business concern. 96% of companies actually are saying that if they take security seriously, it actually positively impacts their bottom line that they’re making money out of this as well which is a nice kind of side effect.

It builds confidence. These two things go together. We often talk about trust and security in the same breath, you have to trust the device and then you can trust the service that you’re building onto it. So seeing that companies are able to monetize this is really important.

There has been a bit of a cost dilemma where there can be a cost associated with implementing security. And I think if companies build the confidence that they can build security in and it won’t hit their bottom line, then we’ll see broader adoption of it as well in the future.

So a lot of really exciting data I think is coming back and if you couple that with effectively the fact that we’re getting to a hundred certified products and we see that ramping quickly, we’re seeing the majority of decision makers now placing security as a top priority.

I think we really are 2022 is a year where we have a language in a way of discussing this and actually a much broader awareness of what security means to companies.

Geof Wheelwright: Yeah. And I think as you walk through that, I’m struck by the fact that over and over again when it comes to security there is a concept that it kind of shines through and that’s accountability. So as you look at the role of regulators and policymakers and security, how do you view accountability?

David Maidment: Yeah, this is really important. And at the end of the day, what we’re talking about is effectively anchoring a device on a root of trust and that that device supports a service.

You know we’re of in an era of digital transformation and connected devices. I think we kind of understand with our devices around us, if you look at a smartphone, actually that smartphone represents a service platform. You have your video streaming service on there, or your banking app or whatever you, you trust the hardware underneath. We’re conditioned as consumers to trust what’s underneath there.

We’re going through that curve on IoT. We talk a lot about the sort of massive distribution of connected devices but what we have to remember is that those devices support services and those services represent. Huge economic value, huge business value and probably almost certainly a huge reputational value as well.

So having that accountability, is really important and in PSA Certified, we’re, we’re passionate about that. So we work to align with regulators. We work for example, with NIST in the U.S. and we’d been working with, with ETSI in Europe. We work with other schemes as well to kind of de-fragment and align on requirements and standards.

We work with these independent security labs. So Arm is a co-founder, but actually Arm does not certify devices. We’re a co-founder but if you want to certify your device, you’d go along to a lab and you get it certified and it’s totally independent. It gives you an audit trail of compliance in order to build what we call a chain of trust.

And if you kind of link it together, you’ve got a piece of silicon with a root of trust on there, you’ve got the software, then it connects to the cloud. Then it connects to a service. You build a chain of trust all the way from kind of chip to cloud. So we develop a security framework around that to allow partners to develop and measure best practice.

And that covers things like “does my device boot securely?” “Can it support secure updates?” “Does it have the right level of isolation?” “Can it prevent anti rollback?” quite basic things actually but things that bad actors exploit, you can actually prevent a lot of the attacks by taking care of these basic aspects. All of that underpins what we, what we embrace.

And obviously what we hold very deeply within Arm as well is collaboration. So PSA Certified is a partnership in itself. It’s a collaboration model and 96% of the people we surveyed welcomed collaboration into security for the reasons I’ve described. It’s a complicated supply chain where you need to deliver trust.

The people that are providing the services need to trust the devices that those services are running on. So that’s the cloud vendors, that’s the OEMs, there’s a long chain. So it is actually a unique moment really in terms of how the electronics industry comes together and collaborates in order to solve this security challenge whilst obviously differentiating around that. But it’s really critical.

To kind of loop all the way back to this accountability word if you’re certified and you are holding your certification. You have an audit trail of compliance where you have understood and followed best practice, and you’ve been measured against it in an independent way, and you can prove it. So that accountability is then critical to the next person in the supply chain. Who is then using that equipment and so that’s a really critical step and as I said, something that is really crucial to what we’re doing at PSA Certified.

Geof Wheelwright: So you’ve been doing a great job of kind of looking ahead. So what else do you see that’s going to be required for success as we look out throughout this year and beyond?

David Maidment: You probably pick up from my previous answer actually is collaboration, collaboration, collaboration, collaboration. I think that we’re really excited about how this collaboration model is building.

It’s a catalyst for digital transformation and this kind of journey to over 55 billion connected devices. It’s mind blowing and really super exciting. But part of that collaboration is education. It’s a little bit like what we’re doing at the moment where we have to educate as an industry what security means and why it matters in a way that it’s not only the kind of the black belt cyber Ph.D experts that understand it.

It needs to be the broad industry and the supply chain, the purchasers, the consumers of these products need to understand it as well. So I think education and collaboration is really important. And again it’s something that we we’re quite passionate in the way that we drive that with PSA Certified. We see through our report that the partners that are working in the electronics industry, they need to resource their teams correctly and cultivate that expertise and get the right level of knowledge.

You know you don’t need hundreds of cybersecurity experts in every company in order to build compliant products. I think that’s not a scalable model and so the ability to purchase Arm-based secure system-on-a-chip that is certified and to drive that through your supply chain is really crucial.

And coupled to that is best practice guidelines so you know how we build that common language and even the language, for example, I’ve mentioned a root of trust, I talk about different assurance levels, having a common language we found already to be really powerful and work with other organizations in order to try and sort of balance that message. So levelling the playing field is a term we use a lot but I really passionately believe in it that we democratize security and we make it accessible for everybody in the electronics industry so that we can scale the digital transformation without building this technical debt where devices are not secured.

And then I think the final part, which kind of gets a little bit hidden sometimes is around sort of very broad interoperability and the ability to procure secure devices and understand what they will support and how that works. If we were not working in a collaborative way, if you took 10 companies, they would all describe it in 10 different ways and that’s really complicated.

To give you an example, we’re very proud to have done a great piece of work with Amazon AVS, which is the Alexa voice services and they now recognize PSA Certified within their products which is great. So they ask their partners to be PSA Certified Level One or equivalent.

One of the reasons they did that is this common language and the ability to have that baseline understanding of what security means and taking that model and scaling it is really important. So interoperability at many levels, the language we’re using, the way we measure it, the way that the supply chain picks it up is really crucial.

So a lot of work ahead, I think is probably the executive summary on that one, but super-exciting and as part of the education piece that we were talking about, I’m really excited to share with you that PSA Certified is actually running its own podcast which I host.

We call it “Beyond the Now,” and it’s a series of podcasts that are designed to educate the market and talk about both the kind of the intersection of security and use cases. We talked to a number of really great guests across the industry, we’ve spoken to Amazon to Microsoft. We’ve spoken to OSRAM the light designers, we’ve spoken to FLEX and Arrow, who are really huge in the services and manufacturing industries and these insights are fascinating.

I just wanted to share with the listeners that you can listen to “Beyond the Now” on Apple Podcasts and Spotify. And you can also follow us on Twitter, which is at PSA Certified and also the web page, which is PSAcertified.org in order to get more information.

Geof Wheelwright: Thanks, David. I am feeling a little more secure about the safety of the world’s IoT infrastructure now, and I know you’ve given our listeners a much better idea of the challenges ahead and some of the strategic ways to tackle them. To get the report that David mentioned, PSA Certified 2022 Security Report: The Turning Point for IoT Security Online, go to report.psacertified.com.

Thanks to everyone for listening today. We hope you enjoyed it. And look forward to seeing you again soon on the next episode of Arm Viewpoints.