Arm reveals security certification for IoT devices

Security remains a top concern for IoT adoption, but Arm is looking to regain customer trust.
27 February 2019

Hailed by some as the most promising emerging technology of our time, Internet of Things (IoT) technology, the name given to the interconnection of devices and gadgets to collect, transmit and store data, has vastly changed how many businesses now operate and gain insight into processes.

Today, an ever-growing number of enterprises (working in logistics, retail, automotive, manufacturing, construction or otherwise) are investing in the technology. But despite rapid cross-sector adoption, challenges remain, and none more so than security.

Some 42 percent of medium to large businesses cited security as a key barrier to IoT adoption last year, and that’s an issue that Arm is looking to chip away at in launching certification testing for the ecosystem of Arm-based devices using its Platform Security Architecture (PSA).

Customers have only a thin level of trust in the security offered by IoT vendors, partly a hangover from the Mirai botnet attack in 2016, which was able to turn networked Linux devices into remotely controlled ‘bots’ to facilitate large-scale network attacks.

In partnering with several independent test labs, including Brightsight, CAICT, Riscure, and UL, Arm’s PSA Certified program will offer independent security testing so that IoT developers and device makers can establish the security and integrity of data collected across devices.

“PSA gave the industry a framework for standardizing the design of secure IoT devices, and PSA Certified brings together the leading global independent security testing labs to evaluate the implementation of these principles,” said Paul Williamson, vice president and general manager, Emerging Businesses Group, Arm.

According to the group, its customers have shipped 130 billion chips to date, while 70 percent of the world’s population use its devices, whether in sensors, smartphones or supercomputers. The new framework is seeking to build trust in those devices and their data, as well as in the deployment of these devices at scale as Arm looks to realize a world of “a trillion connected devices”.

The standard is available for silicon vendors, operating system vendors, and original equipment manufacturers (OEMs) and, according to the group, several are already certified at level one. “Trust is going to be essential for digital information,” said Chet Babla, Arm VP of engineering.

Security testing is based on a third-party lab-based evaluation of the generic parts of an IoT platform, including PSA Root of Trust (the source of integrity and confidentiality), the real-time operating system (RTOS), and the device itself.

Following a four-stage framework that guides IoT designers through the journey of creating a secure connected device, PSA Certified enables device makers to achieve the security required for their use case through three progressive levels of security assurance, which are assigned by analyzing use-case threat vectors.

For example, a temperature sensor in a remote field may require different security robustness (level 1) than a sensor in a home environment (level 2) or in an industrial plant (level 3).

Following testing, all PSA Certified devices will have electronically signed report cards (attestation tokens) for determining which level of security has been achieved, allowing businesses and cloud service providers to make risk-based decisions.

“This trust is critical for the IoT to succeed,” said Brightsight CEO, Dirk-Jan Out. “The multi-level approach of the scheme is designed to help the customers get the exact level of security they need, appropriate to the specific use case and threat model.”