Arm announced the joint launch of the PSA certified project with brightsight, Taier terminal Laboratory of China information and Communication Research Institute, rissure, UL and other independent security testing laboratories, as well as the consulting agency prove & run, to support the large-scale deployment of secure IOT solutions based on the platform security architecture (PSA) framework. Five months later, arm held a seminar on armpsa security architecture technology in Beijing, inviting major partners from test laboratories, certified chips, modules, solutions, cloud services, etc. to jointly demonstrate the process and effectiveness of PSA from threat model and security analysis, architecture specification design of hardware and firmware, implementation of security system to PSA security testing and certification.
Obstacles to the development of Internet of things: lack of security standards
According to rob Coombs, director of arm emerging business unit, there are 8 billion IOT devices in the world. With the vigorous development of IOT industry, IOT devices are expected to reach 24 billion in three years. In the next six years, the Internet of things will usher in a very big business opportunity in the fields of chip, software and product equipment. Arm believes that with the rapid development of Internet of things, 5g and AI technology, the world’s fifth wave computing era will usher in great opportunities. Arm’s vision is to realize 1 trillion Internet of things devices by 2035.
Trillions of networking devices bring massive information data, which can bring real value to enterprises and individuals, and help us make some key decisions. In order to realize the large-scale deployment of the Internet of things, it is necessary to ensure that the devices are reliable and the generated data are reliable. By ensuring that each device has a reliable basic security function and the corresponding security level to meet the market demand, the security is guaranteed, so as to achieve trust.
Many surveys and reports point out that the lack of trust in the Internet of things is one of the main reasons that hinder its widespread adoption. With the diversification of security, it is often difficult or even impossible to meet the security requirements of different IOT scenarios when designing IOT products, devices or services. The lack of security standards leads to the fragmentation of the Internet of things industry, making the selection of appropriate security solutions a complex and time-consuming process.
Only equipment security can guarantee data security
In order to lead the whole ecosystem to establish a set of basic principles to reduce the development cost, time and risk when dealing with the security problems of the Internet of things, arm launched the platform security architecture (PSA) in 2017, and cooperated with the ecosystem partners, hoping to lay a credible foundation for the Internet of things. In February 2019, arm and several independent security testing laboratories and consulting agencies jointly launched the PSA certification project to support the large-scale deployment of secure IOT solutions based on the platform security architecture (PSA) framework.
PSA certification provides multiple security levels of certification, equipment manufacturers can choose the corresponding chip and software according to the security requirements of products. In order to prove the security of the security device, the PSA certified device contains the certification statement associated with reaching the PSA certified security level. Service providers can make risk control decisions on the connected devices and the data generated by the devices according to the authentication marks.
PSA and PSA certification
Platform security architecture PSA is a whole composed of threat model, security analysis, hardware and firmware architecture specification. It provides a set of common basic rules and more economical methods for chip manufacturers, device developers, cloud and network infrastructure providers and software suppliers to build more secure devices. The purpose of PSA is to realize the security foundation of Internet of things with controllable cost, easy implementation and low risk. PSA can be divided into four key stages: analysis, architecture, implementation and certification.
Four stages of platform security architecture
The first stage is analysis. Based on the use mode and use scenario of their own products, the system manufacturers sort out the specific equipment security requirements according to the potential attack risk, and use the existing threat module to make modifications to make the use mode in line with their own products;
The second stage is architecture. Arm provides open hardware and firmware design specifications for firmware and chip designers, including the security requirements necessary for designing security devices.
The third stage is implementation. Arm provides the open source reference firmware code running in the security area, and the chip manufacturers transplant the source code to their own platform.
The last stage is PSA certification, which provides a simple and comprehensive security testing method. The certification consists of two parts: a multi-level security and robustness scheme and an API test suite designed for developers. The security test is evaluated by a third-party laboratory, which independently checks the common parts of the Internet of things platform, including PSA trust root, real-time operating system and the device itself.
Because it is difficult to know how robust a product or device is, to what extent it can resist attacks, or how thorough these security tests are, it is difficult to decide which product or device to use. Many Internet products do not have independent evaluation, which may lead to the unreliability of Internet devices and their data. This is the challenge PSA certification is to solve: to effectively test the security of IOT devices and overcome the huge obstacles hindering the growth of IOT. PSA certification provides evaluation solutions for chips, software and devices using PSA architecture and PSA rot. It will help to solve the fragmentation of the industrial chain and simplify the marketization process of chip suppliers, operating systems, middleware developers, OEMs and system integrators.
PSA certification program can help equipment manufacturers analyze the threats faced by application scenarios. It provides three security levels based on security laboratory evaluation. All of these levels examine different aspects of security implementation, and authentication levels help build trust in devices and services that depend on their data. This enables equipment manufacturers and customers to clearly understand the safety features of products and help them choose the right products.
PSA security certification level
The next step of PSA certification
Arm pays great attention to controlling the extra cost of partners. PSA certification level one test basically only takes one day, which is a very lightweight process. Manufacturers can get the first level certification in one day at a very low cost. In addition, open source firmware can be used immediately, which reduces the cost of developing and adding security firmware.
At present, PSA certification is mainly aimed at chip manufacturers. Because of their large shipment volume, they have the ability to pay the necessary costs brought by security functions. For the solution providers and equipment providers in the downstream of the industrial chain, the cost will be relatively small.
At the same time, arm will choose to cooperate with local laboratories in different geographical markets. For example, in China, tal laboratories is chosen to promote the localization of PSA in China, and other cooperative laboratories cover the largest markets in Europe and the United States. For the Chinese market, rob was very pleased to say: “the whole industry chain in China has a strong acceptance of security and willingness to try. Many brand manufacturers and solution providers are willing to participate in PSA certification, so we began to think about how to let more brand manufacturers, OEM and solution providers in the ecosystem join this project to make the security of the Internet of things more secure It’s very popular. At present, we have a localized team responsible for cooperating with upstream and downstream manufacturers in China’s ecological chain to discuss security issues and promote the introduction and development of PSA projects. “
Rob introduced: “the starting point of PSA development is to meet the security requirements of the most basic layer, so we hope to cover 80% of the applications of the Internet of things, and different Internet of things can have common security requirements. After covering 80% of the basic safety requirements, we will communicate and cooperate with some certification organizations related to vertical industries, such as industry or medical applications, to see how to make them refer to PSA certification, which is what we are doing at present. “
At the same time, rob also emphasized that PSA is an independent testing and certification program, which is completely open. It has nothing to do with CPU architecture, and does not limit the products to be certified to adopt ARM processor architecture. In the future, arm will be more standardized, and professional certification managers will handle these certification applications. Arm also plans to work with global standards organizations to make the whole PSA a standardized platform and operate in a more independent and open way.