Anyone who has ever bought a toaster, a coffeepot, or most any electrical appliance has surely noticed that little UL symbol on the underside. It signifies Underwriters Labs, and it’s intended for you the consumer as assurance that when you plug this thing in, it’s not going to burn up and endanger people and property.
It’s your certification that this appliance’s design has been tested and proven safe, and that you can be sure of what you’re buying.
That little symbol goes back 125 years, to a time when electrical appliances were something newfangled, and consumer confidence in plugging things into wall sockets wasn’t all that high. By having an objective third party evaluate appliances and certify them, it helped assure customers that they were safe and helped speed the adoption of appliances in a relatively new market. Now the UL designation appears on almost anything electrical, both commercial and consumer products.
It was UL that paved the way for our current move to introduce that same certification for processors and silicon to serve as a stamp of approval for IoT devices.
Platform Security Architecture, or PSA, is an industry move to certify that the core equipment in IoT sensors and devices is secure and trustworthy and address any security shortcomings. Several major industry players, including ARM, Brightsight, CAICT, Riscure, Prove&Run – and even Underwriters Laboratories, which knows quite a bit about certifications – are jointly creating the PSA Certified designation.
It’s a natural step in the evolution of PSA, because trusted, independent security testing is critical to enabling the development and deployment of IoT devices on a massive scale.
PSA Certified aims to accomplish these three objectives:
- Improve the security of IoT devices through independent testing. This builds trust into the devices and services that rely on them. And by extension, it offers the assurance that the services based on these devices are also trustworthy.
- Create a multi-level security certification regime that is cost-effective, quick to market, ready in multiple markets, and which helps ensure companies get the level of security they need. PSA Certified designates that the processor or device has passed a rigorous testing process.
- Build a developer ecosystem through consistent, easy to use software interfaces to the PSA Root of Trust, or PSA-RoT.
The PSA Root of Trust is intended as a fundamental security building block for IoT devices that can provide essential security services. Trustworthiness and security are a hand in hand concept. If you don’t know the firmware/hardware is trustworthy, the code will be untrusted. If you can’t trust the code that creates data, you can’t trust the data.
Through an open source reference implementation, APIs and freely published architectural documents, the idea is that this will become a standard feature of tested and assembled IoT components and devices such as wireless connected sensors.
This will enable chip vendors to demonstrate the security features of the chip to OEMs and have them valued by the ecosystem. For real-time operating system vendors, they will be able to integrate the PSA Developer APIs and then easily port security features across chips.
Original equipment manufacturers will be able to choose the requisite level of security and have common security features and APIs across chipsets. And finally, service providers will be able to easily identify the security level of the connected device and make risk-based assessments.
Any chip can apply
This certification is accomplished through the kind of independent testing that UL has done since Grover Cleveland was president. Today, companies have to take it on good faith with their silicon and processor partners and suppliers that everything will work as advertised. With PSA Certified, it offers immediate assurance that this is the case.
Obviously, security testing by independent experts builds trust for the value chain. The PSA Certified model has a multi-level scheme with a good-better-substantial rating system that is easy to understand and which allows device makers to select an appropriate level of security for their application.
With ARM’s involvement in this group, it raises the question of whether this applies only to ARM processors. The answer is a simple no. Any suitably designed chip can be PSA certified; “suitably designed” means that it is a chip that is designed to perform a task of value and which has some substrate, an operating system, and some backend functionality.
One of the first companies to accomplish Level One PSA certification is NXM Labs, a Sprint partner. Soon you can start watching for IoT systems and services that have a PSA Certified designation, whether in the form of a sticker or other means. There aren’t a lot of companies certified yet, since this whole movement is so new. But it’s something you will want to pay attention to.
In the big picture, this is part of the ongoing effort to mold the future of IoT and the security of the equipment that makes it possible. This equipment ranges from sensors and actuators all the way to autonomous vehicles, which become IoT devices in their own right by virtue of being connected to the internet.
And if something is on the network, there’s the risk that anyone out there could connect to it if adequate security isn’t in place. Without security, there isn’t trust, and without trusted data, all of this complicated system we are building falls apart. PSA Certified is an answer to that.