PSA Certified
   HOME

TheInfoList



OR:

Platform Security Architecture (PSA) Certified is a security
certification Certification is part of testing, inspection and certification and the provision by an independent body of written assurance (a certificate) that the product, service or system in question meets specific requirements. It is the formal attestatio ...
scheme for
Internet of Things Internet of things (IoT) describes devices with sensors, processing ability, software and other technologies that connect and exchange data with other devices and systems over the Internet or other communication networks. The IoT encompasse ...
(IoT) hardware, software and devices. It was created by
Arm Holdings Arm Holdings plc (formerly an acronym for Advanced RISC Machines and originally Acorn RISC Machine) is a British semiconductor and software design company based in Cambridge, England, whose primary business is the design of central processing ...
, Brightsight, CAICT, Prove & Run, Riscure, TrustCB and UL as part of a global partnership.
Arm Holdings Arm Holdings plc (formerly an acronym for Advanced RISC Machines and originally Acorn RISC Machine) is a British semiconductor and software design company based in Cambridge, England, whose primary business is the design of central processing ...
first brought forward the PSA specifications in 2017 to outline common standards for IoT security with PSA Certified assurance scheme launching two years later in 2019.


History

In 2017,
Arm Holdings Arm Holdings plc (formerly an acronym for Advanced RISC Machines and originally Acorn RISC Machine) is a British semiconductor and software design company based in Cambridge, England, whose primary business is the design of central processing ...
created Platform Security Architecture (PSA), a standard for IoT security. The standard builds trust between
Internet of Things Internet of things (IoT) describes devices with sensors, processing ability, software and other technologies that connect and exchange data with other devices and systems over the Internet or other communication networks. The IoT encompasse ...
services and devices. It was built to include an array of specifications such as
threat model Threat modeling is a process by which potential threats, such as structural vulnerabilities or the absence of appropriate safeguards, can be identified and enumerated, and countermeasures prioritized. The purpose of threat modeling is to provide d ...
s, security analyses, hardware and firmware architecture specifications, and an open-source firmware reference implementation. It aimed to become an industry-wide security component, with built-in security functions for both
software Software consists of computer programs that instruct the Execution (computing), execution of a computer. Software also includes design documents and specifications. The history of software is closely tied to the development of digital comput ...
and device manufacturers. PSA has since evolved to become PSA Certified, a four-stage framework which can be used by IoT designers for security practices. The framework included different levels of trust, with each level contains a different level of assessment, with progressively increasing security assurances. In 2018, the first IoT threat models and PSA documents were published. The certification of PSA Certified launched at Embedded World in 2019, where Level 1 Certification was presented to chip vendors. A draft of Level 2 protection was presented at the same time. Six of the seven founding stakeholders created the PSA Certified specifications, which are now make up the PSA Joint Stakeholders Agreement. The stakeholders are
Arm Holdings Arm Holdings plc (formerly an acronym for Advanced RISC Machines and originally Acorn RISC Machine) is a British semiconductor and software design company based in Cambridge, England, whose primary business is the design of central processing ...
, Brightsight, CAICT, Prove & Run, Riscure and UL. TrustCB became the seventh PSA Certified JSA member, acting as an independent Certification Body for the scheme. Out of the six other founding members, four are security test laboratories, which includes Brightsight, CAICT, Riscure and UL. The first PSA Certified Level 2 certificates were issued to chip vendors in February 2020. The first PSA Certified Level 3 certificate was issue in March 2021.


Certification

The PSA Joint Stakeholders Agreement outlines how members can create a worldwide standard for IoT security that enables the electronic industry to have an easy to understand security scheme. The security certification scheme documents enable a security-by-design approach to a diverse set of IoT products. The scheme starts with a security assessment of the chip and its
Root of Trust In cryptographic systems with hierarchical structure, a trust anchor is an authoritative entity for which trust is assumed and not derived. In the X.509 architecture, a root certificate would be the trust anchor from which the whole chain of ...
(RoT) and then builds outwards to the system software and device application code. PSA Certified specifications are implementation and architecture agnostic so can be applied to any chip, software or device. PSA Certified aims to removes industry fragmentation for IoT product manufacturers and developers in a number of ways. The world's leading IoT chip vendors are delivering system-on-chips built with a PSA Root of Trust (PSA-RoT) providing a new widely available security component with built-in security functions that software platforms and original device manufacturers (OEMs) can make use of.


Functional API certification

A high-level set of APIs are provided by the PSA-RoT to abstract the trusted hardware and
firmware In computing Computing is any goal-oriented activity requiring, benefiting from, or creating computer, computing machinery. It includes the study and experimentation of algorithmic processes, and the development of both computer hardware, h ...
used by different chip vendors. These APIs include: * PSA Cryptography API * PSA Attestation API * PSA Storage API Open source
API An application programming interface (API) is a connection between computers or between computer programs. It is a type of software interface, offering a service to other pieces of software. A document or standard that describes how to build ...
test suites are available to check compliance for PSA Functional API Certification. An open-source implementation of the PSA Root of Trust APIs is provided by the TrustedFirmware.org project.


Level 1

The first level of security certification for PSA Certified is Level 1, aimed at chip vendors,
software platform A computing platform, digital platform, or software platform is the infrastructure on which software is executed. While the individual components of a computing platform may be obfuscated under layers of abstraction, the ''summation of the requi ...
s and device manufacturers. The certification consists of questions, document review and an interview by one of the certification labs. The completed answers are accompanied with explanatory notes, checked by the certification lab. According to the PSA Certified website, language and mappings align with other important IoT requirements, such as standards and laws. These include NISTIR 8259, ETSI 303 645 and SB-327.


Level 2

The mid-level security certification involves testing by a security lab, focusing on source code review and the PSA Root of Trust (PSA-RoT), over the course of a month to attain the level 2 certification. This process focuses on carefully defined attack methods and utilizes a set evaluation methodology. It also ensures hardware must support PSA-RoT functions and is therefore aimed at chip vendors. According to
Forbes ''Forbes'' () is an American business magazine founded by B. C. Forbes in 1917. It has been owned by the Hong Kong–based investment group Integrated Whale Media Investments since 2014. Its chairman and editor-in-chief is Steve Forbes. The co ...
, they believed Level 2 was likely to become the most common level for consumer IoT applications.


Level 3

The final level extends the criteria of Level 2 to include protection against various physical attacks and
side-channel attacks In computer security, a side-channel attack is a type of security exploit that leverages information inadvertently leaked by a system—such as timing, power consumption, or electromagnetic or acoustic emissions—to gain unauthorized access to ...
.


Industry adoption

Since the launch of the standard, it has been adopted by a number of chip manufacturers and system software providers.


References

{{reflist, 2 Internet of things companies Internet security