There is no denying that security is the most critical issue facing the IoT industry. However, today there is a confusing array of security claims from a myriad of suppliers, making it hard to know how to implement security successfully. In October 2017, Arm announced the vision of Platform Security Architecture (PSA)
– a common framework to allow everyone in the IoT ecosystem to move forward with stronger, scalable security and greater confidence.
PSA aims to provide a holistic set of security guidelines for IoT security to enable everyone in the value chain, from chip manufacturers to device developers, to implement security successfully. When we launched PSA, we provided an overview of what it would aim to deliver to the industry, and we’ve been working hard to progress with that vision.
Threat Models: Establishing the “right” level of security
There are three key stages to the Platform Security Architecture: Analysis, Architecture and Implementation. Today’s announcement supports the first stage of the PSA journey, with the release of the first set of Threat Models and Security Analyses (TMSA) documentation. PSA advises that security implementation should always start with analysis, which considers the assets that need protecting and the threats that are considered in scope. Developers and manufacturers should start their security journey by creating their own TMSA or using existing relevant examples.
By publishing new TMSA examples
for some of the most popular IoT devices (a smart water meter, a web camera and an asset tracking device), Arm is delivering a starting point and robust guidelines for those looking to define the security requirements of their IoT product. We would like the industry to build on these examples and carry out similar security analyses for their next commercial IoT products.
Trusted Firmware-M: Making security more accessible
Arm wants to make security simpler and more cost effective, by making high quality reference code and documents accessible – as security becomes more complex, all developers need access to these resources. To this end, we are releasing the first open source reference implementation firmware that conforms to the PSA specification, Trusted Firmware-M, which is on target for delivery at the end of March 2018.
Arm will continue to have a team of software developers contributing to this project, delivering a Secure Processing Environment (SPE) suitable for connected microcontrollers. Over time we will add new security functions that are easy for non-expert security developers to use, enabling high quality, secure devices. Arm has a successful track record with open source security software, including solutions such as Arm Trusted Firmware for Cortex-A application processors and Mbed TLS (a popular industry solution connecting IoT devices to cloud based services).
What’s next for PSA?
A battle is raging to keep systems secure, as we race to realize the immense value data can bring, as recently outlined in the Arm Security Manifesto
. Our eyes remain firmly on the prize, securing the next trillion connected devices. The journey for PSA doesn’t end with the release of the TMSA documentation and Trusted Firmware-M, in fact, there is much more to come.
#1 – Trusted Base System Architecture-M (TBSA-M)
To help deliver this scalability, Arm is working hard to deliver the first PSA architectural document, the Trusted Base System Architecture-M (TBSA-M). This document, currently in active review with key partners, provides guidance on hardware security features for silicon designers. It will incorporate multiple templates for commonly used implementations and will propose a checklist of security features.
#2 – PSA Compliance & Certification Program
We’re working to define how we build a developer ecosystem around PSA. We want PSA compliant systems to come with a small set of easy-to-use, high-level security APIs that software developers and OEMs can depend on. We’re helping partners to establish the quality and robustness of their implementations, and prove these features to their respective value chains. We’re working to define a Compliance & Certification Program – which will a big step towards making security easier for developers and OEMs. We will be releasing new details on this in the future.
For more information on PSA, please go our resources.