In recent years the Internet of Things (IoT) has grown rapidly, with consumers and businesses adopting an increasing number of connected devices. That growth has also made IoT devices an attractive target for attackers, so the security of these devices is now a significant concern for both consumers and businesses. This article introduces the challenges faced by current IoT applications and the relevant regulations and standards, and presents solutions from Arrow Electronics, STMicroelectronics and Silicon Labs.
The challenges in the IoT caused by the lack of cyber security
According to the available statistics, the primary challenge facing current IoT technology is that device developers rush products to market without securing them properly. A second challenge is the shortage of data-analysis specialists, which prevents businesses from benefiting fully from the IoT. On top of this, the market is full of easily attacked IoT products, and consumers are reluctant to update firmware, so IoT security faces significant challenges.
Reports of attackers exploiting vulnerabilities in IoT devices and exposing user accounts are frequent. Leaked user data often ends up with fraud groups, who use it to lure consumers into financial scams. Other IoT devices are compromised outright, leading to privacy breaches: through a hijacked camera an intruder can watch a user's daily life, as in 'The Truman Show.'
Because IoT devices transmit and process large amounts of data, some of it sensitive, protecting the IoT system and the user's privacy is a critical challenge. Risks such as malicious attacks, data breaches and unauthorized access all need to be addressed.
A lack of cyber security can cause a series of severe problems for individuals, organizations and entire societies: data breaches, financial losses, damage to business reputation, threats to infrastructure, ransomware and national security risks. Organizations and individuals should therefore strengthen their security measures, including regular software updates, strong passwords, multi-factor authentication, periodic security reviews and employee training to raise security awareness. For a business, the cost of not doing so includes leaks of data and intellectual property (IP), a damaged reputation, slower time to market, and even litigation and fines. Governments, for their part, should introduce regulations and policies that encourage and oversee businesses and organizations in strengthening their cyber security.
Different countries are implementing regulatory measures to enhance cyber security
At present there are numerous cybersecurity standards and regulations that give organizations and industries guiding principles for information security. Different countries and regions have developed their own, including ETSI EN 303 645 from the European Telecommunications Standards Institute, UL 2900-1 from UL in the United States, and certification programs for IoT devices such as those run by CTIA and ioXt.
One notable standard is ETSI EN 303 645, the first globally applicable cybersecurity standard for consumer IoT devices. It establishes a security baseline for consumer IoT, combining technical and organizational measures into good practice for cybersecurity and data protection. It contains 33 mandatory provisions and 35 recommended provisions across 13 areas of cybersecurity and data protection.
Those 13 areas are: no universal default passwords; a means to manage reports of vulnerabilities; keeping software updated; securely storing sensitive security parameters (for example in hardware); secure communication; minimizing exposed attack surfaces; ensuring software integrity; ensuring personal data is secure; making systems resilient to outages; examining system telemetry data; making it easy for users to delete their data; making installation and maintenance easy; and validating input data. Some of these are device-level requirements (secure storage, secure communication, attack surface, integrity, input validation), while others are company policies (a vulnerability disclosure process, an update policy, review of telemetry, and a clear statement of what personal data is collected and for what purpose). Meeting all of them is what shows that an IoT device complies with the required security standard.
PSA Certified for compliance with cybersecurity regulations and standards
To demonstrate that an IoT product meets such requirements, it can be taken through PSA Certified. PSA Certified is a security certification program designed specifically for IoT devices, founded by Arm, a leading semiconductor and software design company, together with other industry partners. Its primary goal is a globally recognized framework for assessing and certifying the security of IoT devices; it provides security guidelines, evaluation criteria and test methodologies to ensure that devices meet minimum security requirements.
PSA Certified defines a comprehensive security framework for IoT devices, covering various security aspects, including device identity, secure boot, secure communication, firmware updates, and cryptography. It offers a standardized approach to addressing security challenges throughout the lifecycle of IoT devices. The program includes independent security evaluations conducted by accredited laboratories, evaluating the security features and implementation of IoT devices based on PSA Certified security requirements. The independence of these evaluations enhances the credibility and confidence in the security claims of certified devices.
PSA Certified offers three certification levels, from Level 1 (baseline) to Level 3 (advanced), each giving a higher degree of security assurance: Level 1 is a questionnaire-based assessment of the security goals reviewed by a test laboratory, Level 2 adds laboratory testing against scalable software attacks, and Level 3 extends that to substantial physical and side-channel attacks. Organizations choose the level that matches their security requirements and the intended use of the device.
For IoT product manufacturers, a PSA Certified device can serve as a trust anchor in the system's chain of trust. As regulations evolve and tighten, new designs must be future-proofed to meet requirements in Europe, North America and the Asia-Pacific region and to align with industry best practice for product development.
According to a recent survey of chip suppliers, the primary obstacle their customers face in developing secure products is a lack of in-house security expertise. Because end customers demand security, product manufacturers need a way to build trusted products while reducing risk and liability during development.
The independent laboratory assessments in PSA Certified give an organization an objective assessment of its device's security features, which it can use to demonstrate compliance with regulations and standards.
PSA Certified maps to existing cybersecurity regulations and standards, such as the EU's Network and Information Systems (NIS) Directive and the UK's consumer IoT security guidance. By adhering to its security principles and requirements, organizations can support their compliance with those regulations, demonstrate a commitment to security, and build trust with customers, partners and regulators. Note that certification of a chip or platform does not by itself make a finished product compliant: the OEM still has to meet the regulation's requirements at product level, but PSA Certified gives a structured approach to doing so across the complex landscape of IoT security requirements.
Obtaining PSA Certified shows alignment with industry regulations. The program actively tracks current and upcoming regulations and standards, including EN 303 645, NIST IR 8259A, California SB-327, UK DCMS guidance, ENISA guidance (work in progress), IEC 62443-4-2 and CSA-311, and collaborates with organizations such as UL, ioXt, SESIP, DLC, Amazon Alexa, Munich Re and Matter, fostering collaboration and enabling reuse of evaluation results.
Arrow and PSA Certified assist in advancing your design
The PSA Certified framework proceeds in stages: analyze the threats and security requirements, architect a secure design, implement it, and verify the implementation. The PSA Certified Level 1 IoT security framework for OEMs has ten security goals: unique identification, security lifecycle, attestation, secure boot, secure update, anti-rollback, isolation, interaction, secure storage, and cryptographic/trusted services. Together they provide a pathway to an independently validated IoT security assessment.
Arrow Electronics offers PSA Certified Level 1 reference applications that OEMs can use as the basis for their connected, secure designs. OEMs adopt the reference design, layer their own IP on top, and complete the application through an accelerated certification process, letting them bring products to market confidently, quickly and securely.
Together, PSA Certified and Arrow Electronics help end customers create security solutions tailored to the IoT. The collaboration aims to open new business opportunities across the ecosystem: end-to-end solutions with built-in security, compliance with critical standards and regulations, lower investment in developing security features, support for supply chain and logistics management, and assurance through third-party certification.
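To make four of these goals concrete (unique identification, secure boot, secure update with anti-rollback, and attestation), here is an added Python model of a device bootloader and a cloud-side verifier. It is illustration written for this article, not code from Arm, Arrow or PSA Certified. Assumptions: a 256-bit device key stands in for the immutable root-of-trust key a real part holds in hardware, HMAC-SHA256 stands in for the asymmetric signature (for example ECDSA) a real bootloader verifies, the manifest format is invented, and the key, device ID and firmware bytes are constructed.

```python
import hashlib
import hmac
import json
import struct

HASH_LEN = 32
MANIFEST_LEN = 4 + HASH_LEN + HASH_LEN   # version || sha256(image) || MAC (constructed format)


def image_hash(image: bytes) -> str:
    return hashlib.sha256(image).hexdigest()


def sign_manifest(key: bytes, version: int, image: bytes) -> bytes:
    """Vendor side: produce a manifest for an image. HMAC stands in for an asymmetric signature."""
    body = struct.pack(">I", version) + hashlib.sha256(image).digest()
    return body + hmac.new(key, body, hashlib.sha256).digest()


def canonical(claims: dict) -> bytes:
    """Stable serialization so signer and verifier MAC the same bytes."""
    return json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()


class Device:
    """Minimal device model: root-of-trust key, unique ID, monotonic counter, one image slot."""

    def __init__(self, key: bytes, device_id: bytes):
        self.key = key                # stands in for a hardware-held root-of-trust key
        self.device_id = device_id    # unique identification
        self.rollback_counter = 0     # monotonic counter kept in secure storage
        self.slot = None              # (manifest, image) currently installed
        self.booted_version = None

    def verify(self, manifest: bytes, image: bytes):
        """Check signature, then image hash, then anti-rollback. Returns (ok, version_or_reason)."""
        if len(manifest) != MANIFEST_LEN:
            return False, "bad manifest length"
        body, mac = manifest[:4 + HASH_LEN], manifest[4 + HASH_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(mac, expected):        # authenticate before trusting any field
            return False, "bad signature"
        version = struct.unpack(">I", body[:4])[0]
        if not hmac.compare_digest(hashlib.sha256(image).digest(), body[4:]):
            return False, "image hash mismatch"
        if version < self.rollback_counter:               # anti-rollback: no downgrade
            return False, "rollback rejected"
        return True, version

    def update(self, manifest: bytes, image: bytes):
        """Secure update: install only a verified image, then advance the counter."""
        ok, info = self.verify(manifest, image)
        if not ok:
            return False, info
        self.slot = (manifest, image)
        self.rollback_counter = max(self.rollback_counter, info)
        return True, info

    def boot(self):
        """Secure boot: re-verify the installed image on every start, not just at update time."""
        if self.slot is None:
            return False, "no image installed"
        ok, info = self.verify(*self.slot)
        if not ok:
            return False, info
        self.booted_version = info
        return True, info

    def attest(self, nonce: bytes) -> dict:
        """Attestation: signed report of what actually booted, bound to the verifier's nonce."""
        if self.booted_version is None:
            raise RuntimeError("nothing booted")
        claims = {
            "device_id": self.device_id.hex(),
            "fw_version": self.booted_version,
            "fw_hash": image_hash(self.slot[1]),
            "nonce": nonce.hex(),           # freshness: a replayed report carries the wrong nonce
        }
        mac = hmac.new(self.key, canonical(claims), hashlib.sha256).hexdigest()
        return {"claims": claims, "mac": mac}


def verify_attestation(key: bytes, report: dict, nonce: bytes, expected_hash: str) -> bool:
    """Verifier side (e.g. cloud onboarding): check the MAC, the nonce and the expected image."""
    claims = report["claims"]
    expected = hmac.new(key, canonical(claims), hashlib.sha256).hexdigest()
    return (hmac.compare_digest(report["mac"], expected)
            and claims["nonce"] == nonce.hex()
            and claims["fw_hash"] == expected_hash)


if __name__ == "__main__":
    key = bytes(range(32))                    # constructed key; a real device has its own
    dev = Device(key, device_id=b"\x00\x01")
    v1, v2 = b"firmware-v1 (constructed)", b"firmware-v2 (constructed)"
    print(dev.update(sign_manifest(key, 1, v1), v1), dev.boot())
    print(dev.update(sign_manifest(key, 2, v2), v2), dev.boot())
    print(dev.update(sign_manifest(key, 1, v1), v1))          # downgrade to v1 is refused
    print(dev.update(sign_manifest(key, 3, v2), v2 + b"x"))   # tampered image is refused
    report = dev.attest(b"nonce")
    print(verify_attestation(key, report, b"nonce", image_hash(v2)))
```

The order of checks matters: the manifest is authenticated before any of its fields are parsed, the image is matched against the authenticated hash, and only then is the version compared with the counter, so an attacker without the key cannot influence any decision. In a real product the counter lives in OTP or a secure storage service so it cannot be reset, and the same verification runs at every boot, not only when an update arrives.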
Arrow Electronics has introduced the STM32U5 Secure Embedded Development Kit, which supports TrustZone, Wi-Fi and Bluetooth connectivity and includes multiple sensors. It is built around the STMicroelectronics STM32U5 microcontroller, which has a low-power Arm Cortex-M33 core with TrustZone, and is intended to take the complexity out of integrating security for IoT developers. Arrow's reference design targets secure embedded applications, has achieved PSA Certified Level 1, and connects to leading cloud providers such as Amazon Web Services (AWS) and Microsoft Azure.
Silicon Labs, for its part, offers the Secure Vault™ platform, a set of advanced security features that address evolving IoT threats. It helps reduce vulnerabilities in the IoT ecosystem and lowers the risk of intellectual-property theft or lost revenue from counterfeiting. Secure Vault is designed to block scalable local and remote software attacks and to resist local hardware attacks.
Key Secure Vault features include secure key management, anti-rollback protection, anti-tamper, secure debug with lock/unlock, secure link, secure boot with Root of Trust and Secure Loader (RTSL), secure attestation, differential power analysis (DPA) countermeasures and a true random number generator (TRNG). Secure Vault has achieved PSA Certified Level 3 on the EFR32FG23B and EFR32MG21B, which speeds up product development for users who build on those parts.
Conclusion
With the widespread adoption of IoT applications, the security of IoT devices has become a significant concern. A device that has achieved PSA Certified has been shown to meet the requirements of an IoT security standard, which adds value to the product and increases consumer trust and willingness to buy. Arrow Electronics works with the PSA Certified organization to help IoT developers get their products certified, and provides solutions that accelerate development, making Arrow an ideal partner for IoT product developers.