Effectively Navigating Security Guidelines and Regulations to Protect Your Business in 2020

Posted on by David Maidment

 As the Internet of Things (IoT) market grows, use of connected devices is growing exponentially as consumers drive the demand for more mobile applications and devices in their everyday lives. As we head towards a trillion connected IoT devices anticipated by 2035, businesses are beginning to deploy IoT solutions, but there is growing concern for the security of each of these solutions.


Our expanding connected global ecosystem is becoming a rich environment for hackers who have increasing opportunities to target and exploit connected devices. In recent years, we have seen many famous hacks, including the Mirai botnet attack that used connected TV cameras with default passwords to disrupt websites and internet infrastructure. When devices are shipped without basic security principles applied, hacking can be simple. With the hacking being far simpler than people realize, all devices must be protected, whether they are placed in homes or businesses, allowing services to trust the device’s data.

With each attack that takes place, more white hat security research takes place and the security concerns surrounding IoT intensify. This has caused governmental institutions to act and provide IoT security guidelines and regulations to protect consumers and businesses with increasing concerns. To help prevent security hacks in the future, we need to treat the source of the problem, which doesn’t lie just with the network or ringfencing devices in a separate network. In fact, the devices themselves need to be resilient against attacks. They need to be designed and built using security best practices and implemented using trusted hardware and software.

Embedded security is a complex topic but can be simplified through the use of a security framework, open source software and an evidence-based security assessment. After all, just one weak device provides an access point to hack a group of vulnerable devices.

It sounds simple and obvious, but in reality it can feel like an impossible feat, which is why PSA Certified was created. PSA Certified offers a framework for securing devices, plus an independent security assessment of IoT devices, software and chips created by Arm and a group of leading test laboratories. The program is based on a set of 10 security goals that should be implemented into all devices to ensure they meet security best practices. These are broad and cover many elements, but a key outcome is implementing a hardware protected Root of Trust (RoT), which can be realized in many ways, including the PSA Root of Trust (PSA-RoT) in a chip or device, or the Trusted Computing Group Trusted Platform Module (TPM) that might be found in a gateway. When a RoT is deployed along with the remaining security goals, it helps to provide security resilience with minimal design effort for each device. 

PSA Certified defines 10 security goals to meet security best practices

Every device has unique security needs—for example, a connected toy will need a cheaper security solution than an autonomous car. The designer also has to consider practical considerations, including the amount of resources to allocate to security. Therefore, it’s really important that security is flexible and scalable. The security goals create a security basis for all connected devices, offering multiple implementation design patterns, each with a different impact on security robustness, assurance and cost. PSA Certified Level 1 requires a short questionnaire of less than 50 security questions based on the 10 security goals. These questions have been carefully developed after considerable research into IoT threat models and security goals to provide a holistic review of security needs.

With many regulations and security standards to use, it can be a challenge to detect which security standards are needed for each device that are also suitable for its capabilities. In different regions, there are a growing number of regional guidelines, which is making it difficult to decipher what is needed for each device. Whilst these standards are “advised,” it’s important to remember that as hacks continue, they could become regulations. It’s important to consider whether you have met the mandatory requirements of ETSI 303 645 for Europe and the security features of NIST 8259 and SB-327 for USA. PSA Certified is actively aligning certification to these schemes to reduce fragmentation and help IoT device makers show they have followed industry best practices. This heals the fragmentation of security requirements.

With the growing digital economy evolving and the pace of IoT deployment ever-increasing, it is vital to ensure every IoT device is protected. With these devices containing a Root of Trust, providing a trust anchor for the device, the data flows from it and the services that need to trust the data. PSA Certified has the momentum to heal the fragmented world of IoT security and offer a comprehensive solution that is leading to broad industry adoption. You can see the long list of PSA Certified products here.

David Maidment

Director of Secure Devices Ecosystem within the Architecture and Technology Group, Arm

Mobile & IoT Security

Internet of Things

Blogs posted to the RSAConference.com website are intended for educational purposes only and do not replace independent professional judgment. Statements of fact and opinions expressed are those of the blog author individually and, unless expressly stated to the contrary, are not the opinion or position of RSA Conference™, or any other co-sponsors. RSA Conference does not endorse or approve, and assumes no responsibility for, the content, accuracy or completeness of the information presented in this blog.

Share With Your Community

Related Blogs