Parks Associates recently interviewed Anurag Gupta, Director Business Development, PSA Certified, with Arm to address the importance of device security for brands and demonstrate the value of standards and industry certifications in creating product differentiation, reducing risks, and building consumer trust. Increasing consumer concerns regarding IoT security and privacy have negatively impacted growth in many industries. Parks Associates data indicates that 35% of consumers who do not own or intend to purchase a smart home product are avoiding these products due to security and privacy concerns and threats.

Ongoing reports of breaches reinforce security concerns, which adversely impact device sales and service adoption. Businesses can avoid these losses, and build consumer confidence, by integrating security throughout the product design process and communicating those efforts with consumers.

Security is a critical aspect of device development, product innovation, and brand reputation. Thank you to PSA Certified for sharing their insight into the importance of device security.

Why do you think successful digital transformation requires a new approach to security? 

Digital transformation relies on new technologies to be embraced, to create new data opportunities that will drive business efficiencies and change our personal and work lives. To succeed, we need to build upon trust. Ultimately, as more devices connect into networks, we are seeing a huge growth of data – this scale in IoT is huge and businesses will need to be able to scale with the industry. You will only ever be as ‘secure’ as the weakest device in your network, so you need to be able to trust the devices, this only is made possible with security.

A further point is our relationship with these devices, in the future we predict that there will be a trillion connected devices, so it is clear that we will not have a relationship with each individual device. In fact, devices will work out of the box with zero touch provisioning and live in our ecosystem for years to come. We cannot scale the security expertise at the same rate as the devices, so standardized frameworks and a mechanism of assurance are key.

What are some of the things that OEMs need to consider when developing products? And, what kind of frameworks can help device manufacturers as they attempt to develop secure products?

When I speak with original equipment manufacturers (OEMs), I find that three key things are ‘trending’ right now:

• The first is how OEMs ensure products meet the baseline of IoT security requirements emerging for key regulatory bodies like ETSI in Europe, NIST in the USA, state California law, DCMS in the UK, CSA in Singapore, and many more.
• Secondly, how OEMs ensure they are designing in sound security principles that have been methodically developed.
• And lastly, how OEMs build on the work of silicon vendors to provide a reliable Root of Trust that has been validated by a security lab you can trust.

OEMs want and need to achieve all three of these, but at the same time, they need to keep their costs low and continually improve their time-to-market. At PSA Certified, we keep all of these problems at the forefront of our mind, which is why we built a scheme that offers a route to achieve a baseline level of security, building on a Root of Trust, and aligning to foundational security principles such as the PSA Certified 10 security goals. It helps OEMs to consider components you will use in your product; specifically, the silicon and operating system – does the silicon provide a Root of Trust with robustness aligned to your product? Does the operating system leverage the security functions within the Root of Trust?

You may have some insights from companies that have implemented security frameworks that have been able to minimize security vulnerabilities and build consumers trust. Can you share some insight on how that is being done?

OEMs are facing a lot of challenges right now: they need to navigate the increasing standards and regulations, manage the risk and liability of the IoT, keep their total cost of ownership at a manageable level and also ensure they have some product differentiation when they get to market.

To have the right balance, I’ve seen OEMs and ODMs create products built on trusted components that have proven security best practice. This means the OEMs have limited security implementations to carry out and are building on a chain of trust. They can provide accurate data to their customers with products that build the trust and provide assurance.

Silicon providers and RTOS vendors are also using the PSA Certified framework to architect in sufficient security principles for specific use cases; building in and supporting the Root of Trust and APIs that enable OEMs to leverage the security, without needing to be security experts.

For a number of the recent smart camera hacks, companies have shifted responsibility to the consumer. Do you think the consumer has a role to play in device security?

For the IoT to be truly secure, it’s something that has to be embraced by the whole of the hyperconnected value chain: from the silicon, through OEM, cloud, to retailers and to consumers. Of course, no matter how much security is implemented into a device, it will always be possible to be hacked, especially as hackers become more and more sophisticated.

However, we believe it’s not sensible to pass all the responsibility to a consumer, OEMs and ODMs need to make the best steps to secure their device and then respond in a smart way when the hack happens: ensuring their reputational and financial integrity.

Security is never done, so communicating updates and transparency are key. These companies hold responsibility for device security however also need to communicate and work with customers to ensure best practice is adhered to.

As has been seen over recent months, COVID-19 has increased consumer use of technology and that may leave consumers even more vulnerable to attacks, can you speak specifically on the key areas of concern?

We all agree that COVID-19 is having an unprecedented impact from various angles, whether it’s at an individual or society level. It is changing the way we work and how we communicate. In fact, some reports and studies show that there will be an accelerated adoption in various technologies as people interact more with it at home. This more widespread acceptance and adoption of technology will drive the mass deployment of IoT. During latter half of 1990’s we saw Internet explosion and now in 2020 we will see the IoT explosion. Just to give you some examples:

• Drones are carrying out medical deliveries, monitoring public spaces and along with broadcasting messages, drones are also used for spraying.
• In consumer electronics, personal wearables are used to track your temperatures, heart beats, blood pressure and other vital information
• In Industrial IoT sensors are tracking where things are with various track and trace solutions, they are also providing regular updates on the commercial road transportation activity
• In health, we have multiple applications like telehealth consultation, digital diagnostics, remote monitoring, robot assistance and many more

As the world embraces these new use cases, we of course need low-cost and low-power solutions, but more importantly, security needs to be at the front of our minds, especially as it’s likely to be a prime target for adversaries. Companies will also need to be very transparent of the security they are implementing and take the best steps to protect their reputation.

Governments are watching COVID-19 very closely, so implementations will need to follow the local standards, guidelines and regulations. OEMs, having built on security best practice, should communicate these efforts and achievements to their customer base – this is where PSA Certified can help.

Typically, security has not been a high priority when implementing new products or services. Could you briefly talk to this point?

Security is costly, complex and ever evolving, when you add the increasing pressures on quality, interoperability, connectivity and profitability, this has historically been a balancing act.  Historically, as OEMs are rushing to market, security was seen as an overhead and often skipped or pushed down the list of priorities. We’re making positive strides in the right direction now, both due to a change in consumer attitude, but also due to upcoming regulations as already discussed. PSA Certified helps to make security a high priority without the financial burden, offering to remove the complexities of security, and continuing to evolve to address a number of these challenges. Companies can focus on their value add and, using PSA Certified components, trust that they are building on a critical baseline of security which has been built methodically over a number of years by security experts.

How much effort is required for a security evaluation? Does it require specialized training or external consulting?

Historically security evaluation was a heavy lift, but from its inception, we wanted to make PSA Certified as simple as possible – ensuring there was not a heavy time delay that would disrupt the creation of new products. The objective of PSA Certified is to make the certification easy to consume and easy to implement with best security practices and guidelines. The framework offers threat modeling documentation and 10 security goals which developers need to follow.

For PSA Certified Level 1, products need to align to foundational security principles based on 10 security goals. The PSA Certified framework outlines how to build in these principles and, we find that often many are already being adhered to. The 50-question evaluation is analyzed by a test lab and provides independent validation of security.

PSA Certified Level 2 and PSA Certified Level 3 specifically focus on the silicon, assessing the Root of Trust for protection against software attacks and hardware attacks respectively. The penetration testing provides laboratory evaluation of the silicon and enables chip vendors to showcase security they have implemented into the chip.

The PSA Certified ecosystem provide resources including example threat models, architectural specifications and open source firmware implementations that can support the implementation of security, further easing the journey to certification. The resources are also all available to download freely from the PSA Certified website, which is very unique for security certification programs.

For more information, click here to watch the replay of the webinar.