‘Better together’ – Collaboration for a secure IoT ecosystem
By Gil Bernabeu, GlobalPlatform Technical Director
Security, efficiency and innovation are only possible through collaboration. This is at the heart of everything GlobalPlatform does.
IoT is expected to provide numerous benefits to the daily lives of every citizen via smart homes, self-driven cars, wearables and more. Industries like farming, energy, telehealth, water and waste management will also be more efficient using the data that will be provided by IoT sensors and applications. But, today, security is one of the big challenges delaying the full potential of IoT. A new ecosystem of security certification is needed to make the efforts being made by each actor (vendors, laboratories, certification bodies and regulators) effective.
Here, Gil explains why collaboration is better than competition to tackle important issues such as security and certification in IoT, discusses two initiatives gaining momentum – the Security Evaluation Standard for IoT Platforms (SESIP) methodology and PSA Certified – and outlines SESIP’s value to other IoT schemes, vendors and laboratories.
What is SESIP and who is it for?
The SESIP evaluation methodology was donated to GlobalPlatform by NXP in 2019 so it could develop within an industry standards development organization (SDO). The methodology is mappable to multiple IoT requirements, including NIST, ISA/IEC 62443, ETSI/EN 303 645, ioXt and more. Users can demonstrate security functionality for the purpose of compliance with standards and regulations. This reduces fragmentation, cost and time-to-market for IoT stakeholders. To reduce the time, effort and cost related to security certification, the SESIP methodology optimizes the ‘composition and reuse’ of certified components, so that they can be used to meet the requirements of multiple markets.
This means that it offers value to IoT schemes, component and device makers, certification laboratories and other IoT stakeholders. Fundamentally, if you recognize the importance of the Root of Trust (RoT) and protecting the device against attacks to the future of IoT security, then SESIP will be valuable to you. If you answer yes to any of the questions below, then SESIP can help you:
- Do you need to align with the requirements of different geographic, horizontal and vertical markets?
- Do you want to use common components in your devices?
- Do you want to specify specific requirements for the market?
- Do you want to benefit from reuse and composition to streamline device certification?
Thanks to the work GlobalPlatform is doing on SESIP, adopters will be able to demonstrate that they support many of the existing global, regional, and vertical requirements. This directly addresses the challenge of fragmentation in IoT.
Taking an example, how is PSA Certified using the SESIP methodology?
PSA Certified was launched in 2019 to help secure connected devices by creating a standardised Root of Trust (RoT) and a unified set of security by design requirements.
Because the two initiatives recognize the importance of the RoT to enable secure services in IoT devices, the PSA Certified and GlobalPlatform SESIP communities are working together to help the industry improve the security of connected products.
PSA Certified already supports the use of the SESIP evaluation methodology by publishing SESIP profiles for the chip’s PSA-RoT at:
- PSA Certified Level 2 (which maps to SESIP Level 2 with the scope including optional whitebox and no physical attacker)
- PSA Certified Level 3 (which maps to SESIP Level 3 with whitebox and a physical attacker in the scope).
PSA Certified also enables chip vendors to use composition by allowing their trusted subsystems to be certified using SESIP and the PSA Certified RoT Component flow, and in 2021 the protection profiles evaluating the chip PSA-RoT (Level 2 and Level 3) were made available as SESIP Profiles. New for 2022, PSA Certified is updating its device level threat models and rewriting them as SESIP Profiles. They will be published under a permissive licence so that OEMs can edit them according to their specific security assets and threats.
On GlobalPlatform’s side, we will continue to collaborate and validate that the SESIP methodology fully supports PSA Certified’s requirements and evolve the methodology over time.
This model is proof that we are ‘better together’, that collaboration is the way forward for the IoT ecosystem.
PSA Certified is a notable IoT scheme for RoTs that has been able to define and describe its requirements using SESIP, and vendors will now be able to benefit from composition and reuse of evaluation results and certificates. This collaboration is an example to other schemes and stakeholders of what can be achieved with SESIP.
Our priorities are to continue to evolve and refine the methodology to ensure that the SESIP evaluation methodology fits the different needs of certification in the IoT world. This work will include recognizing more requirements, mapping with other standards and schemes, and improving and clarifying guidelines to bring greater alignment across schemes in relation to governance and technology implementation.
The methodology is also under discussion at CEN-CENELEC to be recognized as a European standard. We hope to update the SESIP community further on this soon.