IoT Podcast Logo

In S2 episode 11, we catch up with David Maidment – Senior Director Secure Device Ecosystem🔒 at Arm to discover what the PSA Certified Initiative is, why IoT companies should consider certifying their products🛡️ and what can be done to create a more cohesive industry in terms of security.

Tune in, sit back, relax and be the first to discover…

  • David’s background in IoT 🔒
  • What is the PSA Certified initiative? 🛡️
  • Why should companies consider certifying their products? 🔒
  • What can be done to create a more cohesive industry for security? 🛡️
  • What lessons still need to be learned in terms of security? 🔒
  • Is the future bright for IoT security? 🛡️
  • And much more!

ABOUT THE GUESTS!

David Maidment is the Senior Director of the Secure Device Ecosystem at Arm – a PSA Certified Co-Founder. PSA Certified is a security certification scheme for Internet of Things (IoT) hardware, software and devices. It was created by seven stakeholder companies as part of a global partnership. The security scheme was created by Arm Holdings, Brightsight, CAICT, Prove & Run, Riscure, TrustCB and UL.
 

Episode Transcript

Tom White
Welcome to The IoT podcast show, I’m your host, Tom White. And you may have noticed I have a new laptop, which I’m thrilled about. But I won’t take all my time talking about that today. I’m very pleased to welcome to the show. Our second guest, actually for the IoT podcast from Arm. David Maidment. David is the Senior Director of Secure Device Ecosystem at Arm and also is involved with PSA Certified, some of you may know what PSA Certified is. And some of you may not. But today, we’re gonna find out more about that. And its role within IoT security. David, welcome to the show.

David Maidment
Hi, thank you, Tom, it’s great to be here with you.

Tom White
Great to have you here. And another person from Arm of viewers may have remember Stephen Pattinson from about 18 months ago that joined us to talk about IoT security from your hair primarily to talk about the PSA Certified initiative that you’re involved in. So without further ado, could you just explain a little bit more about your role as Senior Director of Secure Device Ecosystem that arm David? And, and and what PSA Certified actually is?

David Maidment
Yeah, absolutely. Yeah, very happy to do that. So yeah, so as as per your introduction. So I’m Senior Director of Secure Devices Ecosystem at Arm. And I’m actually working in the architecture and technology group within and so that role is to lead a group that works and interacts with the industry.

David Maidment
So, you know, for your listeners, that familiar, you know, Arm is a leading licensor of IP intellectual property to, you know, primarily chip companies. So a lot of a lot of the chips that are used in all of our digital devices are built on on ARM technology, the group that I work in, actually works with, you know, most of the leading chip companies around the world. And we work with those companies in order to drive, I guess that the easiest way of describing is higher levels collaboration and understanding around security. So I have a group that is kind of, you know, globally based, we have an activity around driving security best practice. That’s both in terms of, you know, obviously products built on ARM, but also the market in general. And we can talk a bit more about that in a minute.

David Maidment
So the focus is very much on, you know, driving that collaboration across the ecosystem, from an arm point of view. And we’re really excited to be to be a part of that, in terms of PSA certified so PSA certified is actually a sort of independent brand that was co funded co founded by on. So we about five years ago, um, published a security manifesto, which was really a sort of a call to the industry saying, you know, actually, the world is becoming more connected, you know, we talk a lot about IoT. The need for security is becoming ubiquitous. And as the electronics industry, we need to come together. And we need to be able to address that we need to be able to build confidence in the products that are being delivered today. So that that security manifesto resulted in a project within arm, which is PSA, which, you know, we do love our three letter acronym.

David Maidment
So PSA is platform security architecture. And PSA started off really as a set of guidelines, specifications best practice in order to guide both the chip manufacturers and also the wider developer community on this practice within security. So we kind of kicked that off about five years ago, but what we noticed as part of that was a real demand to have a measure on that, you know, how do we, as an industry know that we were doing well, with security, it’s kind of a hard thing to measure it some. You know, a lot of people talk in different ways about security. So that was really where PSA certified was born. And we launched it back in February 2019. So it’s kind of the last normal embedded world that we had, I would say we’re kind of, you know, running around all the different stands, having a great show and launching and announcing our certified partners, and it’s a certificate certification programme that was set up between arm and a number of leading cybersecurity labs.

David Maidment
So we’re a co founder But as a scheme, it’s run in an independent way. And it will certify, effectively any architecture against a benchmark set of requirements. And, you know, today we, we’ve gone through effectively certifying so I think we’re over 20 semiconductor companies now that are part of that. And it’s really built on what we describe as a Root of Trust. So it’s kind of recognising that the security challenge is not just a software challenge. It’s something that’s built into the very architecture of the silicon and PSA certified as a way of describing it, and a way of measuring it and a way for independent security labs to then perform that certification. So we certify, you know, kind of the silicone, look at the software. And then at the final stage, we look at the the OEMs, as well. Yeah, so a broad introduction, I’ve covered a lot of topics there, you know, happy to know, deeper into certain areas. But I think that, you know, as you probably pick up you passionate about driving that best practice and actually passionate about delivering as well as, you know, a language to the market, a common way for people to understand and be able to describe security, and what that means for their products and their businesses.

Tom White
Thank you. Yeah, for the introduction to that, David, I’ve been it’s incredibly good to see that you’ve got over 20 Different silicon business, yes, we have.

Unknown Speaker
So it’s incredible, you know, I kind of sort of remind myself every day how incredible that is, because, you know, we these are the biggest chip companies in the world that are getting behind this, you know, very focused on IoT and embedded. So, you know, we’ve kind of started off a lot of the class of products that are certified in the early stage of be more what we would traditionally consider microcontroller or connected microcontroller. So these devices are small, power efficient, they run communication stacks that can talk to networks. And because of that they’re vulnerable, you know, they attached to the network, they’re part of the IoT.

Unknown Speaker
So we have over 20 companies certified, we actually have three levels of certification, we announced level three, back at the virtual embedded world, this year. And we already have two partners now certified at level three as well. So we kind of have a three levels of certification. One level is sort of a basic on ramp, if you like, it covers all of the security best practices. Level two is really a lab based evaluation, looking at devices ability to protect against scalable software attacks. And then level three builds in extra land based evaluation to look at the device’s capabilities to protect against physical attacks, lightweight physical attacks, and we continue, you know, there’s a, there’s a roadmap of innovation that will continue to go behind that. So, so yeah, 2020 Chip companies certified today, we’re just getting pretty close to having 100 certified products, it’s ramping pretty quick. And, you know, it’s really amazing to be able to see, you know, these sort of tier one semiconductor brands, you know, getting behind this initiative, and, you know, recognising the need to be able to both promote their products, abilities to support security, but also do it in a consistent way that the ecosystem will understand what that means, you know, particularly to developers and device manufacturers.

Tom White
Yeah, I mean, it’s fantastic, isn’t it? I mean, you know, the need for IoT security is often well spoken about, and we’ve talked about it on the podcast and several different episodes. But but that common understanding is something that has lacked in the past. And, and an arm really took the initiative to begin this PSA certification programme. And it’s great to see so many people have joined because it really is a collaborative effort. Yeah. Otherwise,

Unknown Speaker
Actually all of the partners that are part of PSA certified recognise the need for the industry to behave in a common way around a framework that gives that language of description. And I think, you know, what, what PSA certified has done is given all parts of the industry, the ability to understand what it means so, so it’s what we describe as assurance, you know, there’s the ability of the device to protect against bad actors, you know, depends on the effectively the architecture of the device, you know, when you’re developing that product you would go through as a threat model, you would think about the kinds of threats that device might be vulnerable to, you know, if it’s something that’s, you know, mounted in a way that would allow physical attacks to happen, then that’s something you’d need to build in. So having that common language has been very powerful.

Unknown Speaker
And promoting it through multiple voices has been very Powerful. And actually, you know, I think that that that term collaboration is something that, you know, everybody within PSA certified is really passionate about. And that’s that’s not only at the PSA certified level, I’d say that’s the way that PSA certified as a foundational scheme then fits with other schemes as well. Yeah, so, you know, we’ve made a few announcements along the way, you know, IO x t have a, have a device level certification scheme, they recognise PSA certified as a Root of Trust, we made the announcement with UL who’s one of the, you know, PSA co founders and a leading, you know, one of the world’s most famous brands, actually for, you know, security labs, they recognise it in their own scheme. So, I think the ability to work in a collaborative ways is really essential, actually, when we’re talking about security and how to solve that.

Tom White
For the, for the listener, that doesn’t necessarily understand that the need for a common platform, what are the what are the benefits for companies certifying that products and going through a PSA certification? Be that, you know, one, two or three levels?

Unknown Speaker
Yeah, there’s, there’s several, actually. So we kind of often talk about this sort of push and pull in industry. And actually, there’s a couple of things that are happening. So one is the sort of regulatory environment is starting to so kind of governments, regulators, and actually standards bodies are recognising the need for security, if you pull back and think about the very big picture, then we’re talking about, you know, effectively, sort of what we describe as digital transformation. And multiple industries are embracing digital products into their businesses and consumers, actually, you know, whether it’s smart lighting, smart speakers, a smart factory, connected city, you know, the automotive platform.

Unknown Speaker
So, I think that, first of all, having a common language around it gives that breadth of ecosystem, a common way of understanding what they’re talking about, you know, it’s kind of democratisation is a word that’s often used, yeah, we, we don’t want it to be that, you know, only companies with divisions of PhDs can understand, you know, what security really means, you know, it kind of touches every part of the ecosystem. You know, to the point where actually, in the end, what we’re talking about is, you know, business risks. So, somebody is deploying at scale, a business risk, you know, they deploying a digital service, they want to rely on the platform that it’s been deployed on. So they want to have some assurance and having that common language allows both, you know, the procurement of the devices, and also the people building the devices to behave in a in a common way.

Unknown Speaker
So I think that’s really important. The other part is the regulation, as I was describing, so we kind of see in the US with NIST. So this has a set of guidelines sort of 82598. And, you know, it’s kind of well known that that there’s some activity there, we also see the same in Europe around Etsy, with 33645. So these requirements, understanding how your product fits with those requirements becomes important, especially over time, as those requirements evolve. And actually, you know, we one of the things that we are very particular to do is to map PSA certified with those evolving requirements, in order to make sure that, you know, when people are purchasing, effectively PSA certified components, they understand how that relates to the emerging regulatory requirements or how that relates to their own product requirements.

Tom White
It’s fascinating, it really is, and one would, one would imagine, you know, having a common understanding and having 20 Different silicon and Chip businesses signed up, no mean feat. I can imagine I can have, you know, lots of different perceptions of what is a common standard? I mean, what, what, what are some of the things that you’ve learned throughout this process and having this common platform I’m sure that lots of discussions were had.

Unknown Speaker
Absolutely. So I think that, you know, what we’ve what we’ve learned along the way is, you know, to effectively have a sort of an easy to understand description of security that can go far and wide, you know, as a, as a kind of extremes of examples, you know, at one end, you know, you’re talking to a kind of a tier one semiconductor company that understands in deep detail how to build a route of trust, and all of the architecture goes around it. And at the other hand, you’re talking to, you know, business decision makers that want to deploy services onto these digital platforms. And actually, you know, kind of in the middle, you know, stakeholders like, you know, cyber insurance companies and areas like that.

Unknown Speaker
So, joining together, the value chain is really important. And having a language that scales so even the way that I’m, you know, describing this today to your listeners, for example, different listeners will have different views. Using impressions on what security means. And actually, when you talk to different parts of the ecosystem, you realise that it means different things. So, you know, number one, common description, very easy to understand. Number two is this collaboration model. So it’s not, you know, allows, how do we best describe, it allows competition to thrive within a framework.

Unknown Speaker
So the way that PSA certified works, it doesn’t, it doesn’t lead you to a particular way of solving that problem, it simply gives you a measure of how you solve that problem. So it allows differentiation in the market, it allows, you know, these all these different chip companies, all these different OEMs, to differentiate and solve the security problem around that framework, and allow them to describe it to their end customers. So I think that’s really powerful, actually. And it gives everybody a voice, you know, kind of collective voices to live that message. So, you know, the ability to take a trusted component that’s been certified, you know, have that available in a development kit. So for example, you know, we recently certified a development kit with with Arrow who’s a distributor of you know, so they have a development kit that has PSA certified silicone inside.

Unknown Speaker

Unknown Speaker
So that opens up all of that goodness to developers that you know, they don’t need to kind of get under the hood and really understand all of the deep details, they have a common way of understanding the security that’s available on that platform to then enable that for that their end users. So that democratisation story, that root of linking together the value chain, the combination of language and technology is very powerful. And, you know, it’s kind of a privilege, if you like, you know, to be able to work as arm as in that sort of CO founding mechanism to get that up and running. And to see the momentum that’s building behind it as well to kind of link all these things together. Yeah,

Tom White
Yeah. I mean, thank you so much for that, yeah, I can understand, you know, you’ve got different levels of involvement, interaction, understanding, and to be able to have that common understanding in terms of PSA certification, and to have people from all different companies and company sizes involved is really fantastic. If we could just step outside from from PSA certified for a moment and just talk about general security within it. Often, lots of lessons are learned. And, you know, hindsight, is both a blessing and a curse, especially when it comes to security. In your view, what are the sort of, you know, lessons learned recently, when it comes to security, and what else is needed? To get there to make, you know, our devices and our infrastructure more secure?

Unknown Speaker
Yeah, it’s some, it’s about consistency, actually, and consistency in the right way. So, you know, one of the points, it’s interesting, when, when we do these kind of, you know, sort of discussions across the industry, one of the things I’d begin to realise is that it’s not always widely understood the role of the, of the underlying components in that security story. So when we quite often in a very broad audience, when you talk about security, you think about software, and you think, oh, okay, I have a security vulnerability, I’ll download a patch. And I think there’s sort of a conditioning based on our sort of desktop environments as a conditioning, that it’s, you know, predominately software problem, but actually the role of the components underneath having a, what we describe as a Root of Trust.

Unknown Speaker
So a Root of Trust is, you know, the portion of the processor, or the chip, where all of the secure operations take place, you know, whether that’s your crypto, your secure storage, handling your keys, everything happens in a secure environment on the chip. I think that, you know, the lesson learned is to have your services anchored in a Root of Trust. And as I said, before, there’s different ways of achieving that Root of Trust. But you know, the measure, we provide a measure for how you’ve achieved it.

Unknown Speaker
So anchoring on a Root of Trust, you know, that that Root of Trust is, is your relationship between, let’s say, the cloud and your end node. And if you think at scale, you potentially have millions of endnotes. So having that relationship anchored in a Root of Trust, it sounds simple, but actually, you know, the creation of that in a consistent way, having your keys provisioned onto that Root of Trust in a trustworthy way. Being able to manage that device, once it’s on its network, you know, remember, I’m sure this is sort of a common theme in some of your IoT discussions is the lifecycle of the device, you know, these devices are not sort of one or two year devices often they are in the field for a considerable amount of time. So having a secure relationship with it, trusting that it is the device you think it is being able to manage its lifecycle. So you know, at very simple level, can I update the software, and if I do update the software, can I trust that that is the software that I’ve updated, and that it hasn’t somehow been manipulated by a bad actor. So we published something called the the 10 security goals as a kind of overarching, Guiding Light, if you like in PSA certified, it’s, it’s something that’s free to download, and it, it goes through elements like, like I described, you know, you should have a Root of Trust, there should be some hardware mechanism between the trusted and the non trusted part of your processor, you should have a lifecycle management, you should be able to update it, you know, you should be able to take it through its entire secure lifecycle.

Unknown Speaker
So, for us, that’s a major lesson learned is to deploy on devices that are trustworthy. And it’s actually a complicated chain of dependencies to make it trustworthy, which is why we started all of this five years ago, actually, because you could see the direction that you know, that the industry was taking that, you know, for example, just to have your crypto in hardware is it doesn’t mean you have a secure device, you know, you you have this, it’s got to boot in a secure way. Like I said before, it’s got to store its secrets in a secure way, it has to handle the way it runs its software in a secure way. There’s many elements to it. And we tend to associate a lot of those elements with more rich operating systems historically, you know, like Linux based boxes, and that kind of thing, but actually it, it spans them all, you know, it spans them all. If you look at the sophistication of a embedded device today, you know, it has the same set of requirements for an SOS as it as it does for for a Linux based system. So it’s a very long answer to your question. But I think for a reason, you know, I think there’s that’s anchoring it on a Root of Trust and caring about that lifecycle is really essential to learn the lessons from from what we see in the industry. Yeah,

Tom White
I think the phrase Root of Trust is, is really poignant, isn’t it? Because you know, it’s anything on a chip, anything on a board is is secure. To a degree is when it goes into the cloud, no matter how, no matter how you try and make that secure, there’s always going to be vulnerabilities and talking about cold wallets. Yeah, crypto storage, I’ve got a cold wallet away. So I won’t say which one just in case. But yeah, it’s it’s interesting, isn’t it, because, you know, very sophisticated devices, but but that whole common understanding, and how it’s stored is interesting and can mean different things to different people. But it’s nice to hear you talk about it in that way.

Unknown Speaker
It’s definitely and you know, the, I guess the way we look at it, and again, back to this need for common language, what I’ve just described is, it’s quite complex. I mean, okay, if you’re, if you’re a sort of PhD security architect, maybe it sounds quite simple, but there’s many angles to the way that we can describe it, I think that, you know, the thinking about what we tend to call the threat model. So how that device could become compromised is important. We do a lot of work talking to OEMs, and developers around thinking about that early on in your development cycle, because that helps you choose the components that you put into that device, thinking about whether that device is liable to a software attack.

Unknown Speaker
So as we just been describing, you know, using the software update mechanism, for example, to download some malware, or whether it’s, it’s a device that for whatever reason, like I don’t know, a smart door lock, that could be liable to a hardware attack. And even something as simple as you know, not using common shared keys. So, for example, if you took a door lock and hacked it, then you know that one of the principles that we give is, well, because you don’t have common shared keys, then if you hack one door lock, you’ve only hacked one door lock.

Unknown Speaker
But, you know, unfortunately, we see examples where common keys are still used sometimes. And if you hack one door lock or one item, you then have a scalable attack. And of course, that’s terrible. So some of this is, some of this is like deep architecture, some of this is actually common sense, good practice, but as an industry, we need to learn that and we need to go through that learning curve. And actually, in the end, it comes back to reputation, you know, if you think about these devices represent your business, your brand, your company, if they you know if they are compromised impacts your, your reputation, you know, it represents, you know, damage to your business. So you know what, that’s what we’re seeing at the kind of business end of the discussion is, you know, parties caring about it, but maybe parties not always knowing how to solve that problem, which is where schemes like PSA certified and others come in.

Tom White
Yeah, I completely agree because you’ve touched on too You think the ark, the architecture of the security solution, plus human error? And the user’s interaction with that, and the two sometimes can be juxtaposed right, depending on who’s Yeah, exactly. And that’s always going to be a concern, but an awareness of why it’s important. So yes, the PhD, computer architect graduate, you know, is going to understand this and care about it a lot more. But the person that perhaps doesn’t really know why they should have changed default passwords, or even have, you know, encryption keys, or even understand the necessity to have that is useful. And this is something that we we talk about a lot on the podcast to raise awareness about why this is important in an ever increasing connected world, and, and hopefully something that that PSA certified, does as well, right to people outside of the industry?

Unknown Speaker
I would imagine. We do. Absolutely, yeah. So, you know, proud, proud to promote my own podcast as well. So I host the beyond an hour podcast on PSA certified organ. And actually, you know, we deliberately talk to a broad range of industry players. You know, the example I like to give is cyber insurance, actually, or cyber insurance where, you know, there there you have a group of companies that are, you know, like any insurance company, they are looking at a risk profile. So, you know, what’s, what’s the impact? What’s the risk profile, and they are effectively modelling that risk? And, you know, we, we know, through the discussions, we’re having that, that initiatives like PSA certified feed into their risk modelling, yeah, and it allows them to understand, you know, the deployed risk, you know, it doesn’t reduce the risk to zero because no scheme ever would.

Unknown Speaker
And this is also a sort of a, you know, a sort of a important part of this security journey is that you move the risk into a sort of an acceptable bounds based on the threat modelling and the use cases. So that’s a big part of what we drive is this, this whole use case driven threat modelling? But it’s back to that common language, isn’t it? And, you know, talking to the insurers, talking to the big cloud guys, as well, you know, the kind of the hyper scalars, that the ones that, you know, we’ll have these huge arrays of devices deployed on their clouds, you know, they recognise that that little problem per device that multiplies pretty quick, you know, if you’re not securing the device, at that individual level, it multiplies pretty quick, if especially if we look at the speed of digital transformation over the last, you know, well, I mean, especially in the last couple of years, because of the way that the world has had to operate.

Unknown Speaker
But we see that to continue to accelerate, you know, just the sheer number of connected devices that they’re arriving on Cloud networks, those, those entities are really starting to care a lot about the device level security. And it actually links as well, you know, if we kind of take it one step further, if you think a lot of those devices are data driven. So you’re then back to sort of, well, I want to trust my data, because my data drives my service. And actually, if you add in, you know, the sort of the rise of machine learning and artificial intelligence, actually, that that data is driving insights that are used to deliver services. So you really want to trust where that data is coming from. You want to trust that those devices are the ones you think they are, and they’re not being manipulated. So we see that need growing, you know, kind of expertise exponentially, actually, in terms of, you know, the need for trusted secure components. At the edge.

Tom White
Yeah, thank you for that. No, I think it’s I think it’s important. I think the continual awareness, as you as you say, is great, because I think sometimes it’s not until people are really affected on an individual basis B, that their company or within their family, fire security breach, they start to look at it. And yeah, and that mass adoption is is to is the lacking part sometimes. Because you know, the work that you’re doing is no doubt fantastic. The promotion that you’re doing is great. But equally, I’ve don’t know what the actual numbers are. But I think I’ve read it in the past, but common man just still doesn’t see the importance of it. Right. And I think sometimes, not until there’s a real issue and that you’re physically affected by it. Do you do you? Do you take notice? Yeah. David, what’s what’s the future holding them for IoT security? You know, what, what can we expect to see in the short and medium term in terms of advancements made?

Unknown Speaker
Yeah, I think there’s a few things actually mean obviously. growing awareness and adoption of Root of Trust, you know, trusted components Root of Trust. You know, we see, we see that that great momentum that we have now with PSA certified, we’re, you know, we’re excited about other that’s moving forward. And, and I think really, what comes next is the way that the OEMs and the broader business environment engage with that. So, you know, that’s why we carry on with this process of driving best practice and education into the market, I think in the end, it’s going to be a combination of, you know, regulation, and companies wishing to demonstrate best practice, because they recognise, you know, that they can do, they can do business better because of it.

Unknown Speaker
So, you know, we’re excited, we’re very much looking at that scalable route, you know, so how PSA certified, grows on that theme of collaboration. So that’s collaboration with the ecosystem collaboration with other initiatives. You know, I think that if you stand back and look at what the electronics industry has to do, we can only do it jointly. So, you know, we’re kind of wholeheartedly embracing that approach. And looking forward to, you know, kind of seeing, seeing that further rapid growth of an understanding of why security needs to be, you know, kind of your first thought, when you’re developing a product and not not an afterthought later on, you know, we can’t allow people to learn through bad experiences permanently. Yeah, that would be a failing on the electronics industry. We have to be proactive in what we’re driving.

Tom White
Fantastic. And what a what a way to end the podcast. That’s, that’s, you know, really poignant, poignant phrase. David, thank you so much your time today, it’s really been great to understand more about yourself and PSA certified for our listeners, where can we find out more information? Assume you’re on a website? Social media?

Unknown Speaker
Absolutely. Yeah. So PSA certified.org is the is the website and you can find us at PSA certified on social media, LinkedIn and Twitter. But yeah, I’d encourage you to have a look and listen to the podcast as well. It’d be on real podcasts. So yeah, absolutely. Thank you very much indeed. I appreciate it. It’s been great having a chat with you, Tom. Really great. Thank you.

Tom White
Thank you, David. As always, guys, if you’d like to find out more, please get involved in the comments. Click on the link, subscribe, like share, save, send print files, store everything as usual that we’ve normally asked you to do, and we look forward to seeing you on the next episode. Cheers.

The IoT Podcast Team

The IoT Podcast is powered by Paratus People, a leading organisation in IoT Talent Solutions.

Innovation is at the heart of IoT, it is our passion to explore and learn more about this fast paced and transforming sector.

Connect & Get Involved

Your subscription could not be saved. Please try again.
Your subscription has been successful.
Subscribe to our newsletter to be amongst the first to find out exclusive information about The IoT Podcast.

We use Sendinblue as our marketing platform. By Clicking below to submit this form, you acknowledge that the information you provided will be transferred to Sendinblue for processing in accordance with their href="https://www.sendinblue.com/legal/termsofuse/">terms of use