The Accelerating Landscape of Digital Transformation
Digital transformation is a term that we are more and more familiar with, but what does it actually mean?
Director, Secure Device Ecosystem
Arm - PSA Certified Co-Founder
Across multiple industries we see a drive to digitize and embrace new and connected technologies that promise to bring new levels of service and efficiency. This megatrend of digital transformation is not unique to one sector; it spans them all, with the ability to transform our lives and the way we do business. Whether we are streaming music from our voice-activated smart speaker or tracking the progress of our latest online purchase to our front door, the digitization of our lives is everywhere. Consumers are just starting to see the possibilities, which first appear almost as novelties but gradually turn into products and services that we cannot live without. Industry and enterprises have been the early adopters, realizing quickly how improved efficiency can translate into business opportunity. From how you run buildings to reduce CO2 and save energy costs, to managing waste collection, optimizing production processes and tracking assets through complex supply chains, the opportunities are limitless. We have long spoken about the promise of IoT, thinking about the Internet of Things as a market in its own right, but the reality is that these digital transformation examples are all part of how the Internet of Things will transform the world around us.
Digital Transformation Hurdles
This transformation offers a lot but doesn’t happen overnight: there are multiple business, market and technical challenges to overcome before it can be realized. Although there are many hurdles, they can broadly be grouped into three areas:
Devices or ‘things’ must be able to connect to a ‘service’
A device should have the ability to deliver value via a service
A device should be trusted and not be susceptible to compromise
The Industry Needs Assurance to Embrace Digital Transformation
Markets grow based on confidence. If there is a perception that device networks are susceptible to attacks, then the RoI will not work and investment is postponed or, worse, never happens. Securing a network of devices is not optional, but how do you know that the security is ‘good enough’? This question is being asked both in businesses and governments the world over. The cost and impact of failure is high, so we must get this right. When we think about a website being hacked, the impact is probably significant but normally limited to a specific business or organisation. Hacking a network of connected devices or objects is a very different proposition and stands to impact our lives and businesses in a significant way. There have already been many well publicized examples of security hacks on IoT devices, and in many cases the devices themselves were never designed with security in mind. This not only affects the device and its application, but also has a much larger ripple effect, especially when the devices offer a “way-in” to a larger network. An inconsistent approach to security is the industry’s biggest challenge in solving this problem: how to drive a common set of requirements for devices that connect to services and collectively deliver the required security assurances. Of course there are multiple ways of addressing this, and multiple competing vendors who are all taking products to diverse markets, but there is still a common denominator that they all share: the ability for a device to securely connect to a service and maintain its security during its complete lifetime.
A Foundational Approach to Security
At the heart of a secure device is a ‘Root of Trust’ or RoT. This is the portion of the device that is completely trusted and is used as the basis of all secure operations. If the RoT in a device is compromised, then we no longer trust the device. Although a RoT is not a new concept, the need to deploy connected devices at scale with a RoT is. A simple way to think about a RoT is the SIM card in your phone or the chip in your banking card. These devices have been designed with very high levels of security in mind and offer extreme levels of robustness. Not all applications need banking card security; some need lower levels of security that are ‘right-sized’ to balance cost and complexity with the end market needs.
PSA Certified – An Industry Collaboration
PSA Certified is a device-level security assurance scheme that was created to drive security best practice across the electronics industry. As we saw earlier, markets need assurance and confidence in device security in order to grow and achieve the scale they promise. Founded by four of the world’s leading security labs (UL, Riscure, Brightsight and CAICT) as well as Arm and Prove & Run, PSA Certified has been specifically designed to certify best practice device security centered on the provision of a RoT. At the heart of PSA Certified is a multi-level assurance scheme evaluated by independent security labs. PSA Certified Level 1 is the industry ‘hygiene factor’ for a connected device and represents the minimum criteria for a device to be securely deployed and connected to services. As well as mandating a hardware Root of Trust, PSA Certified Level 1 also maps to the most significant regulations and standards for IoT devices, such as NIST and ETSI, and includes checks for how the device is managed during its deployment. Progressive levels of PSA Certified drill into the additional security measures around protecting the RoT, with PSA Certified Level 2 certifying robustness to scalable software attacks and PSA Certified Level 3 defining protection against lightweight hardware attacks as well.
From Conception to End-of-life, Device Security Matters
As we have seen, PSA Certified represents the electronics industry’s collective approach to driving security best practice into connected devices. Security is not something that can be added just at the network layer (although clearly that does have a role in spotting rogue devices); it has to be considered right from the outset. PSA Certified manages this in four distinct phases. First, the device requirements are analyzed against the perceived threats that the device will have to counter during its lifetime. Secondly, defences against these threats are architected right into the heart of the device, most notably through the design of a RoT. The third step is to implement the design, and we can already see most of the major chip vendors in IoT working to implement security into their designs. Finally, the product is certified to validate that the security best practices were followed. This allows vendors to showcase their security capabilities and in turn allows OEM designers to choose secure silicon that best meets their requirements.
We have seen how digital transformation is driving the adoption of connected devices across multiple industries and applications. To realise this vision it is essential that these massive networks of connected intelligent devices are secured to assure the end users of the robustness and resilience of the service. PSA Certified is a multi-level certification scheme that has been designed to drive industry best practice into how connected electronic devices are secured and trusted.
“As we expand our business geographically, the PSA Certified program enables us to maximize our products’ security and brand visibility, and ultimately the value we offer customers. It’s not only good for Nuvoton but it’s an efficient and cost-effective way forward for the entire IoT industry.”
- Jason Lin, Nuvoton Technology
“Device manufacturers know that our platform is certified on the best global standards which means they can follow those standards, too, and we don’t need to open up our product source code for verification or provide stacks of documentation.”
- Suik Hwang, CEO, Security Platform Inc.