PSA Certified

Platform Security Architecture (PSA) Certified is a security certification scheme for Internet of Things (IoT) hardware, software, and devices. It was created by Arm Holdings, Brightsight, CAICT, Prove & Run, Riscure, TrustCB, and UL as part of a global partnership.

Arm Holdings first brought forward the PSA specifications in 2017 to outline common standards for IoT security, with the PSA Certified Assurance Scheme launching two years later in 2019.

History
In 2017, Arm Holdings introduced the Platform Security Architecture (PSA), a framework designed to enhance the security of Internet of Things (IoT) devices and services. PSA emerged as a comprehensive standard, incorporating various elements such as threat models, security analyses, and architectural specifications for hardware and firmware. It also included an open-source firmware reference implementation. The primary objective of PSA was to establish a baseline for security in the IoT sector, catering to the needs of both software and device manufacturers.

Over time, PSA evolved into PSA Certified, a more structured, four-stage framework. This development aimed to provide IoT designers with a systematic approach to ensuring security. The framework categorized security into different levels, each offering varying degrees of assessment and assurance.

The initial PSA documents and IoT threat models were released in 2018, marking a significant step in standardizing IoT security.

The formal certification process for PSA Certified was launched at Embedded World in 2019. This event saw the introduction of Level 1 certification, primarily targeting chip vendors. Concurrently, a draft outlining Level 2 protection was also presented.

PSA Certified was further strengthened by the collaboration of seven founding stakeholders, including Arm Holdings, Brightsight, CAICT, Prove & Run, Riscure, UL, and TrustCB. TrustCB joined as an independent certification body for the scheme, while the other stakeholders, four of which are security test laboratories, contributed to the creation of the PSA Certified specifications under the PSA Joint Stakeholders Agreement.

The PSA Certified ecosystem expanded in 2021 with the addition of Applus+ and ECSEC, two notable security test labs.

Noteworthy milestones in the journey of PSA Certification include the issuance of the first Level 2 certificates to chip vendors in February 2020 and the awarding of the first Level 3 certificate in March 2021.

In November 2022, PSA Certified introduced Level 2 + Secure Element. This new category allows for the integration of a secure element to enhance the physical protection at Level 2, bridging the gap before advancing to the more robust Level 3 protection.

The evolution of PSA and the introduction of PSA Certified represent significant strides in standardizing and enhancing IoT security, reflecting the industry's ongoing commitment to safeguarding interconnected devices in an increasingly digital world.

Certification
The PSA Joint Stakeholders Agreement is an initiative focused on establishing a global standard for Internet of Things (IoT) security. This agreement aims to simplify the security protocols within the electronics industry by providing a coherent and comprehensive security scheme. The security certification scheme, as outlined in the agreement, advocates a security-by-design approach applicable to a broad spectrum of IoT products. This process begins with a thorough security assessment of the chip, specifically its Root of Trust (RoT), and progressively extends to system software and device application code. Notably, the PSA-certified specifications are designed to be neutral regarding implementation and architecture, making them applicable across various chips, software, and devices.

The PSA Certified program seeks to address and reduce fragmentation in the IoT product manufacturing and development sectors. It supports the creation of system-on-chips (SoCs) that incorporate a PSA Root of Trust (PSA-RoT), a security component accessible to software platforms and original equipment manufacturers (OEMs).

Functional API Certification
PSA-RoT offers a set of high-level APIs, facilitating the abstraction of trusted hardware and firmware across different chip vendors. These APIs include the PSA Cryptography API, the PSA Attestation API, the PSA Storage API, and the PSA Firmware Update API. Compliance with these APIs is verified through open source API test suites, and an open-source implementation of the PSA Root of Trust APIs is available through the TrustedFirmware.org project.

Level 1 Certification
Level 1 targets chip vendors, software platforms, and device manufacturers. It involves a questionnaire, document review, and an interview conducted by a certification lab. The process ensures alignment with key IoT standards and laws, like NISTIR 8259, ETSI 303 645, and SB-327.

==== Level 2 Certification ==== This mid-level certification focuses on software attacks and includes a month-long review of the PSA-RoT source code by a security lab. It emphasizes specific attack methods and evaluation methodologies, with a requirement for hardware support of PSA-RoT functions, primarily aimed at chip vendors.

Level 2 + Secure Element
This level enhances Level 2 by adding physical protection for certain security functions. It typically involves a Level 2 Certified SoC combined with a secure element, focusing on secure cryptographic operations and key storage.

Level 3 Certification
The highest level, Level 3, expands upon Level 2 to include safeguards against various physical and side-channel attacks. This level encompasses physical protection for all security functions, differentiating it from Level 2 + Secure Element.

This structured approach under the PSA Joint Stakeholders Agreement and the subsequent certification levels play a critical role in unifying and strengthening IoT security standards, catering to the diverse needs of the industry, and promoting a safer IoT environment.

Industry adoption
Since the launch of the standard, it has been adopted by a number of chip manufacturers and system software providers.