When it comes to securing Internet of Things (IoT) devices, “no device should be left behind,” says Paul Williamson, VP and GM, IoT Device IP at ARM. To this end, the U.K.-based silicon chipmaker developed an industry-wide framework for building secure, connected devices.
The ARM IoT security framework is called Platform Security Architecture (PSA). It’s already won endorsements from major cloud, hardware, and service providers including Microsoft Azure, Google Cloud Platform, Cisco, Sprint, and Vodafone.
ARM plans to publish the PSA framework and deliver an open-source reference implementation firmware early next year.
One trillion IoT devices will come online by 2035, according to ARM. All of these Internet-connected things, from electricity grids to cars and coffeemakers, can potentially be hacked. Think: the Mirai attack that crippled much of the Internet in the U.S. last year and spawned even worse IoT botnets.
The framework is architecture agnostic and protects sensitive assets — such as keys, credentials, and firmware — by separating these from the application firmware and hardware. It defines a secure processing environment (SPE) for this data, for the code that manages it, and for its hardware.
“PSA is a fundamental shift in the economics of IoT security, enabling ecosystems to build on a common set of ground rules to reduce the cost, time, and risk associated with IoT security today,” Williamson wrote.
PSA includes three major components: threat models and security analyses, architecture specifications for firmware and hardware, and an open-source project.
The open-source reference implementation firmware, called Trusted Firmware-M, will initially target the company’s Armv8-M systems. ARM expects to release source code for this in the first quarter of 2018.
IoT Security Standards Lacking
“One of the biggest issues with IoT security is that there’s almost a lack of standards, but there are plenty of standards bodies,” said IDC analyst Robert Westervelt, who leads the firm’s IoT security practices team. “It’s good that a silicon maker is providing guidance with regard to security.”
Westervelt said the threat modeling piece will prove extremely important considering the variety of IoT use cases. “It really makes sense to go down the threat-modeling road to identify what the true risk is and what is the likely attack vector,” he explained. “Then you can invest most of your resources in those high-risk areas of the IoT device or even IoT ecosystem.”
Last year the Industrial Internet Consortium released an industrial IoT security framework. But Westervelt said this group, founded by AT&T, Cisco, GE, IBM, and Intel, focuses more on the safety and reliability of industrial control system environments. “Both of these approaches are needed, and certainly what ARM is doing is a good one.”
Embedding security in the silicon chip that powers the connected device not only reduces risk but also lowers manufacturers’ costs, Westervelt added. “Security needs to be part of the design phase,” he said. “We know that by looking at how security in IT in corporate networks has evolved over time. When you bolt on security, it ultimately results in more complexity and it costs more to implement and maintain. If you build in security, your costs will be lower over time.”