Arm partners with testing labs to provide IOT security certification

The new certification process will verify that devices are based on Arm's Platform Security Architecture (PSA) framework.
Written by Stephanie Condon, Senior Writer

Seeking to build trust in IOT devices and services, Arm on Monday announced it's partnering with multiple security testing labs to offer independent security certification. The new certification process will verify that devices are based on Arm's Platform Security Architecture (PSA) framework. Arm says the PSA Certified program should help organizations across the value chain ensure they're buying silicon or devices with the appropriate level of security. 

"We think this is going to be a really important part of delivering trust at scale over the next  billions and trillions of devices," Rob Coombs, security marketing director for Arm, told reporters.

Arm's testing partners include the labs Brightsight, CAICT, Riscure and UL, along with consultants Prove&Run.

Launched in 2017, the Platform Security Architecture is four-stage framework that guides IOT designers through best practice approaches to security. The new certification program, Arm says, is applicable to the vast majority of the IoT device market volume today. Based on openly published threat models, specs and open source reference code, it can be applied to older MCUs as well as newer processors and processor architectures.

The PSA Certified program comprises two elements -- a multi-level security certification process, as well as a developer-focused API test suite.

The multi-level certification process was designed for devices with different security requirements. For instance, a temperature sensor that meets Level 1 certification should be sufficiently secure to deploy in a field. A Level 2-certified device should be secure enough to deploy in a home environment, while a device that meets the upcoming Level 3 certification standards could be deployed in an industrial plant.


Level 1 certification is granted via a questionnaire based on PSA security model goals and IoT threat models. There are 10 goals, such as a secure update process, validation of those updates, anti-rollback features and security lifecycle states. A vendor can download the questionnaire -- there are different versions for chip makers, OS providers and device makers -- fill it out and then work with one of Arm's partner test labs to conduct an interview-style assessment.

Some of Arm's silicon partners that have already achieved Level 1 certification include Cypress, Microchip, Nordic Semiconductor, Nuvoton, NXP, STMicroelectronics and Silicon Labs.

While Level 1 asks vendors to provide evidence that they've met the PSA security model goals, Level 2 is about testing -- effectively trying to get past a chip maker's security features. It includes a 25-day lab based evaluation against the PSA-root of trust protection profile and tests for both software and light-weight hardware attacks.

Arm plans to soon roll out Level 3 certification, which will include testing against more extensive attacks such as side channel and physical tamper.

Meanwhile, Arm is also offering PSA Functional API Certification, which is a separate certification to show that PSA-based solutions have consistent APIs for critical security functions. This should make it easier to build secure applications and help developers build an ecosystem of interoperable solutions. 

Editorial standards