October 17, 2018
By Paul Williamson, vice president and general manager, IoT device IP Line of Business, Arm
- Arm is building the industry’s broadest IoT security offering with secure device IP and the Pelion IoT Platform guided by PSA design principles
- Arm celebrates the first year of PSA with new APIs and API test kits to accelerate PSA development
- Pelion IoT Platform to integrate Cybereason AI hunting engine for ongoing security of IoT devices
This week at Arm TechCon, Arm CEO Simon Segars shared details in his keynote address on version 2.0 of the Arm security manifesto. Within the manifesto, I look at the risks to IoT devices and how even a small-scale disruption of a company's infrastructure will not only immediately compromise the integrity of the data, but also have a damaging long-term impact on the trust businesses and consumers place in data-driven insights.
Trust is ultimately the key to widespread adoption of any emerging technology. The same approach holds true for IoT silicon, systems and data. Security cannot be an afterthought in IoT devices because the confidence in any data-driven insight they provide is only as strong as the trust businesses and consumers can place in them.
One year later, PSA is an essential part of building trusted connected devices
As a starting point in building that trust, a year ago Arm introduced the Platform Security Architecture (PSA), a common framework for securing a trillion connected devices. Since that time, PSA has grown, gathering more industry support and offering deliverables in all areas of the three-stage pipeline: threat modeling documentation, specifications and reference software through the open source Trusted Firmware project (TF-M). Today, I'm announcing the latest PSA milestone – a series of APIs and accompanying test kits that will accelerate the development and delivery of robust PSA implementations.
We are releasing new PSA APIs and API compliance test kits to support three key areas of design, including:
- PSA Developer APIs for RTOS vendors and software developers
- PSA Firmware Framework APIs for security experts making custom secure functions
- The Trusted Base System Architecture (TBSA-M) Architecture Test Kit for chip vendors, which checks chip hardware for compliance with the PSA TBSA-M specification
PSA is a reality today and is already seen as essential for building trusted IoT devices. For example, in a research note earlier this year, leading industry analyst firm Gartner said “Technology product management leaders need to look into partnerships with security software companies, as well as prioritize semiconductor vendors that are planning to incorporate Arm's PSA.”[i]
Building on our ongoing PSA investment, we recognize the need to equip our partners with full solutions and a system-wide approach for building secure SoCs faster. To address this, we’re also unveiling a new umbrella design solution at TechCon. The Arm secure foundation consists of Corstone foundation IP, pre-integrated with the processor and security IP; development tools (including FPGA/test chip boards); and open source, Corstone-ready software.
Of course, while PSA and secure IP such as Corstone, Arm TrustZone and Arm CryptoCell are critical in designing secure IoT devices, Arm recognizes more needs to be done. We are committed to going higher up the solution stack to ensure IoT devices are secure, as evidenced by the Arm Pelion IoT Platform. Pelion already integrates PSA principles and delivers unified device-to-data security across both IoT devices and data. The solution offers state-of-the-art PKI-based device security, trusted TLS security communication, data encryption, and other services such as secure firmware updates and in-field device access control.
Pelion gets a new hunting partner
However, the complexities associated with securing the vast attack surface of billions of connected devices require industry collaboration to build an ecosystem dedicated to security from device-to-data. In the coming weeks, months and years you will see plenty of Arm partner collaborations focused on securing devices, but the one we’re announcing today with Cybereason brings an entirely new dimension for monitoring IoT device security to Pelion Device Management.
The Cybereason AI hunting engine is a shield for helping to safeguard all future Arm-based IoT devices tied into the Pelion IoT Platform. Cybereason’s technology can analyze 8 million events per second, and each one of those events could signal the start of an attack or that a device is failing. The joint solution will add visibility and attack response capabilities to the already strong protection offered by Pelion Device Management. The combined offering will include a comprehensive cybersecurity solution designed to operate at an IoT scale of billions of devices.
If you’re attending TechCon this week, stop by the Arm booth to see a joint demo with Cybereason that simulates an attack on a single smart meter and how it could compromise an entire utility provider’s data. If something like that were to happen, then it would ultimately create an immediate lack of consumer trust in those smart meters and the bills they are responsible for generating. This of course would have implications for an entire industry building connected devices.
Therefore, the industry must now think differently about how IoT systems are built and how they will be secured from device-to-data. Since our ecosystem has shipped more than 130 billion chips with our architecture, we are expected to think differently about how to get in front of future threats. That is why Arm is uniquely positioned to deliver the industry’s most scalable device-to-data security solution stack, starting with PSA as the common security framework for designing IoT devices, supporting those devices with a robust suite of security IP and ultimately securing and managing the devices and data generated with the Pelion IoT Platform.
[i] Gartner Market Insight: Address 3 Critical Security Issues to Differentiate Yourself in the Connected Home Market, Annette Zimmerman and Saniye Alaybeyi, April 26, 2018