Arm Reveals More Details About Its IoT Platform Security Architecture

When it announced its Platform Security Architecture for IoT devices last year, Arm said that “security can no longer be optional.” Now, shortly after it announced the iSim SoC that's supposed to connect more devices to the IoT, the company revealed more about the PSA framework.

The Internet Of Threats

Kaspersky co-founder Eugene Kaspersky called the IoT the “Internet of Threats” in 2015, and as we’ve seen in the years since, his description wasn’t too far off. Poorly secured IoT devices have enabled massive DDoS attacks that took out major internet services, and that may be just the beginning, because we’re still in the early days of the IoT boom.

Arm promised to enable over a trillion internet-connected IoT devices by 2035. We don’t know yet what it would mean if malicious actors controlled even a small fraction of them, but it probably won’t be a pretty sight.

To make things worse, attackers may have found an even bigger incentive to take over IoT devices: cryptojacking, in which attackers take over target devices and use them to mine cryptocurrencies they can then sell for a profit. IoT devices may not be remotely as powerful as PCs, but if attackers took over several billion of them, they could probably make a decent amount of money.

The good news is that Arm seems to take this issue quite seriously, or at least more seriously than individual device makers seem to take it right now, because many of them tend to have little incentive to enable strong security for their devices. Arm has announced multiple security-oriented projects lately, including its CryptoIsland secure enclave IP family as well as the PSA.

Platform Security Architecture

According to Arm, the PSA aims to provide a holistic set of security guidelines for the IoT ecosystem, from chip makers to device developers, so they can successfully implement security features. When it launched the PSA framework last year, Arm announced three main components: IoT threat models and security analyses, hardware and firmware specifications, and a reference open-source device firmware.


Today, Arm announced the first stage of the PSA framework with the release of the first set of Threat Models and Security Analyses (TMSA) documentation. The company also published threat model analyses for three types of IoT products: a smart water meter, a web camera, and an asset tracking device. Device makers can look at these examples to see how they should implement security features in their IoT products.

Additionally, Arm announced that the first open-source build of its reference firmware, called Trusted Firmware-M, which conforms to the PSA specification, will be released in March 2018. The company will continue to develop and improve the open-source firmware after the release, too.

Securing The Next Trillion IoT Devices

Arm still has some work to do to complete the launch of the PSA framework. The company’s plan is to start by releasing the first PSA architectural document, which is called the Trusted Base System Architecture-M (TBSA-M). The document is currently in active review with some key partners, and it provides guidance on hardware security features to silicon designers.

Another step in the evolution of the PSA framework will be building an ecosystem of developers interested in making PSA-compliant devices. Arm plans to enable high-level security APIs on which companies can depend when building secure IoT devices. The company is also working on a Compliance & Certification Program, which should make it easier for manufacturers to build secure devices and for consumers to identify which IoT devices are worth their money.

Lucian Armasu
Lucian Armasu is a Contributing Writer for Tom's Hardware US. He covers software news and the issues surrounding privacy and security.