Internet of Things (IoT) devices are being developed as fast as consumers can adopt them. Users must be confident they can trust these devices. It builds consumer confidence to know that their IoT devices are equipped with security capabilities. This has introduced a new element into the purchasing decision – the consideration that a particular device will protect data and withstand attempts to tamper with its operation. The potential damage a hacker can do to consumers is high. By remotely accessing devices or systems through a single unsecured device, a hacker can harvest and manipulate a considerable amount of personal data. As a result, a data breach can be costly and potentially damaging to a brand.
With the increased presence of IoT and industrial edge devices in our lives, third-party security certifications are becoming critically important.
Developers are racing to get their devices to market and consumers aren’t always able to recognize the characteristics of poorly designed IoT products before making a purchase. Similarly, device manufacturers need to know the components they are building their products around are trustworthy, especially when they are used to store user credentials or used as the main service when encrypting user data. Rapid device development and meeting consumer expectation for security is the catalyst for the Security Evaluation Standard for IoT Platforms (SESIP) from GlobalPlatform®. Third-party validation of security protocols will play an increasingly important role as more and more devices, standards and protocols are introduced. SESIP expands on the widely adopted Common Criteria (CC) for IoT security certification, which has gained a reputation for being stringent in its approach. It verifies the protection of personal data on the device or in transit, as well as any data related to the product’s identity.
NXP believes SESIP will help build safety and trust, as it aims to lower the overhead cost to manufacturers when they embark into products certification. SESIP is designed to be practical, cost effective, easy to use, understandable and is backed by the strength of an industry organization that operates on an international scale. SESIP offers flexibility to certify an IoT product while being able to tailor requirements to match the needs and constraints of each vertical market. SESIP also utilizes a concept known as composition which allows the certification of a subcomponent to be reused as an input to the product certification, to help further decrease the cost and effort for the manufacturers. NXP has a long history of technical collaboration and supports the idea of using third-party certifications to further industry goals and to drive consumer confidence in IoT. We are a long-time member of GlobalPlatform and chair of the SESIP Working Group within GlobalPlatform.
To this end, we have a SESIP program underway and developers are already benefitting from this security-centric approach with our LPC55S16 MCU. This general-purpose MCU is used in IoT and Industrial IoT applications and is part of the NXP EdgeVerse™ platform. It was also awarded a Level 2 SESIP certification.
The EdgeLock SE05x secure element family, including its latest addition EdgeLock SE051, has also been certified for SESIP. The ready-to-use secure element family provides root of trust at the IC level and delivers real end-to-end security for IoT devices, from edge to cloud. EdgeLock SE051 is certified for SESIP Level 3, making it a proven IoT security solution with support for updatability and custom applets.
There are five levels of SESIP assurance, ranging from self-assessment to gradations of more thorough analysis, this helps device manufacturers choose the best match for their needs and ultimately helps device manufacturers improve their devices. This can also be used to allow end-users to match risk assessment to SESIP certified devices:
In addition to these certification standards, NXP has developed the EdgeLock™ Assurance Program to give customers the confidence of knowing that the devices they use meet industry standards. This is a natural extension of NXP’s security-by-design approach to product development. Products carrying the EdgeLock Assurance badge have been reviewed to comply with the latest security standards and requirements.
SESIP is a certification standard designed to meet the broad and complex challenges of IoT security. For more information about NXP’s approach to SESIP, download our whitepaper “SESIP Delivers Cost-Effective Security Evaluation for IoT” .