[Press Release] An Objection to IoT Security Certifications

Updated: May 6


IoT Security mandates IoT Products to be compliant with IoT Security Legislation & Certifications and must be assessed by a third party authority.

It is not easy to switch the whole ecosystem to the secure side, but we definitely need security in our IoT products.


The trend is “being flexible” for existing “non-secure” service providers. It may make sense while trying to keep the majority of the IoT service providers alive even if they don’t offer “secure” solutions.


So, we have an objection here.



The current flexible approach splits an IoT product into “Platform” and “Application” layers; a third-party authority, a security lab, assesses and certifies a “Platform”. In this assessment, the security lab checks for security leaks in the platform implementation.


This is a “Passive Protection” in design time; it says the “Platform” does not have any security leak (memory overflow etc.) in its implementation, but it does not guarantee full protection in run-time especially for resource-constrained IoT devices.


It is recommended to use a certified “Platform” for an IoT device. In this way, the “Application” layer does not need to think about “Platform” layer security. The application layer implements its custom needs. It still needs to be secure; a security assessment should be performed on Application Implementation.


There are some issues with this approach in resource-constrained systems.

1- The platform layer does not have any security leak; however, it does not protect the Application layer. Application Layer can violate itself, but also it can violate even the certified Platform layer. So, “Passive Protection” by a certified Platform layer does not really offer security.


2- Who can guarantee that the application layer developer does not modify the Certified Platform Layer after the assessment, which could introduce a new security leak?


3- As mentioned, Application Layer could be assessed by a Security Lab to find and fix security leaks in the application layer. For the assessment, the IoT manufacturers must invest in building security and certification teams. After that, the IoT manufacturers need to pay for assessment costs to the security lab. If they fail in the assessment, they will need to pay again for re-assessment. And all these can be “innovation killer” costs, especially for innovative SMEs.

4- Even the application layer is assessed by a security lab, applications need upgrades by time, and the previous assessments no longer guarantee the security of future modifications on the application layer. IoT manufacturers would not prefer paying assessment costs for each application modification.


Herein, we have to decide that will we continue to be flexible for non-secure solutions or; do we need “true” secure solutions that actively protect both itself (Platform Layer) and the “Application” Layer and makes it “Assessment-Free” as much as possible.


If we offer a “security-less” and “assessment-free” environment for IoT manufacturers, we could protect IoT products, and avoid security/certification costs to allow IoT manufacturers to survive.

The question is: do we have sufficient protection profiles to offer a trustworthy and painless solution for manufacturers?


There are some alternatives; Arm PSA enforces security in the hardware layer in high assurance levels (PSA Level 2/3). Secure hardware that handles security requirements is quite helpful in security. However, supervisor applications like operating systems, are still critical to configure and make use of secure hardware properly while operating systems are resource managers. However, PSA offers higher assurance level profiles for "chips" and supervisors resource manager software's like operating systems that could handle all problems mentioned above are out of PSA scope.


SESIP is another IoT Security certification. But a traditional non-secure solution that does not protect the system, can be certified even for the highest assurance levels. Does it sound trustworthy?


We believe it is time to find new solutions to lower the market entry barriers before getting late and offer true secure approaches. Otherwise, it would not be possible to keep innovative SMEs alive once everything is settled.


The solution? We are working on exciting announcements to help IoT Manufacturers. Please follow us.


Aytac Toptas

Head of Business Development @ ZAYA

aytac[at]za-ya.co



92 views0 comments

Recent Posts

See All