While Netherland’s Brightsight is not a widely known name, it has been around for years in the security certification and testing space and we first came across the business in 2010 as ARM was starting to find its way into the security space, leveraging Trustzone and have covered its involvement in what was initially called SEPIA (Secure Embedded Platform with Process Isolation and Anonymity) in partnership with ARM, Infineon, Giesecke & Devrient and Austria’s Graz University of Technology back in 2010/2012.
Today it claims to carry out more security evaluations than any other company in the world, more than 3 x than its closest rival, and at Embedded World 2020 a few weeks ago, it announced it is the first security firm to certify for SESIP (Secure Evaluation Scheme for IoT Platforms) making the framework a genuine bidder to provide multi-layered security offerings across the IoT.
As of now this grouping gets its credibility from one of the chip leaders in IoT, NXP, built around the old Philips and Motorola Semiconductor businesses, as a sponsor of the SESIP framework. Essentially Brightsight is the first lab licensed by owner TrustCB to perform SESIP evaluations, though others will follow.
We talked to Carlos Serratos, Director Business Development at Brightsight this week, and he talked us through that and the company’s continuing involvement with ARM through its Platform Security Architecture aimed at pushing the ARM architecture into the IoT.
The first thing Serratos assured us was that SESIP would be backed by 3 to 5 of the top semiconductor houses as and when they were certified for it, and he though in short order later this year. It is a framework for defining the security level required for differing use cases in IoT, that came out of two things – a standard for government procurement, and optimized around the Common Criteria (CC), the methodology by which smart cards were macde secure for financial apps.
CC is an internationally recognized methodology for IT security evaluation. SESIP uses composite security evaluations to certify individual hardware and software components separately.
Serratos told us it was built around use cases, “Use cases tend to be bottom up, but security has to be defined top down,” he said with the most stringent security requirement set first, and then some elements of it is relaxed as the use cases require less security. “There is no such thing as a ‘risk free’ framework, but you can reduce risk. Think of this like insurance – if you can demonstrate and show real evidence that you have built your systems adhering to a secure framework, you can get cheaper insurance.”
He then analogized it around the UK governments’ Cyber Essentials, which is a multi-layered set of steps for businesses to prevent most of the simpler cyber-attacks.
If you are talking about a humble sensor out in a field running on a battery reporting infrequent and meaningless readings, security does not have to be at the level of a smart chip on a payment card. But that sensor can still be recruited into a distributed denial of service attack, so you have to carry out sufficient security to prevent that happening. As you move towards the cloud, there are a variety of data aggregation sites, which need better protection, and finally once you are dealing with multiple millions of readings or transactions, your whole business may be reliant on cloud held software which may need full cyber protection. We put it like that to Serratos and he said, “That’s pretty much what we’ve done. First you show us the hardware, and we test it for security, and then as you put each layer of software on it we test the software, layers to check these too are secure. It works in three levels, silicon, system design and software?” said Serratos.
We had another discussion about software updates, and he made the point that it was not automatic in IoT to build in software updates, because some business processes were so cheap at the endpoint, that a new endpoint can just be installed, rather than enabled it with security to protect over the air updates – making it use case driven.
IoT products which are developed using SESIP certification makes it quicker to market at a lower cost is the sales line here.
The scheme is aimed at the certification of individual IoT platform components, providing evidence of the security functionality and its strength against physical, logical and software attacks.
The SESIP platform is owned by TrustCB, and it is supposed to let us extrapolate the rigor of the Common Criteria certification process, and templatize it so that it fits onto other verticals like IoT and automotive. Not identically, but with layers of complexisty and risk. NXP is a market leader in automotive, so this may well be one of the key reasons that NXP is out of the gate first. Brightsight was called in to help develop SESIP, as was local Dutch rival Riscure.
It is tough to say for sure if SESIP will take the honors in the IoT market, coming as it does from security applications in finance where security is pretty much the product, where it is highly valued. IoT has traditionally valued it less and only typically looked at securing aggregated data when it has been made meaningful through aggregation in, or on the way to, the cloud.
Separately Brightsight also reminded us that it is a lead partner of ARM in setting up Platform Security Architecture (PSA) and its certification which seems to come from its earlier work with ARM. This is more about the ARM hardware architecture although it does extend to other hardware platforms such as Risc-V and MIPs, but it very much works at the hardware level. “We want to be very careful that we do not support multiple different security architectures,” said Serratos, “think of ARM as being highly prescriptive at the hardware level and SESIP being more of a dynamic certification. But they are very similar,” he added.