To increase security in the Internet of Things (IoT), where billions of connected devices are prime targets for hacking, a number of government agencies around the world have developed standards that help IoT devices safeguard data and protect privacy. Of these government-defined security standards, the US-issued FIPS, is a well-known standard.
The FIPS standards, officially known as the Federal Information Processing Standards, are developed and maintained by the National Institute of Standards and Technology (NIST) and implemented by the US government to regulate information technology and computer security.
FIPS compliance is a requirement for products certified for use by government departments and agencies within the US and Canada. Also, because FIPS standards are widely recognized as being state-of-the-art, FIPS compliance is used as a purchasing guideline in the private sector, too.
Insisting on a FIPS-compliant solution gives users operating in the IoT the confidence that their setup is both interoperable and secure. For this reason, many IoT vendors, including those who aren’t working directly with the US or Canadian governments, now make it a priority to obtain FIPS compliance, either for the IoT device as a whole or for select components in the design.
The drawback is that obtaining FIPS certification isn’t easy. The standards are very specific in their requirements, and compliance involves rigorous verification and checking by an accredited third-party laboratory. From start to finish, the certification process can take up to a year to complete, adding unwanted time (and considerable expense) to what is already a tight development schedule.
One way to save time and effort while pursuing FIPS certification is to integrate components that have already been FIPS certified. Working with solutions that are already validated and certified makes it much easier to deliver an IoT device that meets strict requirements for security.
The most relevant FIPS standards for the IoT are the FIPS 140 series, which specify guidelines for what are termed cryptographic modules. According to FIPS definition, a cryptographic module is any combination of hardware and software or firmware that support's security functions in a computer or electronic system.
FIPS 140-2, the version currently used for compliance testing, defines four levels of security for cryptography modules. Levels 1 and 2, primarily intended for relatively simple computing devices, cover basic requirements and baseline anti-tampering features. Levels 3 and 4, which are recommended for more complex edge devices, servers and the infrastructure, build on Levels 1 and 2 by adding more sophisticated anti-tampering mechanisms, mechanisms that can detect and respond to attempts at intrusion, and in the case of Level 4, protection for environmental factors such as fluctuating voltage or temperatures outside normal operating ranges.
Designing, producing and testing the higher-level FIPS 140-2 security mechanisms is no small task, and requires extensive, specialized knowledge and investment into the certification process. Instead of investing time, efforts and financial resources in the development, developers can integrate a secure element, which can be certified as a FIPS-compliant cryptographic module.
Secure elements are developed by security professionals and designed to protect against the latest threats. Optimized for use in small, power-sensitive IoT devices, secure elements deploy a wide range of security mechanisms, including encryption, decryption and anti-tamper features, to protect the information that IoT devices transmit, receive and store.
Adding a secure element to an IoT design saves time and effort while helping to ensure a high level of protection. Using a secure element that is already certified to meet FIPS 140 guidelines gives IoT developers an extra advantage, because it means they can leverage the FIPS compliancy of the secure element without having to pursue their own FIPS certification, as long as all of the security within the product is done in the secure element.
One example of a secure element that offers FIPS certification as a cryptographic module is the NXP EdgeLock SE050. Designed for use in IoT devices, the EdgeLock SE050 is a FIPS 140-2 certified platform with security Level 3 for the OS and app, and security Level 4 for the physical security of the hardware. The higher level of certification for the hardware reflects NXP’s use of protections that deter different types of side-channel attacks, which are attacks that exploit weaknesses in the hardware implementation to reveal sensitive information.
The EdgeLock SE050 is not the first NXP solution to achieve such high FIPS ratings. The security architecture used in the EdgeLock SE050 uses security mechanisms based on NXP’s other FIPS-certified solutions, especially those in our smartcard portfolio. By using the same multi-layered approach developed for sensitive smartcard applications, such as payment and access, the EdgeLock SE050 brings the same kind of high-level, FIPS-certified protection to IoT devices.
Developers of IoT devices are already under a lot of pressure to meet tight deadlines. Adding security to the list of requirements can add stress and expense to the development cycle, since designing an effective, FIPS-compliant solution takes time and requires specialized knowledge.
With the EdgeLock SE050, developers can leverage NXP’s decades-long know-how in security to deliver to market faster. Our standards-based approach to security and our high-level compliance with industry-recognized standards help to ensure that our IoT solutions deliver strong protection. The certified EdgeLock SE050 enables a significant advantage, by making it easier to deliver an IoT solution that meets strict requirements and accelerates time-to-market without having to navigate and pay for a complex certification process.
To learn more about the EdgeLock SE050 and its FIPS 140-2 certification, visit www.nxp.com/SE050
Giuseppe is product manager at NXP Semiconductors. As part of the IoT security team, he is driving NXP’s secure element offering for IoT products making security more accessible. He works with IoT and Industrial customers and supports them in understanding security threats and in the realization of their secure IoT solution. Giuseppe has experience in system engineering roles with focus on IoT, edge and cloud architectures.
