To increase security in the Internet of Things (IoT), where billions of
connected devices are prime targets for hacking, a number of government
agencies around the world have developed standards that help IoT devices
safeguard data and protect privacy. Of these government-defined security
standards, the US-issued FIPS is a well-known standard.
A Measure of Excellence
The FIPS standards, officially known as the Federal Information Processing
Standards, are developed and maintained by the National Institute of Standards
and Technology (NIST) and implemented by the US government to regulate
information technology and computer security.
FIPS compliance is a requirement for products certified for use by government
departments and agencies within the US and Canada. Also, because FIPS
standards are widely recognized as being state-of-the-art, FIPS compliance is
used as a purchasing guideline in the private sector, too.
Insisting on a FIPS-compliant solution gives users operating in the IoT the
confidence that their setup is both interoperable and secure. For this reason,
many IoT vendors, including those who aren’t working directly with the US or
Canadian governments, now make it a priority to obtain FIPS compliance, either
for the IoT device as a whole or for select components in the design.
A Complex Process
The drawback is that obtaining FIPS certification isn’t easy. The standards
are very specific in their requirements, and compliance involves rigorous
verification and checking by an accredited third-party laboratory. From start
to finish, the certification process can take up to a year to complete, adding
unwanted time (and considerable expense) to what is already a tight
development schedule.
One way to save time and effort while pursuing FIPS certification is to
integrate components that have already been FIPS certified. Working with
solutions that are already validated and certified makes it much easier to
deliver an IoT device that meets strict requirements for security.
FIPS 140 for Cryptographic Modules
The most relevant FIPS standards for the IoT are the FIPS 140 series, which
specify guidelines for what are termed cryptographic modules. According to
the FIPS definition, a cryptographic module is any combination of hardware and
software or firmware that supports security functions in a computer or
electronic system.
FIPS 140-2, the version currently used for compliance testing, defines four
levels of security for cryptographic modules. Levels 1 and 2, primarily
intended for relatively simple computing devices, cover basic requirements and
baseline anti-tampering features. Levels 3 and 4, which are recommended for
more complex edge devices, servers and the infrastructure, build on Levels 1
and 2 by adding more sophisticated anti-tampering mechanisms, mechanisms that
can detect and respond to attempts at intrusion, and in the case of Level 4,
protection against environmental factors such as fluctuating voltage or
temperatures outside normal operating ranges.
Designing, producing and testing the higher-level FIPS 140-2 security
mechanisms is no small task; it requires extensive, specialized knowledge and
investment in the certification process. Instead of investing time, effort
and financial resources in that development, developers can integrate a
secure element, which can be certified as a FIPS-compliant cryptographic
module.
Secure elements are developed by security professionals and designed to
protect against the latest threats. Optimized for use in small,
power-sensitive IoT devices, secure elements deploy a wide range of security
mechanisms, including encryption, decryption and anti-tamper features, to
protect the information that IoT devices transmit, receive and store.
Adding a secure element to an IoT design saves time and effort while helping
to ensure a high level of protection. Using a secure element that is already
certified to meet FIPS 140 guidelines gives IoT developers an extra advantage,
because it means they can leverage the FIPS compliance of the secure element
without having to pursue their own FIPS certification, as long as all of the
security within the product is done in the secure element.
NXP FIPS 140-2 Certified Security
One example of a secure element that offers FIPS certification as a
cryptographic module is the NXP EdgeLock SE050. Designed for use in IoT
devices, the EdgeLock SE050 is a FIPS 140-2 certified platform with security
Level 3 for the OS and app, and security Level 4 for the physical security of
the hardware. The higher level of certification for the hardware reflects
NXP’s use of protections that deter different types of side-channel attacks,
which are attacks that exploit weaknesses in the hardware implementation to
reveal sensitive information.
The EdgeLock SE050 is not the first NXP solution to achieve such high FIPS
ratings. The security architecture of the EdgeLock SE050 uses security
mechanisms based on NXP’s other FIPS-certified solutions, especially those in
our smartcard portfolio. By using the same multi-layered approach developed
for sensitive smartcard applications, such as payment and access, the EdgeLock
SE050 brings the same kind of high-level, FIPS-certified protection to IoT
devices.
Convenient and Cost-Effective
Developers of IoT devices are already under a lot of pressure to meet tight
deadlines. Adding security to the list of requirements can add stress and
expense to the development cycle, since designing an effective, FIPS-compliant
solution takes time and requires specialized knowledge.
With the EdgeLock SE050, developers can leverage NXP’s decades-long know-how
in security to get to market faster. Our standards-based approach to
security and our high-level compliance with industry-recognized standards
help to ensure that our IoT solutions deliver strong protection. The
certified EdgeLock SE050 offers a significant advantage by making it easier
to deliver an IoT solution that meets strict requirements, and it accelerates
time-to-market without the need to navigate and pay for a complex
certification process.
To learn more about the EdgeLock SE050 and its FIPS 140-2 certification, visit
www.nxp.com/SE050