In the industrial Internet of Things (IIoT), manufacturers are using cryptographic modules to implement the security protocols and algorithms that protect data and prevent unauthorized access to edge devices and the networks they connect to.
Manufacturers can choose from a number of cryptographic modules, but those that comply with the latest Federal Information Processing Standard, or FIPS, are widely considered to be highly trustworthy. That’s because FIPS publications, which are developed and maintained by the US National Institute of Standards and Technology (NIST), define minimum security requirements for cryptographic modules in information-technology (IT) products, and address nearly 11 areas related to module design and implementation. FIPS aligns with ISO/IEC 19790:2012 (E), which defines four security levels to address a range of application environments, and spans the design, implementation and deployment of a module.
Cryptographic modules that are labeled FIPS-compliant have been closely examined by a federally accredited lab and given a Cryptographic Module Validation Program (CMVP) certificate. In the US and Canada, any federal agency or institution that receives federal funding, and any private-sector organization that works with the federal government, must use FIPS-compliant solutions. FIPS publications are also used as a purchasing guideline worldwide in the private sector, and as the basis for compliance obligations in a broad range of regulated industries, across global markets.
Because the FIPS publications are so widely trusted and respected, many IIoT vendors now make it a priority to obtain FIPS compliance, either for their IIoT device as a whole or for the security subcomponents embedded in their design.
FIPS publications are periodically revised, to keep pace with new and emerging threats. For several years, FIPS 140-2 has been the reigning standard, but 140-2 is now being replaced by FIPS 140-3.
The last day of CMVP testing for FIPS 140-2 was September 22, 2021. CMVP certificates are valid for five years, which means that all current FIPS 140-2 validations will sunset on or before September 21, 2026.
The NIST Computer Security Resource Center, or CSRC, maintains a searchable list of active CMVP validations, so it’s easy enough for developers, purchasing agents and other people involved in IIoT deployments to check the status of a given CMVP certificate.
CMVP validations can be marked as “revoked” or “historical.” According to the CSRC website, if a validation certificate is marked as revoked, then the “module validation is no longer valid and may not be referenced to demonstrate compliance with the 140 standards.” If the validation certificate is marked as historical, then “Federal Agencies should not include these in new systems but [they] can be procured for legacy systems.” For a more detailed explanation of the difference between “revoked” and “historical” status, refer to the CMVP website.
Because support for 140-2 is coming to an end, manufacturers are encouraged to pursue 140-3 certification as soon as they can. Transitioning to the latest FIPS certification helps products stay current, with the most up-to-date protections, and avoids having solutions marked as revoked or historical.
Products that have already received FIPS 140-2 certification should be relatively easy to upgrade to 140-3, since the bulk of the requirements for 140-2 and 140-3 are the same. There are, however, a few notable things that have changed.
To begin with, 140-3 introduces noninvasive physical requirements as an option. This includes guidance for protection against side-channel attacks, which involve exploiting leakage of physical information from the system during the execution of an application.
140-3 also includes stricter zeroization requirements for Critical Security Parameters (CSPs). In other words, 140-3 refines the process for permanently erasing or destroying security data, such as keys, passwords, PINs and other information used to perform cryptographic functions, should the data be somehow disclosed or modified. Zeroization for CSPs helps prevent cryptography-related data from being recovered and used to compromise the security of the module, the system as a whole and/or the information it protects.
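To make the zeroization idea concrete, here is an added example (not NXP's code and not part of the original article) of erasing CSPs held in RAM so that the compiler cannot optimize the erase away. The `csp_store_t` layout, the function names and the sample key and PIN are hypothetical and constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical in-RAM container for a module's CSPs (illustrative layout). */
typedef struct {
    uint8_t aes_key[32];
    uint8_t pin[8];
    int     valid;          /* non-zero while the CSPs may be used */
} csp_store_t;

/* Write zeros through a volatile pointer. A plain memset() on a buffer that
   is never read again is a "dead store" and may be removed by the optimizer;
   volatile stores must be emitted. Where the platform offers memset_s() or
   explicit_bzero(), those serve the same purpose. */
static void secure_zero(void *buf, size_t len)
{
    volatile uint8_t *p = (volatile uint8_t *)buf;
    while (len--)
        *p++ = 0;
}

/* Zeroize the whole store: keys, PIN, flag and any padding bytes.
   Afterwards valid == 0, so callers that check it refuse to use the CSPs. */
void csp_zeroize(csp_store_t *s)
{
    secure_zero(s, sizeof *s);
}

/* Returns 1 if every byte is zero; OR-accumulates without early exit. */
int is_all_zero(const uint8_t *buf, size_t len)
{
    uint8_t acc = 0;
    for (size_t i = 0; i < len; i++)
        acc |= buf[i];
    return acc == 0;
}

/* Load constructed sample CSPs, then zeroize as a tamper or disclosure
   handler would. Returns 1 if the CSPs were present and are now erased. */
int demo_zeroize_on_tamper(void)
{
    csp_store_t s;
    memset(s.aes_key, 0xA5, sizeof s.aes_key);  /* constructed sample key */
    memcpy(s.pin, "12345678", sizeof s.pin);    /* constructed sample PIN */
    s.valid = 1;
    int loaded = s.valid && !is_all_zero(s.aes_key, sizeof s.aes_key);
    csp_zeroize(&s);
    return loaded && is_all_zero((const uint8_t *)&s, sizeof s);
}

int main(void) { return demo_zeroize_on_tamper() ? 0 : 1; }
```

This covers only copies the code knows about in RAM; copies left in registers, caches, swap or non-volatile storage need their own handling.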
Another important addition to 140-3 is that it introduces mechanisms, such as SP 800-140Br1, which allow for the automation of aspects of the FIPS documentation and reporting. This is part of a broader effort from the CMVP to further automate the FIPS testing process, with the goal of reducing certification times. Certification still requires several months to complete, though, which is another reason why manufacturers are urged to begin thinking about 140-3 certification now.
As a leader in secure connectivity solutions for embedded applications, and a trusted provider of security solutions for smartphones, bank cards and passports, NXP has a long history of security certification, not only with Common Criteria, but with FIPS, too. As a matter of fact, we began offering FIPS-certified products more than a decade ago and have continued to keep current with FIPS publications as they’ve evolved.
We were also one of the first noncommercial testing labs to be accredited as a first-party laboratory for the NIST Cryptographic Algorithm Validation Program (CAVP), meaning we are authorized to provide validation testing of NIST-approved/recommended cryptographic algorithms and their individual components.
Since 2021, our EdgeLock® SE050 family of secure elements has included Common Criteria (CC) EAL 6+ and FIPS 140-2 Level 3 certified security for strong protection in a broad range of IoT applications, including industrial. Now, with the impending transition to FIPS 140-3, we’ve launched the EdgeLock SE052F, a secure element certified for Common Criteria (CC) EAL 6+ and the FIPS 140-3 standard. The EdgeLock SE052F is the first secure element certified to FIPS 140-3. More specifically, it is certified as a cryptographic module to Level 3 of FIPS 140-3 for the OS and applet, and to Level 4, the highest available, for the physical security of the hardware.
Prevalidation for FIPS and CC EAL certification means that developers can save time, effort and cost when delivering new products. If an embedded FIPS-certified module, such as the SE052, is used to run all the cryptography in a product, then a separate FIPS certification at the product level is not required. The EdgeLock SE052F also features cryptographic functionalities, such as ECDSA and ECDH/E, based on NIST and Brainpool curves, as well as RSA up to 4K (including key generation), and authenticated AES encryption modes CCM/GCM.
As the first hardware secure element for the IIoT certified for FIPS 140-3 Level 3, the EdgeLock SE052F combines protection and convenience, making it easier to develop and deliver a broad range of secure, differentiated IoT devices.
In August 2024, Axis Communications, a leader in network physical security products, including scalable, easy-to-integrate IP-based products and innovations for security and video surveillance, launched the AXIS Q1809-LE Bullet Camera, the first network security device to offer FIPS 140-3 certification based on the EdgeLock SE052F.
The Axis CTO, Johan Paulsson, explained the company’s choice of the EdgeLock SE052F by saying that it “allows us to push the limit of edge device security within the physical security industry.” Going forward, to improve the cybersecurity postures of their customers, Axis will continue to expand their range of FIPS 140-3 certified devices, by embedding the EdgeLock SE052F into all of their upcoming network products, from cameras to access control, intercom and audio products.
As the need for security increases, and more IIoT deployments demand FIPS certification, we anticipate that a growing number of our customers will use NIST FIPS 140-3 compliance to meet regulatory requirements and indicate advanced security capabilities.
The EdgeLock SE052F, a ready-to-use platform for secure IoT operations, runs cryptographic functionality, is a crypto module certified to the latest version of FIPS (140-3) and provides out-of-the-box FIPS compliance. Designed as a turnkey solution, it simplifies the delivery of secure, differentiated IoT devices.
To learn more about NXP’s approach to IIoT security and support for FIPS 140-3 certification, visit the EdgeLock SE052F page.
Giuseppe is product manager at NXP Semiconductors. As part of the Industrial IoT and NFC security team, he is driving NXP’s secure element offering for Industrial IoT products, making security more accessible. He works with customers, supports them in understanding security threats and cybersecurity trends, and helps in the realization of their secure Industrial IoT solution. Giuseppe has experience in system engineering roles with a focus on IoT, edge and cloud architectures, standardizations and cybersecurity.
Sr. Principal Security Certification Expert, with over 15 years of experience working with the FIPS 140 security standard, Marc drives NXP’s North American security certification strategy with a focus on bringing certified NXP IoT solutions to market.
With more than 20 years’ experience in the semiconductors market, Antje leverages her understanding of security and mass market to drive NXP secure element solutions into the industrial and smart city markets.