
New Security Standards and Regulations for Secure Elements

Microchip expert Todd Slack shares the lay of the land regarding worldwide embedded security standards and regulations in early 2022.


Global Security Standards and Regulations

Watch the video or read the transcript for the video below:

Hi everyone, Ulises here for Microchip Technology. Welcome to Ask Our Experts, a series of videos where we answer some Frequently Asked Questions (FAQs) on a diverse set of topics.

Today's topic is on secure elements. To help answer our question, we welcome Todd Slack. Todd is a technical staff engineer in our secure products group and is well versed on this topic. So, let's get started. Todd, since 2019, we've seen a rise in security standards and regulations across the globe; can you illustrate that landscape for our viewers?

Product Security in the U.K.

Well, there's no shortage of activities around the globe as it relates to security and specifications. We'll start off in the United Kingdom (U.K.), which has been influential for a number of different IoT (Internet of Things) specs, for example. They have introduced this notion of security by design, and the IoT Security Foundation released Thirteen Principles in IoT Security with three core principles—the first one being no default passwords. The second one is that you have to have a vulnerability disclosure process, or PSIRT is covered within Microchip Technology, so you can visit our PSIRT site, which is the Product Security Incident Response Team.

What that means is that if an outside source discovers a vulnerability, you can submit that to the PSIRT site. And then we have a team that will go through a review process to verify what was submitted, determine whether or not it is an actual vulnerability and then we would move down the list if we feel that it does require a documented response. Then we would also go through a process determining what level of security vulnerability does this represent and then ultimately, we could put together a report that we would put out to our customer base and we can make that publicly available and/or document things directly with each individual customer who might be impacted by the vulnerability.

European Security Standard

If you move from the U.K. to greater Europe, you have EN303645 and that is basically a mirrored initiative to the documentation that the IoT Security Foundation put together. You can actually see some identical language in each of those.

U.S. Standard

In the United States (U.S.), we have NIST (National Institute of Standards and Technology). They're not quite as far along, but they have come up with this initiative, the IR 8259, which is starting to mandate that they go off and create some similar specifications surrounding privacy and a lot of familiar activities.

As you move around the globe, you see some activity in India, Korea. Australia has the IoT Code of Practice, and you'll see a number of similar sorts of requirements; again, you have no default passwords, vulnerability assessments, you must be able to keep your software updated, securely store credentials and it goes on and on down the list.

Now beyond the standards, which are mostly best practices at this point, we do have some legislation kicking in to make it required by law. So the U.K. is intending to make the first three principles, the core principles, legislated in 2022 sometime. So, coming up pretty soon. In the U.S., we have California and Oregon leading the charge on privacy requirements, which will also get driven into legislation and then the European Union (EU) is sure to follow.

In short, there is no shortage of activity, yet at least there's a lot of commonality for what we're seeing across the globe so that you can have solutions like secure elements with our ECC608 and Trust Anchor, where we have gone through the process of putting together an app note and a blog that can show our customers exactly how those particular devices can support these initiatives.

Thanks, Todd. Good to see you again! For our viewers, make sure to check out our secure elements web page. And don't forget to subscribe to our YouTube channel to be the first to know when we have more insights from our experts. We'll see you next time!

Todd Slack, Sep 20, 2022
Tags/Keywords: Security