
Cybersecurity and the IoT Today: The Importance of Being PSA Certified – Futurum Tech Webcast Interview Series
by Shelly Kramer | October 1, 2020

This episode of the Futurum Tech Webcast – Interview Series is part of our newly launched Women in Tech Series. I’m thrilled to have as my guest today Jasmina Omic, product manager for services with Riscure, a global security lab offering security services and tools.

We’re talking all things cybersecurity and the IoT today, and the importance of being PSA Certified.

PSA Certified offers a framework for securing connected devices, from analysis to security assessment and certification. The framework provides standardized resources to help resolve the growing fragmentation of IoT requirements and ensure that security is no longer a barrier to product development. Jasmina played a role in the creation of PSA Certified, which is why I was excited to talk with her today.

About Jasmina Omic, Riscure

First, some background. Jasmina started at Riscure as a senior security analyst and is currently the product manager for services. She’s an engineer with experience in embedded chipset security, and has worked in a number of different markets: IoT, automotive, payment markets, etc. She brings an incredibly diverse background to her work at Riscure. Jasmina helped in the creation of PSA Certified and I wanted to share her expertise and insights on the importance of a framework that secures connected devices, from analysis to security assessment and certification.

Cybersecurity and the IoT and Why PSA Certified is Important

Today’s conversation revolved around cybersecurity and the IoT, highlighting industry-wide security concerns related to the IoT and the importance of being PSA Certified. PSA Certified offers a framework for securing connected devices, from analysis to security assessment and certification. The framework provides standardized resources to help resolve the growing fragmentation of IoT requirements and ensure that security is no longer a barrier to product development.

Our conversation covered:

  • Digital Transformation and the impact of DX for the IoT industry, which is predicted to reach a global market size of $150 Billion by 2025.
  • The pervasiveness of the IoT and the growth that’s ahead.
  • The security weaknesses that are often an inherent part of the IoT.
  • Why security is fundamental and the current drivers of IoT security, including government-driven initiatives across the globe.
  • The significant impact of the growth in IoT on the industry and what that means for consumers, OEMs, the software ecosystem, SIPs, etc., all of whom must be constantly aware of what they need to do to keep up with the governmental changes.
  • What PSA Certified offers and why an overarching certification and recognition scheme helps the whole ecosystem develop secure solutions more easily.

The Mission of PSA Certified: Architecture Agnostic Framework for Security Devices, Industry Alignment, Transparency, Faster Time to Market

The mission of PSA Certified is to provide an architecture-agnostic framework for securing devices. The organization also co-founded a certification scheme with seven security expert companies (Jasmina’s company, Riscure, is one of those companies).

PSA Certification is important because it can increase confidence in your product, demonstrate compliance to standards, and demonstrate that industry best practices have been followed and applied in every step of the development process. This means faster time to market, with confidence that can be counted on.

The goal of PSA Certified is to help align the industry as a whole, set a level of security, and enable a transparent conversation on security that results in everyone talking the same language about the same structures of security.

With over 40 products from over 25 companies now certified, there is much excitement about what’s ahead for PSA Certified and the good the organization can do in the IoT ecosystem.


Why Certify? Why PSA Certified?

With over 5,400 attacks on average per month targeted at IoT devices, the risk of a hack is great — and the cost of inaction can be even greater. Addressing that risk with PSA Certification can speed both time to market and adoption rates and provide confidence about device security right up front. Equally important, governments are taking action, and products that don’t meet a myriad of government standards, requirements, and regulations don’t get to market. PSA Certified maps products to government-backed baseline requirements, standards, and emerging law, essentially doing the legwork for you.

Expert IoT security assurance is important today and, as the number of IoT connected devices continues to grow, it will rapidly become even more critical. PSA Certification allows companies to meet regional cybersecurity and regulatory requirements with relative ease. It also helps keep development processes in check and create audit trails that help organizations protect their investment in development and allow them to design security directly into their product from the start — avoiding the possibility of a hack.

The PSA Certified founding members specialize in security and created this program to provide free access to world-leading expertise. To find out more about PSA Certified, or to get more information on certifying your product, visit the PSA website.

Disclaimer: The Futurum Tech Podcast is for information and entertainment purposes only. Over the course of this podcast, we may talk about companies that are publicly traded and we may even reference that fact and their equity share price, but please do not take anything that we say as a recommendation about what you should do with your investment dollars. We are not investment advisors and we do not ask that you treat us as such.


Transcript:

Shelly Kramer: Hello, and welcome to this episode of the Futurum Tech Webcast, Interview Series. This is part of our newly launched, Women in Tech series, and I’m thrilled to have as my guest today, Jasmina Omic, and she’s with Riscure, a global security lab offering security services and tools. We’re talking about all things cybersecurity today, and the importance of being PSA Certified. PSA Certified offers a framework for security-connected devices from analysis to security assessment and certification. And this framework provides standardized resources to help resolve the growing fragmentation of IOT requirements, and really ensure that security is no longer a barrier to product development.

That sounds like a mouthful, but the real gist of this is that with the proliferation of IOT devices, integrating security into the nascent stages of product development is more critical now than ever before. So that’s really what we’re talking about today. And Jasmina helped in the creation of PSA Certified, which is why I’m so interested to talk with you today.

So, before we get started on our conversation about all things security, Jasmina, why don’t you tell us a little bit about your career and your career path. You and I have spoken a little bit about this before, and I think it’s fascinating, the journey that you’ve had. Welcome, and I can’t wait to hear more from you.

Jasmina Omic: Thank you. I’m very happy to be here and have the opportunity to share information about PSA Certified. And I’m very happy that you’re also asking me about my career for stimulation of other women in technology. I started studying electrical engineering and after electrical engineering I got interested in math. So I did my PhD in mathematics, and finally I got a little bit overwhelmed with the mathematics and with doing things in abstract manner and I decided to go in security domain and have a hands-on work, which is security evaluation of embedded devices and embedded chipsets.

After finishing all this, I got a large knowledge from the different type of markets and different type of solutions in payment industry, and media, and entertainment industry in automotive and IOT. And from that perspective, with this type of knowledge, understood that it’s very useful for the company to become a product manager for services and have an oversight over all the services that we are actually doing in this company.

Shelly Kramer: I think I remember a line in our conversation a week or so ago about hacking your way into things, because you love… That’s been the secret to my career success, is that I love change, and I love solving problems, and I love walking into a situation and being the person and being part of a team, not really necessarily just an individual, but being part of a team that says, “How do we get to the yes? How do we make this happen?”

And I think that’s really, for me, an exciting part of my career, that and also just being able to love change and learning new things. And I’m very grateful. I think that we are wired how we’re wired, and for those of us who are wired to truly love change, we’re so fortunate because I think we live in a world today where change is a requirement and it’s given. And for those people, for whom change is hard, it’s tricky. So they need to get on the change train.

So let’s talk a little bit about digital transformation and the impact of digital transformation in the IOT industry. I’ll quickly note that the IOT industry is predicted to reach a global market size of 150 billion by 2025. This is no small industry, and we know that industries as a whole are moving to adopt digital solutions, which make their businesses more efficient, and everything today is powered by data and lots and lots of data.

And so, the traditional, internet connected people to machines, the IOT connects machines to machines and then takes all this data that machines collect and shares it. But every part of that journey of that data involves security. So you’ve got an insider seat here, Jasmina, let’s talk a little bit more about the IOT and how it’s probably more pervasive than most people realize. And also, maybe we can touch on how the IOT is powering and it really will power everything we do. So what do you think? Talk with me a little bit about the IOT.

Jasmina Omic: IOT is in the large expansion right now. There are smart homes, the automotive is really extremely spreading out, there are services and offerings that they can provide. For example, it is going to be possible to pay the oil that you’re purchasing for your car, the electricity you’re purchasing for your car, you can pay that with your car. There’s payments enabled in cars. It is possible to warm up your smart home while you are coming back because your thermostat is connected to the internet and it is available on your phone, your lighting is available on your phone.

A lot of critical infrastructures are getting very advanced and very fast. The different type of sensors are embedded, and expanded, and present. And this amount of data gathered about people by devices that are developed very quickly and under strong pressure of the price is really influencing security.

Security can be created only if you have a secure development process within your company when you are deriving software and when you are basing your decisions about the platform. And only if you have secure development cycle, then you can produce secure devices. And IOT is connected to the networks and can influence the security over the complete network, because it is simple and it is very sensitive to security, it is practically an open door for your network or your infrastructure, many different kinds of security issues can be born there. That’s why security in IOT devices will become extremely important very quickly.

Shelly Kramer: Oh, yes, I absolutely agree. And to step back from this a little bit and give the most simple of examples, you spoke about smart cars and smart thermostats, but there are toys. My kids are teenagers, so they’re past little kid toys these days, but I’ve written in the past a lot when my kids were younger about IOT-connected dolls and other devices that children play with, many of which were developed without any thinking at all about security.

And concerns at that time, when I was writing about it was really about children’s privacy and things that parents were integrating into their homes that they didn’t really realize were not secure. And a lot of us have smart thermostats and I drive a car that is IOT-connected. And it’s like once you get used to those things that surround you, you don’t even think about it.

You walk into a smart office building back in the day when we used to go to office buildings, but all of these things that happened that are conveniences and that we take for granted, but then when you extrapolate it out to utilities, smart cities and automobile and things like that, there’s also extreme dangers involved.

It’s bad enough that Barbie, and actually, I shouldn’t use that brand name. It’s bad enough that any doll is developed, and it’s IOT-enabled, and it is not secure, but it’s critically important when you start looking at critical infrastructure or when you look at business data, when you look at consumer data, when you look at customer data and all of those things. And so, that’s really when security becomes… I believe that every conversation has to start with security as the foundation, and hopefully this conversation will get people thinking about that a little bit more as well.

So as you have seen businesses rush to digital transformation, what changes do you see as you talk with colleagues or you work with clients? What changes do you see that you think companies might need to think about and adapt?

Jasmina Omic: First of all, companies need to start with embedding the secure development process in their development process. Next to that, it is absolutely important for all the OEMs that are developing on certain platform to consider the security of the platform and to have a way to communicate with the market. What is the security requirements that you are covering and how are they applied when I’m developing my application, my OS on top of it?

Basically the governments are also taking the first steps in legal regulation of consumer devices IOT. In Europe, ENISA is doing a standardization, in US, we have NIST doing the standardization. We also have several states in US that are taking the first steps towards legislation, such as California on bill SB-327, and there are similar activities in Oregon and Virginia in US.

In Europe, the legislation will start with European commission and ENISA is the main advisor and main driver there. And there is a cybersecurity act which is driving the digital transformation that is happening in Europe, which will include IOT for consumer devices. But ENISA is also thinking about IOT in the transportation market as well as health markets. This is going to happen in the next two, three years. And it is very important for OEMs to get ready and be really in a position where they can produce products that are secure, and they can market them openly, and they can communicate with the market about the security level that they have.

Shelly Kramer: I agree. And it’s of one of those things that you don’t develop a product, that’s not the first step. You step back and you think about not only what the impact of this product is and what the potential of this product is, but what are all the regulations in all the countries where I hope to be able to sell this product, and I need to take into consideration. Because if you do that later, you’re going to have a lot of headaches. And I think that that’s one of the things that I see that brands really need to adapt to.

And we’ve done actually a couple of different research studies here at Futurum in the last couple of months, and one of them surveyed 2000 consumers and 2000 brands on customer experience and talked with customers about how they felt about privacy and data privacy.

Customers do very much feel vulnerable, and I think that you made a point about messaging. And really speaking in your messaging to consumers, whether it’s direct to consumer or whether it’s a B2B consumer, and really letting customers know that you start with security, and their security means everything to you. I think that’s really important and that’s the part of messaging that PSA Certified shares as well.

So I think we’ll see lots of changes in that. And when you can plan in advance for all of the hurdles that you have, you’re going to be on a much better path down the road.

We’re talking about security and the other report that I mentioned was about security and about breaches. And these days, when it comes to cybersecurity, it’s really not a matter of whether your company will in some way experience a data breach, it’s more when that will happen or how often that will happen.

And part of our research was around IT functionality and our survey audience were asked questions about whether you use the dashboard so that you can have a bird’s eye view of security operations throughout your organization. And the people who responded to our survey that they did actually had a higher incidence of reported breaches that were discovered and remediated than people who weren’t looking at security.

So anyway, security is fundamental and hackers are getting more, and more, and more sophisticated. So talk a little bit about what the role cybersecurity plays here in the IOT industry, and what we’re seeing happen with regard to governments and how they’re waking up. Do you have any thoughts on that?

Jasmina Omic: Security in IOT industry will affect OEMs, it will affect the consumers, business to business case. The problem with security is that it’s always a future risk, and you need to estimate this risk to understand better what will happen to your market, what will happen to your product. It happened before that cameras that are stored in houses have been broken from the internet side and have been taken over by hackers. This led to significant drop in sales for some camera producers, until they went for a proper certification in this context, in common criteria, then they were able to sell the cameras again.

There are aspects of security which will influence OEM sales capabilities or could lead to the problems with liability if the legislation is open, as it is going to be in next few years. That’s where Europe is going, that’s where US is going. Japan is also establishing legislations which will lead to liability for OEMs. And definitely something is present in Singapore as well, they’re the leading country in this aspect.

Shelly Kramer: That doesn’t actually really surprise me. And so, really, security can’t be optional. That’s the drum that we’re beating in this conversation. Security can’t be optional. And that’s really where I see the PSA certification offering having so much value. Can you talk a little bit about the different level one certificate and the level two certificates? Can you talk a little bit about the differences there and why they bring so much value as part of this equation?

Jasmina Omic: PSA Certified is also trying to make umbrella over different events that are currently happening in the market in the legislation aspect, in standardization aspect, but also the industry-driven schemes such as ioXT in US, and there is also CECIP in Europe. And PSA is trying to build an umbrella that will incorporate all these different specifications and build that on top of the base and basis, practically a platform on which applications will be built afterwards.

There are multiple levels in this scheme, starting with level one, which is driven by the questionnaire and can be used by the platform developer, chipset developer, by the OS developer and by the application developer, which practically creates a device in the end. The questionnaire is actually describing the architecture and verifying that there are security aspects built into the architecture. And these architectural aspects are considered by the security evaluation labs. Security evaluation labs do not go into the implementation for level one. So at least the security architectural level is sound and secure.

The next level, L2 level, is focused on the platform or practically a chipset. And in this sense, the security level is going into the implementation and provides more assurance that security is really implemented and is really working on this device.

Next is also planned and is going to be developed soon is level three. The difference between level two and level three is in the intensity the attacker can put into the evaluation of the device. The hacker can hack level two devices with less effort, while the level three devices will require much more effort, activities such as side channel, fault injection, hardware access and will go really deep inside the security. That would be the approach PSA Certified is taking, and it’s building certain levels, so for everybody to develop their platforms and then further own the solutions on top of them, which are actually bringing security in the market of IOT.

Shelly Kramer: I’m thinking a little bit about there is economic benefit is they’re not in terms of messaging, in terms of your commitment to your customers, in terms of we care so much about security that being PSA Certified is a no brainer. Is that really part of what this value proposition is about when we get… And there are many, many, many advantages, many very technical advantages, and I get that, and those are all things that we should care about. But I think that when you look at the bottom line, when you look at dollars and cents, when you look at all of that sort of thing, to me this is really a no brainer, this interjects so much in terms of potential cost savings down the line. How do you feel about that?

Jasmina Omic: For OEMs, building on top of the secure platform is much easier. It’s much easier to bring security in such a device. It saves in the development process quite a lot, and also any kind of liability or modifications later on, they are also offloaded. And PSA Certified, the main purpose of this certificate and other certificate as well is to communicate in the market. This is a secure product, this is a secure platform, if you build on top of it, and if you use it properly, you will develop a secure device. This is reducing the amount of money that is needed to be placed in security and it’s also simplifying communication between OEMs and vendors for the chipset and platforms.

Shelly Kramer: I think of it as being part of a community, and trusting and relying on. I believe that the PSA Certified works to align the industry and we’re all working from the same playbook, we’re all following the same game plan. I think I’ve been watching too many episodes of Friday Night Lights right now. But it does truly set a new level of security.

And I think that when we treat security as part of the development process or as part of anything that we do as a secret, I think that becomes a challenge. And I think that when we can talk about security, and we can talk about the importance of security, and we can talk about how to have more secure systems, and how we can work within a framework of being PSA Certified, I think that it really makes everyone talk the same language. And I think that that’s really important for our industry today for enterprises and for consumers.

Jasmina Omic: Speaking the same language is only one aspect, basing your security on sound security concepts such as root of trust, proper cryptography, proper communication is really critical for you to actually build on top of that, everything that is required by the governments and will be required in the next few years.

And next to communication, it’s also the independence of the security evaluation. PSA Certified products are evaluated by an independent security lab, which means it’s not that your vendor is trying to market their product to you. It’s that vendor of yours that you’re buying from has really proven and shown that third-party independence, hacker or evaluator, or an analyzer actually estimated that this security is of a certain level and that it is really the correct claim that you are showing off to your vendors, to your consumers.

Shelly Kramer: I think that’s incredibly important and I think it will get more important as time goes on and as the IOT continues to grow at its rapid pace. Well, Jasmina, is there anything… I feel like maybe this wraps up our conversation. Is there anything that I haven’t touched on that you want to leave us with?

Jasmina Omic: I would like to also share the fact that there are many IOT products that will come up. A lot of them will be quite different and will be used for different purposes, but they do have platforms that are coming only from several Silicon vendors. There are about 25 Silicon vendors that went through the PSA Certified evaluations with their products, and there are over 40 products available that have passed level one and level two certification. And this is a good base and very large market acceptance that PSA Certified has actually achieved. I would like to share that, I think that’s a big success.

Shelly Kramer: I think that’s a great success. I think that’s a great success, indeed. I’m glad you shared that. Well, thank you so much for being a part of this interview series and for hanging out with me today, it has truly been a pleasure getting to know you and having this conversation about cybersecurity, and I hope you’ll come back and hang out with me again sometime.

Jasmina Omic: Oh, that would be very nice. I really enjoyed it. Thank you.

Outro: Thank you for joining us on this week’s Futurum Tech Podcast, The Interview Series. Please be sure to subscribe to us on iTunes and stay with us each and every week as we bring more interviews and more shows from our weekly Futurum Tech Podcast.

 
