The Cost-Efficient, Time-Saving, and Multipurpose Certification: SESIP Emerges as the Hottest IoT Security Certification
To mitigate such risks, the industry’s awareness of IoT cybersecurity has risen, with a growing trend of applying standardized evaluation criteria for procurement decisions. One such criterion specifically designed for IoT platforms and products, SESIP, has garnered significant attention.
The Spotlight on Security Development Accompanied by Pressure on IoT Businesses
Bruce Chou, a senior pre-sales consultant at Onward Security, a subsidiary of the DEKRA Group, explains that the IoT ecosystem's foundation is built upon chips supplied by vendors like NXP, STMicroelectronics, Infineon, Qualcomm, and Taiwanese companies like MediaTek and Realtek. There are dozens of such vendors globally. Similarly, the IoT platform ecosystem comprises the work of several hundred manufacturers, with renowned companies like Amazon, Microsoft, IBM, and Oracle each having their own IoT platforms. The largest tier by far, however, numbering in the billions of units produced, is the diverse IoT devices themselves, such as IP cameras (IP CAM), smart streetlights, smart refrigerators, etc.
Let’s start with chips. The chips of concern here are Systems on a Chip (SoC) containing processors, memory, I/O, GPU, and radio configurations, resembling small computers that often carry a significant amount of sensitive information. Moving on to the diverse IoT products incorporating these chips, suppliers generally face intense competition and therefore tend to focus only on accelerating time-to-market and reducing costs. At the initial design stage, simply making the product work used to be the only goal.
However, with increasing customer demands, regulatory compliance, and product differentiation factors, IoT developers face significant pressure to ensure cybersecurity in the design phase, which is a heavy burden under the tight schedule and budget.
"Considering that a product lifecycle is usually only 1-2 years, and now developers must spend six months to over a year on certification preparation, that is indeed a daunting challenge,” Chou notes. Additionally, developers are usually proficient in product design but may not possess the same expertise in cybersecurity; implementing secure development, whether by hiring specialist talent or through self-training, entails high learning costs.
Despite this, IoT cybersecurity remains a non-negotiable necessity, as attackers will exploit any IoT device vulnerability to steal sensitive information and cripple user networks, leading to disastrous outcomes. Therefore, all IoT ecosystem suppliers must overcome these challenges to meet the relevant cybersecurity compliance requirements.
Achieving Both SESIP and PSA Certified in One Assessment
For IoT chips and end products, the most well-known security standard is the Common Criteria (CC). However, obtaining this certification can take well over a year and requires developers to compile extensive documentation, leading to significant time and financial costs that deter many businesses. Therefore, lighter IoT cybersecurity standards such as SESIP and PSA Certified have emerged. SESIP, proposed by GlobalPlatform, and PSA Certified, proposed by Arm, have both been gaining traction.
Taiwanese OEMs now face the major challenge of meeting various security certifications requested by partners or customers, which entails heavy costs. Given the short product lifecycle of merely 1-2 years, following through all requests would be impractical.
How can businesses alleviate this dilemma? A streamlined solution is needed that helps companies achieve cybersecurity with less effort, hence the high expectations placed on SESIP and PSA Certified. SESIP, or Security Evaluation Standard for IoT Platforms, simplifies the CC standard by lowering certification thresholds while still meeting IoT security requirements, making it more acceptable to IoT manufacturers.
In short, SESIP provides a flexible and efficient certification method that establishes common criteria for the complex and varied IoT ecosystem, aiming to achieve certification within 3-6 months. More importantly, SESIP helps IoT developers reduce the complexity and cost of their projects, speeding up market entry. Since an IoT device is built from several layers, from the chip upward, starting certification at the chip level is beneficial.
Chou gives an example: if Company C, a chip vendor, has already obtained SESIP certification, then by providing the certificate along with the packaged product certification documentation, its customers are exempted from additional security certification of the chip, thereby increasing the chip's appeal. Next, Company B, a Crypto Library business, may need to utilize the chip’s encryption capabilities. Building on a chip that has already obtained SESIP certification can significantly reduce Company B's learning costs and expedite certification of its Crypto Library. Finally, Company A in the System Integration (SI) industry, which needs to support customers in constructing Transport Layer Security (TLS), can use a SESIP-certified Crypto Library to lower costs and ease TLS certification, eliminating the need to start from scratch.
For Chip Vendors, SESIP provides a significant advantage by enhancing security levels efficiently without consuming excessive time and effort, thereby differentiating their products in the market. For Software Vendors, utilizing certified chips and calling functions like encryption can reduce repetitive work and accelerate the SESIP certification process. For System Integrators, SESIP can lower project development risks and costs, preventing customer complaints due to data leaks.
Additionally, for many Taiwanese OEM manufacturers and service providers, SESIP helps achieve robust compliance. The certification content of SESIP is versatile and can be mapped to different industry standards. For instance, through profiles recognized by both SESIP and PSA Certified, obtaining PSA Certified becomes easier. Moreover, SESIP can be mapped to ETSI EN 303 645 and the UK's PSTI scheme, enabling multiple certifications with a single assessment.
In summary, for IoT end-users, whether of industrial or consumer-grade products, cybersecurity awareness has been rising continuously, with increased attention to regulations like the General Data Protection Regulation (GDPR). Ensuring data security, and thereby creating differentiated value for their products, is crucial for chip, software, and equipment developers. Demonstrating secure development capabilities through SESIP certification is now evidently the ideal starting point.