Compliance Suite for STM32
Compliance Suite for STM32 includes security development tools and practical guidance, delivering a shrink-wrapped solution for organizations to ensure security legislation assurance in IoT applications.
With new legislation for IoT security and privacy rapidly being introduced globally, compliance according to these regulations is a challenge for organizations and developers working with embedded applications. For your existing or new application, this means that it has to meet a new set of baseline standards. The good news is that we can help you to comply with the new regulations. Compliance Suite is what you need!
Overview video
Get an overview of the Compliance Suite for STM32 and the included software in this video.
Evolving IoT security legislation
The Consumer IoT Security Standard EN 303 645, based on the 13 Best Practices Guidelines evolved by the IoT Security Foundation and UK Government, is widely regarded as the security benchmark for Consumer IoT. Both the standard and the guidelines contain core requirements for applications, which developers should achieve. Compliance Suite enables you to rapidly build applications with these core requirements included.
Compliance Suite enables you to rapidly build applications with these core requirements included.
As a founding member of the IoT Security Foundation, a non-profit organization dedicated to driving security excellence, Secure Thingz has been involved in the creation of best practices, compliance and vulnerability disclosure for over 5 years.
What are the 13 Best Practices?
- Defined by the IoT Security Foundation
- Adopted by the UK Government
- Adopted by the EU in ETSI EN 303 645
- Supported by US Cybersecurity Improvement Act
13 Best Practices in practice
The Preconfigured Security Context included with Compliance Suite targets a broad set of the Best Practice requirements.
A Preconfigured Security Context defines the configuration of a trusted execution environment. It includes all the necessary security and encryption settings for protecting an application against security threats such as IP theft, malware injection, illegal access, copying or counterfeiting. This innovative technology ensures that you remain in control of your application, today and into the future.
Included in Compliance Suite
Tools
Compliance Suite for STM32 is specifically designed for applications based on the STM32 family of MCUs from STMicrolelectronics. To use it, you need a license of IAR Embedded Workbench for Arm.
- Preconfigured Security Context - Ensuring all necessary security and encryption are automatically included in your application
- Secure Boot Manager - Securing the overall boot process to protect the device
- C-Trust - Extension to IAR Embedded Workbench for Arm enabling secure, encrypted code
- C-STAT - Static code analysis tool ensuring code quality
Supported devices: STM32F405, STM32F407, STM32F412, STM32F429, STM32F777, STM32L475, STM32L4R, STM32L4S5, STM32L5, STM32H725, STM32H735, STM32H743, STM32H753, STM32H7A3, STM32H7B3, STM32WB55
Practical guidance
Unique package of courses with hands-on guides led by Secure Thingz’ in-house security experts. Topics include:
- Introduction to Embedded Security
- Security Development Workflow
- Legislation and Compliance Requirements
- Meeting the IoT Security Foundation Compliance Framework
Practical guidance included
Unique package of courses with hands-on guides led by Secure Thingz’ in-house security experts. The package includes a full day of training, divided in different parts based on topic.
Introduction to Security
- Introduction to Embedded Security
- Guiding principals and outcomes - Threats, Analysis and Requirements
- Fundamentals of Security - PKI, Identity, Device Management and Cryptography
Secure Development Workflow
- Introduction to the Secure Development Workflow
- Introduction to C-Trust
- Security Context Overview
- Application Development
- Leveraging Preconfigured Security Contexts
- Lifecycle Management
Legislation and Compliance Requirements
- Legislation and Standards Update
- Introduction to IoT Cybersecurity Improvement Act
- Introduction to European Standard EN 303645
- 13 Best Practices & Requirements
- Alternative regulations
- Vulnerability Disclosure
Meeting the IoT Security Foundation Compliance Framework
- Mapping C-Trust implementations to the Compliance Framework
- Compliance Classes
- Business Processes
- Device Hardware and Software Requirements
- Authentication, Authorization and Privacy
- Secure Supply Chain Production
- Configuration Considerations
- Device Ownership and Transfer
FAQ
Our most common questions about Compliance Suite.
What is Compliance Suite for STM32?
Compliance Suite has been created to enable a fast and easy on-ramp introduction to security based on Preconfigured Security Contexts, tools to get you started, and Practical Guidance in the form of an online training package.
The Security Context is built by Secure Thingz on your behalf, based on a high security requirement and customized to your company. A Secure Boot Manager will be provided as a binary file, as part of the Security Context, to be used in the development tool C-Trust enabling your application to be secure and encrypted.
How is the Practical Guidance training package delivered?
The package of courses is targeted at the security requirements demanded by EN 303645 and the IoT Security Foundation Assurance framework, including a deep dive into the individual hardware and software component requirements.
The course package is delivered through the online IAR Academy platform. We have created a training package that you should be able to go through in a day, but you can also choose to split the learning over several days or sessions. The content is highly technical and in case you have questions, we are available for you to provide answers.
Can the Security Context be used in production?
The Security Context in Compliance Suite should be seen as a first step and mainly for development purposes. While it can be used in production, we would recommend you take ownership of your own Security Context when going into production. For this, you need the additional product Embedded Trust.
Some critical context setups, such as Device Lockdown, are not configured in the default Security Context.
Can I replace the keys/certificates for my own PKI?
No - Customization of keys and certificates is not the purpose of Compliance Suite. The Security Contexts included in Compliance Suite are implemented to support the compliance requirement learning.
What is the precise device support for Compliance Suite for STM32?
The Compliance Suite for STM32 supports standard Root of Trust implementation on the following devices: STM32F405, STM32F407, STM32F412, STM32F429, STM32F777, STM32L475, STM32L4R, STM32L4S5, STM32L5, STM32H725, STM32H735, STM32H743, STM32H753, STM32H7A3, STM32H7B3, STM32WB55.
SFI technology is primarily utilized in mass secure provisioning and is not supported in Compliance Suite. We do have other options if you wish to use SFI, please reach out to us to discuss your needs!
Interested in buying Compliance Suite?
Fill out this form with your needs and requirements, and our sales team will contact you to guide you and give you a price offering tailored for your needs. We look forward to your request!
Want to know more?
We are present worldwide to help you wherever you are, and we are happy to answer any questions you might have about our products.