HSM provides enterprises with hardware-based protection for key material. By sealing private keys within a dedicated secure environment, it prevents unauthorized access or tampering. HSMs are equipped with tamper detection and self-destruction mechanisms that automatically erase keys when abnormal behavior is detected, effectively resisting both physical and logical attacks. Combined with Ciot KMS for centralized key lifecycle management, enterprises can further establish unified key management, strengthen compliance, and enhance operational resilience.
HSM isolates key generation, storage, and usage within secure hardware.
Signing and verification are executed internally, preventing key exposure.
Supports secure boot, OTA pre-verification, and API-based signing.
Unified key issuance, rotation, and traceability under Ciot KMS.
Consistent policies applied across factories and services.
MES (Manufacturing Execution System) and DevOps integration streamlines automation and reduces errors.
HSM anchors code signing and OTA update processes.
Combined with Ciot KMS, enables end-to-end CI/CD automation.
Ensures traceability, compliance, and alignment with DevSecOps.
Clustered HSMs balance load and synchronize data, with health checks that trigger automatic failover. Key policies remain consistent across nodes to keep services running during maintenance or incidents.
Integrates with provisioning and secure enrollment so keys are added together with device certificates and firmware details. Smart-card or token backups allow quick cross-site restoration using standard formats.
Compatible with Securosys, Thales, Utimaco, Entrust, and Yubico, the architecture adapts to different scales and environments. It supports smooth expansion while keeping resources well balanced.
Keys are created and kept inside the HSM with no manual handling or OS exposure. Controlled activation and updates cut tampering and counterfeit risk.
Standardized workflows embed key generation and signing into production for faster deployment and higher efficiency.
Ciot KMS centralizes key management across factories and regions, ensuring consistent policies and easy scalability.
Appliance, PCIe card, and USB key models are available, each with tamper protection and secure key storage. PCIe units fit production lines, while USB keys suit small or mobile deployments.
PKCS#11 and KMIP are supported with standardized SDKs for easy integration. The solution aligns with FIPS 140, Common Criteria, IEC 62443, GDPR, and CRA to simplify compliance and operations.
HSM isolates keys and performs cryptographic operations, while Ciot KMS centralizes lifecycle management and policy control. It runs RSA and ECC today and is ready for post-quantum cryptography.
FIPS 140, short for the Federal Information Processing Standard 140, is a cryptographic module security standard developed by the U.S. National Institute of Standards and Technology (NIST) to evaluate the security of hardware and software cryptographic modules. The current versions, FIPS 140-2 and FIPS 140-3, cover various aspects of encryption, including cryptographic accuracy, physical security, and operational safety. FIPS 140 specifies four security levels, from 1 to 4, with higher numbers representing more stringent requirements:
Level 1: Basic cryptographic module requirements, focusing on correct cryptographic algorithm implementation.
Level 2: Adds physical protections, such as mechanisms to prevent unauthorized tampering or modification of hardware.
Level 3: Includes stronger physical protections and identity verification to restrict module access to authorized applications.
Level 4: The highest security level, protecting data even under extreme conditions (e.g., high temperature, physical impacts).
FIPS 140 is widely adopted by financial institutions, government agencies, and industries requiring high security, ensuring encryption devices meet strict safety standards.
CHANGING is FIPS 140-3–ready and, with Securosys, Thales, and Utimaco, is rolling out next-gen HSMs. Ciot KMS already supports a FIPS 140-3–compliant crypto architecture, keeping key and signing operations in a controlled, secure environment.
The Common Criteria for Information Technology Security Evaluation, known as Common Criteria (CC), is an international IT security evaluation standard developed by the U.S., UK, Germany, France, and Canada, officially standardized as ISO/IEC 15408 in August 1999. CC is designed to evaluate the security features of IT products and systems across various countries, with evaluation results recognized internationally to facilitate global product certification.
Common Criteria evaluations are based on Evaluation Assurance Levels (EAL), ranging from EAL 1 to EAL 7. Higher EALs indicate more thorough security assessments:
EAL 1: Intended for products requiring only functional testing, with minimal security demands.
EAL 2: Suitable for systems requiring protection from low-resource attackers, with structured testing.
EAL 3: Designed for products at medium threat levels, requiring moderate design reviews.
EAL 4: Most common in commercial applications, balancing security and practicality, fitting most security products.
EAL 5: Geared towards tamper-resistant systems with high security demands, requiring semi-formal design description and validation.
EAL 6: For products defending against expert attackers, demanding formal design verification.
EAL 7: The highest level, meant for systems facing sophisticated threats, often used in military applications.
The global recognition of Common Criteria enables products with CC certification to be widely accepted across different countries, facilitating international business expansion.