Cyber Resilience Act

The Cyber Resilience Act (CRA) is on its way. It is a European initiative to regulate cybersecurity. In contrast to NIS-2, which involves infrastructure operators, CRA starts with the manufacturers of products. CRA plays a crucial role when it comes to ensuring security in the digital world. One focus is to firmly incorporate the idea of “security by design” into the development process and the product life cycle. This means that security aspects are taken into account from the outset and continuously analyzed in order to design products securely throughout their entire life cycle. Cybersecurity is an integral part of future products which includes hardware and software in order to implement robust security measures based on currently required security standards. In this way, users can be better protected against potential threats.  
Cybersecurity measures that are appropriate to the current threat situation should be taken during the design, development, production, and use of the products by customers. The CRA makes manufacturers responsible for guaranteeing cybersecurity over the life cycle of the product, which goes beyond the previous market observation obligations. This includes obligations to deal with vulnerabilities, security support, and reporting obligations. The support period can be defined by manufacturers based on specific indicators such as user expectations, product type, intended use, alignment with other regulations, period of other similar products, support periods of central integrated components.

Security requirements for product features

The CRA stipulates the premise of “security by design” for products with digital elements. Security measures should be taken into account during the development of the product. A risk assessment of the product must be carried out. Depending on the type of product, there may be restrictions with regard to the requirements, but all detailed requirements must be examined and checked for feasibility. If the product cannot fulfill a requirement due to its nature, this must be documented. The following selected requirements must be checked and, if the nature of the product permits, fulfilled:

• Provision of the product without known vulnerabilities
• Secure standard configuration with the option of resetting to factory settings 
• Vulnerability addressing through security updates: These should have an opt-out option if they are carried out automatically, as automatic updates are usually undesirable in OT environments.
• Access control: authentication & proof of identity
• Ensuring data confidentiality & data integrity
• Minimization of data: Only data required for the product purpose should be collected and used.
• Monitoring of access, changes to data, services or functions
• Minimization of negative effects on availability through other devices, networks or services
• Minimization of attack surfaces (e.g. interfaces)
• Appropriate mechanisms and techniques to mitigate the potential exploitation of security vulnerabilities

Vulnerability handling

Security support for a product is another component of the CRA. Security updates should be offered for the product over a defined period of time in order to close security gaps and protect the product appropriately against acute threats. Selected security support requirements are listed below:

• Identification and documentation of vulnerabilities
• Quickest possible elimination of vulnerabilities and free provision of software updates 
• Regular checks of the product to identify the potential need for software updates
• Provision of comprehensive information for the user
• Development of a coordinated communication process for the disclosure of vulnerabilities
• Secure distribution of security updates

Product classification levels

The Cyber Resilience Act assigns products to different classification levels. Which products fall into which classification can be found in Annex III & IIIa of the CRA. Based on the classification, appropriate conformity assessment procedures must be followed. If products are cyber-critical or network-critical, they are considered Class I critical products. If the products are cyber-critical and network-critical, they are classified as Class II important products. In addition to this classification, there are also critical products.

Summary

In summary, the CRA promotes the integration of security aspects into the entire life cycle of a product, makes cybersecurity an indispensable component of products, and protects users from potential security threats. These are essential steps for successfully mastering the challenges of the digital world and shaping a secure future.

KiviCore offers support in the form of consulting on security concepts for system-on-chips, computing, and communication applications and can provide customized security subsystems for FPGAs and ASICs consisting of hardware and software for integration into customer products. Pure software solutions for microcontrollers can also be designed and provided. Examples include topics such as secure boot, root-of-trust, secure life cycle or authentication, integrity checks and encryption of data transmissions.