Blog Embedded Security | KiviCore

The Cyber Resilience Act and its Impact on Embedded Systems

Written by Editorial Team | Jan 28, 2025 11:29:00 AM

The Cyber Resilience Act (CRA) is a regulation introduced by the European Union to enhance the cybersecurity of digital products and services, with a particular focus on the growing risks in the digital supply chain. Set to come into force in late 2024, the EU Cyber Resilience Act aims to protect critical infrastructure by ensuring that all products with digital components meet strict security standards by 2027. The CRA represents a critical step towards building cyber-resilient systems in these sectors. It is important for companies to understand the compliance requirements and how to effectively protect embedded systems. This blog post outlines the CRA and its implications for embedded systems, focusing on why manufacturers need to act and the important steps they must take to meet strict cybersecurity requirements.

The Impact of EU CRA on Embedded Systems

First things first: manufacturers of devices based on microcontrollers, microprocessors and FPGA systems, as well as ASICs with security-related functions, must take action.

The Cyber Resilience Act (CRA) puts significant pressure on the manufacturers and developers of these systems. The CRA emphasizes a shift towards the principles of "Secure by Design" to ensure that embedded systems are built with robust security mechanisms and protocols from the start.

An important first step is to conduct a Threat and Risk Assessment to identify and assess potential security vulnerabilities. Manufacturers must assess which attacks and exploits can affect the device, regardless of an attacker's motives. Protection measures should be tailored to the device in question, balancing the technical costs against the potential impact.

The essential technical security requirements include different features that products with digital elements must meet depending on the level of risk identified in the risk assessment. The table below lists all the technical security requirements for the products mentioned in the CRA.

 

Essential Cybersecurity Requirements according to the Cyber Resilience Act (Part I)

  • Vulnerability Mitigation: Products must be free of known exploitable vulnerabilities.
  • Secure Default Configuration: Products should be delivered with a secure default configuration.
  • Security Updates: Security updates shall be provided to fix security issues.
  • Access Control: Authentication and identity management shall be used to prevent unauthorized access.
  • Confidentiality Protection: Stored data must be protected by encryption.
  • Integrity Protection: Data must be protected against manipulation.
  • Data Minimization: Only relevant and necessary data shall be used.
  • Availability Protection: Essential and basic features must be protected at all times, including after incidents.
  • Minimizing Negative Impact: Other systems shall be protected by minimizing the impact of incidents on them.
  • Attack Surface Limitation: Devices need to have minimal attack surfaces, incl. external interfaces.
  • Incident Impact Reduction: Suitable counter-exploitation strategies and methods to reduce the impact of incidents are necessary.
  • Recording and Monitoring: Security-related information shall be supplied by logging and monitoring internal activity; an opt-out for users also needs to be provided.
  • Secure Data Removal: Users shall be enabled to delete all data and settings permanently and to ensure safe data transfers to other systems if necessary.

CRA Action Guide for Embedded Systems

The CRA requires a multi-faceted approach to securing embedded systems and addressing cybersecurity risks. Here are the 8 key steps manufacturers of embedded products need to focus on to ensure compliance with the EU Cyber Resilience Act.

Product Assessment

First, the affected product needs to be identified and classified according to the CRA categories. The regulation divides the products concerned into different risk categories.

  • Class I - Standard (non-critical products), such as microprocessors, microcontrollers and FPGAs with security-related functionalities. The majority of all products with digital elements fall into this category. Self-certification by the manufacturer is possible for such products.
  • Class II (important products), for example tamper-resistant microprocessors and microcontrollers. Certification by a notified body is required for products in this risk class.
  • Critical products, for instance hardware devices with security boxes, smart meter gateways and smartcards or similar devices, including secure elements.

The same product requirements apply to all risk classes. The main difference is the conformity assessment. As the risk class increases, the criteria become stricter and the assessment process becomes more extensive. For class II and critical products, assessments by independent bodies are also mandatory, and certification in accordance with a European certification scheme may also be required.

Risk assessment

The CRA requires embedded system manufacturers to conduct a risk assessment as part of the initial product development and throughout the product lifecycle. This means identifying, evaluating, and mitigating potential cybersecurity risks based on intended use, foreseeable conditions and expected lifespan. The goal is to proactively address these risks by implementing security features.

For embedded hardware, this may include identifying hardware vulnerabilities such as design flaws, side-channel vulnerabilities, tampering risks, or weaknesses that could be exploited through physical access to the device. These can be prevented through hardware security features such as secure boot mechanisms.

Risk assessment for software involves identifying potential vulnerabilities in the code and its execution environment. This includes issues such as buffer overflows, improper input validation, and reliance on outdated or vulnerable software libraries. It's essential to evaluate the software supply chain for potential third-party vulnerabilities. The Secure Development Lifecycle (SDL) helps to mitigate these risks by incorporating secure coding practices, code reviews, and static analysis tools to identify software vulnerabilities early in development.

Secure by Design

Secure by design refers to the philosophy of incorporating robust security measures into the design and architecture of embedded systems from the very start. This includes adopting security practices such as using secure coding techniques, implementing hardware-based security features, and ensuring that firmware and software updates can be done securely. For compliance with the CRA, embedded systems must be resilient to a range of cyber threats, and the design must integrate security controls that can withstand future vulnerabilities.

Software Bill of Materials (SBOM)

The SBOM is a key component of the CRA's cyber security framework. It is essentially a detailed inventory of all software components used in an embedded system, listing several properties of each individual component. By providing a complete SBOM, manufacturers make it easier to identify and fix security flaws and comply with the CRA's vulnerability management requirements.
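
As an added illustration (not KiviCore's code and not text from the CRA), the sketch below audits a small SBOM for incomplete component entries and for components matching a known advisory. It assumes a CycloneDX-style JSON layout; the sample SBOM, the advisory feed, the component names and the set of required fields are all constructed for this example.

```python
import json

# Constructed sample: minimal CycloneDX-style SBOM for a hypothetical firmware image.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "components": [
    {"type": "library", "name": "examplessl", "version": "1.0.2",
     "supplier": {"name": "Example Crypto Project"},
     "hashes": [{"alg": "SHA-256", "content": "aa11"}]},
    {"type": "library", "name": "tinyjson", "version": "0.9.1"},
    {"type": "firmware", "name": "bootloader", "version": "",
     "supplier": {"name": "Example Devices GmbH"},
     "hashes": [{"alg": "SHA-256", "content": "bb22"}]}
  ]
}
"""

# Constructed advisory feed: (name, affected version) -> placeholder advisory id.
ADVISORIES = {("examplessl", "1.0.2"): "ADVISORY-PLACEHOLDER-1"}

# Assumption: properties this example treats as mandatory for every component.
REQUIRED = ("name", "version", "supplier", "hashes")


def audit_sbom(sbom_text, advisories):
    """Return (incomplete, vulnerable) findings for an SBOM document."""
    sbom = json.loads(sbom_text)
    incomplete, vulnerable = {}, {}
    for comp in sbom.get("components", []):
        label = comp.get("name") or "<unnamed>"
        # Entries lacking version, supplier or hash cannot be matched
        # reliably against advisories, so report them as gaps.
        missing = [field for field in REQUIRED if not comp.get(field)]
        if missing:
            incomplete[label] = missing
        key = (comp.get("name"), comp.get("version"))
        if key in advisories:
            vulnerable[label] = advisories[key]
    return incomplete, vulnerable


if __name__ == "__main__":
    gaps, hits = audit_sbom(SBOM_JSON, ADVISORIES)
    for name, fields in gaps.items():
        print(f"INCOMPLETE {name}: missing {', '.join(fields)}")
    for name, advisory in hits.items():
        print(f"KNOWN-VULNERABLE {name}: {advisory}")
```

Running a check like this on every build turns the SBOM into an input for the vulnerability-management process rather than a static compliance document.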

Documentation

To ensure full traceability of embedded systems and their security measures, proper documentation is required. Manufacturers must provide clear records of the design process, risk assessments, testing protocols and security controls in place. This documentation is important not only for compliance, but also for customers, auditors and regulators who may need to verify the security measures taken to ensure a product's security. Documentation must be retained for 10 years after product launch or for the duration of support, whichever is longer.

  • The technical documentation must include relevant cyber security aspects such as identified vulnerabilities, third-party information and risk assessment updates.
  • The EU declaration of conformity demonstrates compliance with the essential requirements.
  • User information and guidance must be provided leading to safe installation and operation.

Vulnerability reporting

The CRA requires manufacturers to establish a system to report any vulnerabilities found in their embedded systems. This includes reporting to both end users and regulators. Timely reporting ensures that threats are publicly known immediately and resolved or mitigated quickly. This step also helps build consumer confidence and ensures that embedded systems remain secure and compliant.

Conformity assessment

Manufacturers must conduct conformity assessments to demonstrate that their embedded systems meet the cyber security requirements set out in the CRA. This may involve independent testing or self-certification, depending on the complexity of the product and its intended use. This process ensures that the product meets all required safety standards.

CE marking

Finally, the CE marking for your embedded systems confirms that your product complies with the Cyber Resilience Act and is safe for use on the EU market. This marking indicates that all required safety measures have been taken and that the product meets the standards set by the EU.

How can KiviCore help?