Close on the heels of the UK’s Product Security and Telecommunications Infrastructure (PSTI) Act, which establishes mandatory cybersecurity standards for consumer IoT devices, the Cyber Resilience Act (CRA) is a significant piece of legislation proposed by the European Commission to boost cybersecurity across the European Union. It is particularly aimed at Internet of Things (IoT) devices. The act is part of the EU Cybersecurity Strategy in 2020 and came into force this year. The requirements for compliance are phased in over three years to allow companies time to adapt.
Chris Jones, Director of Applications, Crypto Quantique, further explores.
CRA summary
Scope and coverage: The CRA applies to manufacturers, software developers, distributors, importers, and other economic operators supplying digital products to the EU market. Product coverage includes computer hardware, software, IoT devices like smart home devices, and network-connected critical infrastructure.
Security requirements: The Act requires cybersecurity features to be integrated into the design and development of products. Products must be made secure by design and by default, and must be able to manage risks, handle incidents, and protect personal data. Products must also be updatable and patchable to address emerging vulnerabilities; in other words, firmware and software must be updatable in a secure way.
Compliance and penalties: Manufacturers must comply with the CRA’s security requirements, and failure to do so can result in significant penalties, including fines of up to €15 million or 2.5% of annual turnover, whichever is greater.
Objectives: The CRA aims to improve end-to-end security, facilitate compliance through a coherent cybersecurity framework, provide greater transparency about cybersecurity properties, and ensure safer use of products with digital elements. Through this, it will address systemic issues such as inadequate cybersecurity and an apparent lack of consumer awareness about risks and vulnerabilities.
The challenge for embedded development teams
The CRA’s emphasis on cybersecurity will significantly impact the design and development of IoT devices. Manufacturers will need to incorporate security considerations from the outset, ensuring that devices are resilient to cyber threats throughout their lifecycle.
This includes implementing robust security measures, providing clear information on cybersecurity features and maintaining the ability to update devices to address new vulnerabilities.
CRA is just one of a growing number of stringent security regulations that create compliance challenges for embedded development teams.
Meeting legislative requirements requires the implementation of a hardware secure boot process, which is fundamental in enabling secure firmware updates throughout the operating life of devices.
Secure boot ensures that only authenticated and trusted software executes during the device’s startup process. It cryptographically verifies the device’s firmware and operating system against a secure cryptographic key that is ideally hard coded or baked into the central processing unit during manufacture. A less secure alternative is to inject the key as part of the end product’s manufacturing process.
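The verification step described above, as an added example that is not part of the original article or any vendor's code: a boot stage checks an RSA (PKCS#1 v1.5, SHA-256) signature over the firmware against a public key fixed in ROM, while the private key is used only on the signing side. The key is a constructed, insecure demo key, and the names sign_firmware, boot_verify, boot and ROM_N are hypothetical.

```python
import hashlib

# Constructed demo key, NOT secure: two Mersenne primes give a deterministic
# RSA modulus so the example runs offline with the standard library only.
P, Q = 2**521 - 1, 2**607 - 1
ROM_N, ROM_E = P * Q, 65537            # public key "baked into" the boot ROM
_SIGNING_D = pow(ROM_E, -1, (P - 1) * (Q - 1))  # private key: build server only

# DER prefix of DigestInfo for SHA-256 (RFC 8017, section 9.2)
SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")
K = (ROM_N.bit_length() + 7) // 8      # modulus length in bytes


def _encode(firmware: bytes) -> bytes:
    """EMSA-PKCS1-v1_5 encoding of SHA-256(firmware), K bytes long."""
    t = SHA256_PREFIX + hashlib.sha256(firmware).digest()
    return b"\x00\x01" + b"\xff" * (K - len(t) - 3) + b"\x00" + t


def sign_firmware(firmware: bytes) -> bytes:
    """Build-server side: the only code that touches the private key."""
    m = int.from_bytes(_encode(firmware), "big")
    return pow(m, _SIGNING_D, ROM_N).to_bytes(K, "big")


def boot_verify(firmware: bytes, signature: bytes) -> bool:
    """Device side: uses only the public key held in ROM."""
    if len(signature) != K:
        return False
    s = int.from_bytes(signature, "big")
    if s >= ROM_N:
        return False
    recovered = pow(s, ROM_E, ROM_N).to_bytes(K, "big")
    # Compare against the full expected encoding instead of parsing the
    # padding, so a malformed but "parseable" block is never accepted.
    return recovered == _encode(firmware)


def boot(firmware: bytes, signature: bytes) -> str:
    """Run the image only if its signature verifies; otherwise stop."""
    return "BOOT" if boot_verify(firmware, signature) else "HALT"


if __name__ == "__main__":
    image = b"constructed firmware image v1.0"
    sig = sign_firmware(image)
    print(boot(image, sig))                 # genuine image
    print(boot(image + b"\x90", sig))       # modified after signing
```

The device side never needs the private key, which is why where that key lives and who can reach it matters as much as the verification code itself.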
Firmware updates cannot be practically implemented in a manual process, for example, using USB sticks. Not only are there too many IoT devices deployed in most networks to make this a viable approach, but it’s also a high-risk practice from a cybersecurity perspective.
Secure firmware over the air (FOTA) updating therefore becomes an essential requirement. Embedded engineers work with secure MCUs, CPUs, or secure elements for cryptographic key generation and secret storage of keys.
This typically requires them to write complex low-level C code to interface with on-chip functions. The process is not only difficult and time-consuming but also fraught with risk. A small coding error or poorly safeguarded key can lead to project delays or, worse, introduce vulnerabilities that attackers can exploit.
The diversity of embedded platforms further complicates matters, forcing developers to work across different platforms and learn often poorly documented and inadequately supported APIs to implement mission-critical security features.
For example, teams must rely on a mix of open source cryptography libraries (e.g., OpenSSL), device-specific libraries (e.g., STM32 Crypto library), third-party PKI/CLM infrastructure, and custom-written code to meet regulatory requirements. This approach is complex, time-consuming, and insufficient to meet today’s stringent security demands, particularly in the most highly regulated sectors, such as the medical and automotive industries.
There is the additional complication of the management of the private keys that are integral to the secure boot process. Where are these keys stored? Oftentimes on senior engineer laptops or IT department secure servers. Who has access to these keys? These factors are often overlooked when developing a secure product.
How Cloud-based platforms overcome challenges
Cloud-based platforms can help the embedded design community overcome these challenges and ensure ongoing compliance with current and future legislation.
Crypto Quantique’s QuarkLink platform is one example. The Cloud-based software platform enables embedded developers to take control of their security implementation and infrastructure, including direct ownership of their PKI.
This article originally appeared in the October 24 magazine issue of IoT Insider.