
The Cyber Resilience Act and Its Significance for Embedded Electronics

The Cyber Resilience Act (CRA), recently passed by the EU Council in October 2024, sets new security requirements for digital products. The current legislation establishes a direct link to the CE marking, as compliance with the cybersecurity requirements outlined in the CRA will soon be a prerequisite for CE certification of digital products. The CE marking indicates that a product complies with applicable EU directives and may be safely marketed. With the CRA, cybersecurity aspects are now becoming an integral part of this certification.

Remarkably, the timeframe is tight. According to the EU Council’s official press release, manufacturers and companies now have a two-year transition period to implement the necessary measures to comply with the new requirements. This means that the CRA regulations will be binding starting in 2026. As of October 2026, all affected products entering the EU market must meet the cybersecurity requirements specified in the CRA to retain CE certification. The EU Council’s press release on the Cyber Resilience Act is available at the following link.

For manufacturers of electronics and embedded systems, this means they must adapt their development and production processes over the next two years to integrate the new security standards. Previously, the CE marking mainly addressed physical safety aspects, such as electrical safety or health compatibility. With the CRA, new requirements are added to ensure that digital products containing software and hardware components are also protected against cyberattacks. In addition, manufacturers will now need to demonstrate that they have implemented IT security measures before they are permitted to apply the CE mark. This requirement often pertains to the IT and OT of companies, an area where many have already taken action in recent years.

Significance of the CRA for Electronics in Products and Devices

First things first: manufacturers of devices based on microcontrollers and microprocessors must take action. A key initial step is conducting a Threat and Risk Assessment (TARA) to identify and evaluate potential security vulnerabilities. Manufacturers must assess which attacks and exploits, regardless of an attacker’s motives, could affect the device. The focus here is on programmable hardware and communication interfaces on the circuit board.

Manufacturers often lack structured measures for analyzing attack scenarios. Many methods from IT security, however, can be adapted, with some adjustments, to electronics. For instance, the classification of attack scenarios can be performed using the STRIDE method, which covers typical threats such as spoofing, tampering, repudiation, unauthorized information disclosure, denial-of-service attacks, and unauthorized privilege escalation.

Protection measures should be tailored to each device, balancing engineering costs with potential impacts (single device/many devices/all devices). Nonetheless, there are essential steps for manufacturers of devices with electronics and embedded systems that every R&D department should prioritize in the coming years.


The Four Pillars of Cyber Resilience in Embedded Systems

Embedded systems are present in virtually all commercially available products, such as industrial sensors, control technology, or camera systems. Even household appliances like washing machines and coffee machines include microcontroller-based controls. As a result, nearly all providers and manufacturers of “smart” systems are now obligated to implement protective measures.

The four pillars of secure embedded systems are as follows:

  • Zero-Trust Communication  
  • Anti-Denial-of-Service Measures  
  • Secure Updates  
  • Key Management

Building blocks of secure embedded systems

Zero-Trust Communication is an approach to preventing spoofing attacks. Spoofing involves attempts to inject false identities or fake data into the system in the form of messages. To prevent this, the Zero-Trust principle is applied: every communication attempt is considered potentially insecure. There are two key approaches to implementing this. The first is full message encryption, ensuring only authorized participants can read the communication. The second approach is Secure Hashing, where tamper-proof cryptographic hashes are created to ensure message integrity.
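The Secure Hashing approach described above can be modelled on a host as follows. This is an added example, not code from the article: it assumes a keyed hash (HMAC-SHA256, truncated to fit short bus frames), a hypothetical frame layout of sender id, counter, payload and tag, and it goes one step beyond the text by also rejecting replayed frames through a per-sender counter.

```python
import hashlib
import hmac
import struct

TAG_LEN = 8                       # truncated tag length in bytes (assumed frame budget)
HEADER = struct.Struct(">BI")     # assumed layout: sender id (1 byte), counter (4 bytes)
DEMO_KEY = bytes(range(32))       # constructed demo key, never use a fixed key in a product


def seal(key, sender, counter, payload):
    """Sender side: frame = header || payload || tag; the tag covers header and payload."""
    body = HEADER.pack(sender, counter) + payload
    tag = hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]
    return body + tag


class Receiver:
    """Receiver side: trust nothing until the tag verifies and the counter is fresh."""

    def __init__(self, keys):
        self.keys = keys          # sender id -> shared key
        self.last_counter = {}    # sender id -> highest counter accepted so far

    def accept(self, frame):
        """Return the payload of a genuine, fresh frame, or None for anything else."""
        if len(frame) < HEADER.size + TAG_LEN:
            return None                                   # too short to be a frame
        body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        sender, counter = HEADER.unpack_from(body)
        key = self.keys.get(sender)
        if key is None:
            return None                                   # unknown identity
        expected = hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):        # constant-time comparison
            return None                                   # forged or modified frame
        if counter <= self.last_counter.get(sender, -1):
            return None                                   # replay of an old frame
        self.last_counter[sender] = counter               # only updated after the tag check
        return body[HEADER.size:]
```

The counter is stored only after the tag has verified, so a forged frame cannot advance it and lock out the genuine sender.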

Protection against Denial-of-Service (DoS) attacks is particularly challenging on systems with weak threading behavior. DoS attacks aim to disable systems through overload, which is especially dangerous for embedded systems on critical communication buses such as ModBus, CAN, Profibus, or RS485. An attacker who gains access to the bus could flood these systems, overwhelming them with data and rendering them inoperative. This applies to both secure and insecure attempts. Anti-DoS mechanisms must detect and counteract such attacks at an early stage.
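One way to detect and counteract flooding early is an admission check that runs before a frame is parsed or verified. The following host-side model is an added example, not code from the article; the class names, rates and node ids are assumptions chosen for illustration.

```python
class TokenBucket:
    """Integer token bucket: time in ms, tokens in 1/1000 units (no floats needed)."""

    def __init__(self, rate_per_s, burst):
        self.rate = rate_per_s            # refill: rate_per_s milli-tokens per ms
        self.cap = burst * 1000
        self.tokens = self.cap
        self.last_ms = None

    def allow(self, now_ms):
        if self.last_ms is not None:
            elapsed = max(0, now_ms - self.last_ms)   # tolerate a clock step back
            self.tokens = min(self.cap, self.tokens + elapsed * self.rate)
        self.last_ms = now_ms
        if self.tokens < 1000:
            return False
        self.tokens -= 1000
        return True


class BusGuard:
    """Admission check that runs before any frame parsing or cryptography."""

    def __init__(self, known_nodes, node_rate, node_burst, bus_rate, bus_burst):
        # Fixed table: a sender cycling through ids cannot make it grow.
        self.nodes = {n: TokenBucket(node_rate, node_burst) for n in known_nodes}
        self.bus = TokenBucket(bus_rate, bus_burst)
        self.dropped = {n: 0 for n in known_nodes}
        self.unknown_dropped = 0

    def admit(self, node_id, now_ms):
        bucket = self.nodes.get(node_id)
        if bucket is None:
            self.unknown_dropped += 1
            return False
        # Node budget first, so one flooding node cannot drain the shared bus budget.
        if bucket.allow(now_ms) and self.bus.allow(now_ms):
            return True
        self.dropped[node_id] += 1
        return False

    def flooding_nodes(self, threshold):
        """Nodes whose drop count reached the threshold: candidates for an alarm."""
        return sorted(n for n, d in self.dropped.items() if d >= threshold)
```

Sender ids on a shared bus can be forged, so the per-node budget limits collateral damage rather than identifying the attacker; the global bus budget is what bounds the total work the receiver does.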

Additionally, systems must have secure mechanisms to receive software updates and ensure that only authorized and intact software is used. In embedded systems, updates are often transmitted unencrypted or without sufficient protective measures, posing a significant risk. Flash images should therefore always be encrypted during transmission to prevent tampering. Cryptographically relevant functions should be stored in secure TrustZones or encrypted in flash memory. Furthermore, a secure boot process ensures the system only starts with trusted software.

Finally, managing cryptographic keys on both the build and device sides is crucial. These keys are used for data encryption and authentication and must be securely stored on both the device and development side. Secure management on the development side restricts access to the keys. For secure key transmission over bus protocols, encrypted and authenticated mechanisms should be used to ensure that unauthorized parties cannot access the keys, even in insecure environments.

In this article series, we will explore these measures individually and provide a detailed explanation of each aspect.

Our article series on Cyber Resilience for Microcontrollers

 
