Top 5 CRA Takeaways for Engineers and Device Makers

The EU Cyber Resilience Act (CRA) is set to redefine the landscape of embedded device security, making it a critical topic for OEMs and device manufacturers worldwide. With devices becoming increasingly complex and interconnected, understanding and adhering to new regulations is more important than ever. To shed light on this pivotal legislation and its implications, we at Witekio, in collaboration with our partners at EBV Elektronik, hosted a webinar, Navigating the EU Cyber Resilience Act: Avoid Penalties and Enhance Security. During the session, our experts discussed the challenges and opportunities presented by the CRA, offering practical advice on building secure, compliant embedded systems. You can find our top five takeaways below. You can watch the full webinar here.

The CRA and Its Impact on Connected Devices

One of the most significant topics covered in the webinar was the EU Cyber Resilience Act and its implications for devices with wireless interfaces such as Bluetooth. Even if a device does not have direct internet access, it can still be subject to stringent security regulations. The act aims to ensure that all interconnected devices, regardless of their primary function, are secure and resilient against cyber threats.

Why It’s Important: Compliance with the EU Cyber Resilience Act is not just about meeting regulatory requirements; it’s about safeguarding your devices and, by extension, your users. Engineers must now consider all potential attack vectors, including wireless interfaces, when designing their products.

“As soon as a device is interconnected to some system, it should be affected by the Cyber Resilience Act. It’s not just about internet connection but any form of connectivity that could be used as an attack vector,” Julien Bernet – Head of Security, Witekio

Security Measures for Devices

The increasing frequency and sophistication of cyber-attacks make it critical for engineers to implement robust security measures in their devices. Security has to be designed in from the start: the goal is to build resilience into the device architecture so it can withstand potential threats, rather than bolting protections on afterwards. Some of the key ways to do this include:
  • Proactive Threat Modeling: Engineers should engage in proactive threat modeling during the design phase. By anticipating potential threats and attack vectors, they can build systems that are inherently more secure. This involves identifying possible vulnerabilities and assessing the impact of potential security breaches on the device’s operation and the broader network.
  • Layered Security Approach: A layered security approach, also known as defense in depth, was emphasized as a best practice. This involves implementing multiple layers of security controls throughout the device architecture. For example, combining hardware-based security features with robust software security measures can provide a comprehensive defense against various types of attacks.
  • Regular Security Updates and Patches: Keeping devices up-to-date with the latest security patches and updates is crucial. The webinar underscored the importance of having a mechanism in place for deploying updates efficiently. This ensures that any newly discovered vulnerabilities are promptly addressed, reducing the risk of exploitation.
  • Secure Boot and Firmware Integrity: Ensuring that devices boot securely and that their firmware integrity is maintained was another key point. Secure boot mechanisms verify the authenticity of the firmware before allowing the device to boot. This prevents unauthorized firmware from running on the device, which is critical for maintaining the overall security posture.
  • Access Control and Authentication: Implementing strong access control and authentication mechanisms was highlighted as essential for preventing unauthorized access to the device. This includes using robust authentication methods such as multi-factor authentication and ensuring that only authorized personnel can access and manage the device.
  • Resilience and Recovery Plans: Finally, the webinar emphasized the importance of resilience and having recovery plans in place. In the event of a security breach, having a well-defined recovery plan ensures that the device can be quickly restored to a secure state, minimizing downtime and potential damage.
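The secure boot and update items above both come down to the same check: before any firmware is executed or installed, the device must confirm that the image was produced by the legitimate manufacturer and that it is not an older, already-patched version being pushed back onto the device. The following Go program is an added illustration written for this article; it is not Witekio's or EBV's code, nor any vendor's boot ROM. It assumes a constructed image layout (magic, version, payload length, payload, signature), uses Ed25519 where a real MCU would use whatever signature scheme its boot ROM supports, and models the public key pinned in OTP fuses and the monotonic anti-rollback counter as plain function arguments.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Image layout (constructed for this example, not any vendor's format):
//   magic(4) | version(4, big-endian) | payloadLen(4, big-endian) | payload | signature(64)
// The signature covers magic, version, length and payload, so none of those
// fields can be altered after signing without invalidating it.
var magic = []byte("FWIM")

const headerLen = 12

var (
	ErrBadLength = errors.New("image length does not match its header")
	ErrBadMagic  = errors.New("not a firmware image")
	ErrBadSig    = errors.New("signature verification failed")
	ErrRollback  = errors.New("image version older than anti-rollback counter")
)

// BuildImage is the release-pipeline side: it wraps the payload in the
// header and appends an Ed25519 signature made with the manufacturer's
// private key (assumed to live in an HSM or signing service in practice).
func BuildImage(priv ed25519.PrivateKey, version uint32, payload []byte) []byte {
	var buf bytes.Buffer
	buf.Write(magic)
	binary.Write(&buf, binary.BigEndian, version)
	binary.Write(&buf, binary.BigEndian, uint32(len(payload)))
	buf.Write(payload)
	buf.Write(ed25519.Sign(priv, buf.Bytes()))
	return buf.Bytes()
}

// VerifyImage is the bootloader/updater side. pub stands in for the public
// key pinned in OTP fuses; minVersion for the monotonic anti-rollback counter
// held in secure storage. The payload and its version are returned only when
// every check passes; the same routine gates both boot and update installs.
func VerifyImage(pub ed25519.PublicKey, minVersion uint32, img []byte) ([]byte, uint32, error) {
	// Length check first, so the header and signature slices below are in range.
	if len(img) < headerLen+ed25519.SignatureSize {
		return nil, 0, ErrBadLength
	}
	if !bytes.Equal(img[:4], magic) {
		return nil, 0, ErrBadMagic
	}
	version := binary.BigEndian.Uint32(img[4:8])
	payloadLen := binary.BigEndian.Uint32(img[8:12])
	// Validate the declared length in 64-bit arithmetic so an attacker-chosen
	// length field cannot wrap or drive an out-of-range slice.
	signedLen := uint64(headerLen) + uint64(payloadLen)
	if signedLen+ed25519.SignatureSize != uint64(len(img)) {
		return nil, 0, ErrBadLength
	}
	signed, sig := img[:signedLen], img[signedLen:]
	// Authenticate before applying policy: only a signed header is trustworthy.
	if !ed25519.Verify(pub, signed, sig) {
		return nil, 0, ErrBadSig
	}
	if version < minVersion {
		return nil, 0, ErrRollback
	}
	return append([]byte(nil), signed[headerLen:]...), version, nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	img := BuildImage(priv, 3, []byte("firmware v3 (constructed payload)"))

	_, v, err := VerifyImage(pub, 2, img)
	fmt.Println("genuine image: version", v, "err", err)

	tampered := append([]byte(nil), img...)
	tampered[headerLen] ^= 0x01 // flip one payload bit
	_, _, err = VerifyImage(pub, 2, tampered)
	fmt.Println("tampered image:", err)

	_, _, err = VerifyImage(pub, 4, img) // device counter already advanced to 4
	fmt.Println("rollback attempt:", err)
}
```

Two design points carry over to real deployments: the version field is only honoured after the signature has been verified, so an attacker cannot satisfy the anti-rollback rule by editing the header, and the declared payload length is reconciled with the actual image size before any slicing, which is where many bootloader parsers have historically gone wrong.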

Testing and Maintenance Platform Automation

Witekio’s robust testing and maintenance tools are designed to help OEMs ensure their devices are secure and compliant with the latest standards. The Embedded Kit by Witekio provides comprehensive testing capabilities, including automated testing, continuous integration, and detailed reporting, making it easier for engineers to identify and address potential vulnerabilities.

Why It’s Important: Regular testing and maintenance are critical for ensuring device security and performance. We can help streamline these processes, allowing engineers to focus on innovation while ensuring their devices remain secure and compliant. Our testing and maintenance platform is designed to provide OEMs with the tools they need to maintain high security and performance standards throughout the device lifecycle.

EBV’s Comprehensive Support and Services for Hardware Selection and CRA Compliance

EBV is not just a hardware distributor but a full solution provider that supports customers throughout the entire design, production, and lifecycle of semiconductor-based products. They have specialized teams and local support to help customers make informed decisions about hardware selection, particularly in compliance with the CRA. This includes helping customers choose the right MCUs and peripherals to meet CRA requirements and ensuring continuous support with logistics and supply throughout the product’s lifetime.

Security Requirements and Solutions for CRA Compliance

In the webinar, EBV provided detailed information on the security requirements necessary to comply with the CRA, including secure-by-default configurations, updatability, data confidentiality, and secure boot mechanisms. They also emphasized the importance of cryptographic support, random number generators, memory encryption, and secure key storage. As EBV Elektronik partners with hardware vendors such as Infineon, Microchip, NXP, and STMicroelectronics, the speaker, Daniel Bartz, also showcased their secure elements, secure enclaves, and cryptographic capabilities.

Why It’s Interesting: Understanding these security requirements and the available hardware solutions is essential for device makers to ensure their products are secure and compliant with the CRA. This information helps them make informed decisions about the hardware components and security features needed to protect against vulnerabilities and ensure long-term security and compliance.

“Looking at the product requirement side, we have a few highlight requirements… you need a product with a secure by default configuration. The core functionality and the core requirement really that goes throughout the entire CRA is the updatability…” Daniel Bartz, Segment Security & Identification, EBV.

Georgie Ryan-Casling
Head of Content
