DESIGN
SECURITY: CYBER
The Cyber Resilience Act: an opportunity for embedded developers, not a threat According to David Pashley, Co-Founder & Managing Director at Direct Insight, it’s really quite clear for designers of embedded systems, written in black and white in the EU Cyber Resilience Act (CRA): in three years’ time – on December 11th 2027, to be precise – compliance will be mandatory. No compliance, no CE mark – and no shipping to the EU. Y et, there are those embedded developers who adopt the position that three years is still some way off. product right now.
Where do I begin? The first step is a risk assessment that will guide the cyber resilience aspects of the project – and become the backbone of your documentation. To understand the importance of this requirement, I recommend reading what the CRA actually says, not relying on bullet points in annexes. The Act explicitly requires that: “…manufacturers shall undertake an assessment of the cybersecurity risks associated with a product with digital elements and take the outcome of that assessment into account during the planning, design, development, production, delivery and maintenance phases…” [Article 13(2)] Therefore, the first step is to understand how to undertake a cybersecurity risk assessment, and to perform that assessment against the planned product (and its associated development process) – across the whole product lifecycle. This assessment must be provided to end-users and maintained for the lifetime of the product. It will also guide the rest of the process. Moving on, and setting out a framework, following the over-arching cybersecurity risk assessment (with the details, of course, depending on the conclusions of that exercise), the project is likely to include the following features – some of which may be new to the development team (this list isn’t intended to be exhaustive): • Secure boot, with firmware images authenticated against an immutable hardware-based root of trust. The CRA specifically requires
While future concessions remain possible, there is no sign of them
right now. In fact, current evidence suggests the screws are tightening, rather than loosening. Illusion of immunity The notion that if you can get your product to market ahead of the three-year deadline, you’re off the hook, is an illusion. Although there might be safety in numbers for legacy products, the CRA provisions still apply. Indeed, many embedded products become part of a larger system once commissioned and so are also subject to the provisions of the CRA – and systems are also subject to other cybersecurity standards, such as NIS2. The provider of an overall system – your customer – will not themselves be compliant unless your product and all other constituent elements comply individually. This most notably applies to embedded system building blocks, such as boards, modules and operating systems, which must carry a CE mark for the first time. This means that, for many vendors, the effects of EU CRA will, in effect, be retrospective in the eyes of their customers, who need to comply themselves – and are looking for sub-assembly compliance immediately, so that they can, in turn, set about redesigning existing products. In many markets, therefore, near-term compliant products will have a massive commercial advantage over legacy products – so, there is substantial advantage to be gained by having a conforming
40 ELECTRONICSPECIFIER.COM
Powered by FlippingBook