Custom Meta Tags

EBV - Solutions - CRA (HB)

Cyber Resilience Act (CRA)

EBV - Solutions - CRA - Solutions (SN)

EBV - Solutions - CRA - Solutions Intro Static HTML

EBV solution to cyber resilience act compliance

On this page:

 

CRA risk assessment – what to check

Most embedded products now include some form of accessible connectivity. It may be a physical connection, or wireless, but the process for assessing risk is the same.

All hardware and software interfaces should be identified and documented; this includes:
 

  • Standard physical connections, such as Ethernet, USB ports, JTAG ports, UART interfaces.
  • Non-standard physical connections, such as PCB edge connectors, generic connectors with a proprietary pin assignment.
  • Software interfaces, such as network ports.
  • Standard protocol-based wireless connectivity, such as Wi-Fi or Bluetooth.
  • Proprietary protocols operating over an ISM wireless connection, such as 2.4 GHz.

CRA risk assessment – what to check

 

All software should be from a known source and documented in a software bill of materials (SBOM).

All software not written in-house should be monitored for new threats, or common vulnerabilities and exposures (CVEs). Some SBOM tools can help automate CVE monitoring.

All known CVEs in your product’s software should be identified, and a plan for remedial action put in place.
 

CRA compliance versus non-compliance

Connectivity is now so fundamental that many integrated circuits include connectivity at the transistor level.

Not all ICs with connectivity functionality will be able to comply with the CRA’s requirements. Some components will need to be replaced with compliant solutions. The level of redesign will depend on the risk assessment.

The good news is that by selecting the right components, OEMs can make products that are secure by design. The features to look out for include:

  • Hardware support for cryptography, such as:
    • Elliptic Curve Cryptography (ECC), an encryption technique based on public keys
    • Rivest-Shamir-Adleman (RSA) public-key cryptography
    • Advanced Encryption Standard (AES), a block cipher that works on blocks of 128 bits
    • Secure Hash Algorithm (SHA), a family of cryptographic hash functions
  • Hardware-based True Random Number Generator (TRNG)
  • Support for Transport Layer Security (TLS)
  • Secure memory features:
    • Encryption
    • Execute-in-place
    • Immutable certificate storage
    • Memory protection
  • Secure Debug
    • Lockable JTAG
  • System-level features:
    • Privilege separation (secure enclave)
    • Secure boot
    • Secure key storage  

 

Three steps to CRA compliance

In the future, most connected electronic products sold within the EU will need to comply with the CRA. We can expect this practice to permeate across the world, with all nations and regions adopting similar precautions.

To future-proof your products, follow these three steps:

  1. Create and maintain a preferred products list that enables a secure-by-design approach to product development.
  2. Work with partners that can support you and your products throughout their entire lifecycle.
  3. Remain diligent, using automation to provide early warnings of new CVEs, and follow a proven approach to securely updating products in the field.

 

EBV - Solutions - CRA Contact Us (GBL)

Do you have a Question?

Contact EBV

Get in touch with our Security experts now.

contact us