The European Union's Cyber Resilience Act (CRA) is a significant step forward in product cybersecurity. It sets stringent cybersecurity requirements for hardware and software products with digital elements placed on the EU market: such products must be delivered without known exploitable vulnerabilities, and their security must be maintained throughout their lifecycle.
In this article, we examine the intricacies of the CRA and its impact on Original Equipment Manufacturers (OEMs). We discuss the stringent requirements set by the CRA, the steps necessary for compliance, and the potential competitive advantages for OEMs that meet these standards.
The impact of CRA
At the time of writing, formal adoption of the CRA and the start of its transition phase were projected for the end of 2024, with OEMs expected to have about two years to achieve compliance and enforcement anticipated from late 2026 to early 2027. (The regulation as finally adopted, Regulation (EU) 2024/2847, gives 36 months for most obligations and 21 months for the vulnerability and incident reporting obligations.)

Non-compliance may result in administrative fines of up to €15 million or up to 2.5% of the OEM's total worldwide annual turnover for the preceding financial year, whichever is higher, imposed by the market surveillance authority designated by each EU member state.
The compliance process will likely increase product development costs for OEMs, owing to the time needed for risk assessments and for preparing the required documentation. However, verified compliance may provide a marketing advantage, distinguishing compliant products from those that are not yet compliant (the CRA applies to every product placed on the EU market, wherever it is manufactured). This distinction could affect both the brand and future product sales.
The CRA is closely related to the Delegated Regulation under the Radio Equipment Directive (RED, 2014/53/EU). The RED already covers EMC and health and safety for radio equipment, and its delegated act adds cybersecurity requirements that overlap with those of the CRA.
A significant consequence of the CRA is a new legal duty for manufacturers to record comprehensive details about their products. This includes clearly defining and explaining the software bill of materials (SBOM) and the hardware bill of materials (BoM), listing the harmonised EU cybersecurity standards the product conforms to, and conducting in-depth risk assessments that serve both the OEM and the end user. Manufacturers must also disclose the nature of the software used, open-source or proprietary, and commit to continuous vigilance for the product's whole support period: monitoring for vulnerabilities, reporting actively exploited vulnerabilities and severe incidents to the authorities, and informing users of security issues and the fixes for them.
Another fundamental component of the CRA that affects manufacturers is the mandated update mechanism, delivered over a wired or wireless connection. This mechanism is essential for two reasons:
- The OEM is responsible for maintaining the product's security throughout its entire lifecycle.
- The product's security features must be able to improve as it progresses through its lifecycle. The update mechanism must therefore itself be secure: the OEM has to safeguard the integrity and, where required, the confidentiality of the firmware, and the device must reject images that are unsigned, tampered with, or older than the version it already runs.
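As an added example (not code from this page or from any supplier it names), the following Go program shows both halves of a secure update mechanism of the kind the CRA calls for: the OEM build server hashes, encrypts and signs an image, and the device's updater verifies the signature, enforces anti-rollback, and only then decrypts and checks the image. The signing key, image key, manifest layout and firmware bytes are all constructed for the example; on a real device the image key and the vendor's public key would sit in a secure element or OTP memory.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Manifest is the metadata the OEM signs for every firmware release (constructed layout).
type Manifest struct {
	Version   uint32   // monotonic counter; the device refuses anything not newer
	ImageHash [32]byte // SHA-256 of the plaintext image
	Nonce     [12]byte // AES-GCM nonce, fresh for every release
}

// encode serialises the manifest deterministically so signer and verifier process the same bytes.
func (m Manifest) encode() []byte {
	b := make([]byte, 4+32+12)
	binary.BigEndian.PutUint32(b[0:4], m.Version)
	copy(b[4:36], m.ImageHash[:])
	copy(b[36:48], m.Nonce[:])
	return b
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// BuildUpdate is the OEM build-server side: hash, encrypt and sign a new image.
// signKey is the OEM's (offline) signing key; imageKey is the key shared with the device fleet.
func BuildUpdate(signKey ed25519.PrivateKey, imageKey []byte, version uint32, image []byte) (Manifest, []byte, []byte, error) {
	m := Manifest{Version: version, ImageHash: sha256.Sum256(image)}
	if _, err := rand.Read(m.Nonce[:]); err != nil {
		return Manifest{}, nil, nil, err
	}
	gcm, err := newGCM(imageKey)
	if err != nil {
		return Manifest{}, nil, nil, err
	}
	// The encoded manifest is bound in as AAD, so a ciphertext cannot be re-paired with another manifest.
	ciphertext := gcm.Seal(nil, m.Nonce[:], image, m.encode())
	return m, ed25519.Sign(signKey, m.encode()), ciphertext, nil
}

// VerifyAndDecrypt is the device side (bootloader or update agent). The order matters:
// authenticate the manifest first, then enforce anti-rollback, and only then touch the ciphertext.
func VerifyAndDecrypt(vendorPub ed25519.PublicKey, imageKey []byte, installedVersion uint32,
	m Manifest, sig, ciphertext []byte) ([]byte, error) {
	if !ed25519.Verify(vendorPub, m.encode(), sig) {
		return nil, errors.New("manifest signature invalid")
	}
	if m.Version <= installedVersion {
		return nil, errors.New("rollback rejected: version not newer than installed")
	}
	gcm, err := newGCM(imageKey)
	if err != nil {
		return nil, err
	}
	plain, err := gcm.Open(nil, m.Nonce[:], ciphertext, m.encode())
	if err != nil {
		return nil, errors.New("image authentication or decryption failed")
	}
	if sha256.Sum256(plain) != m.ImageHash {
		return nil, errors.New("image hash does not match manifest")
	}
	return plain, nil
}

// Demo runs the exchange end to end with constructed keys and a constructed image, and reports
// whether the genuine update was accepted and whether a tampered image and a downgrade were rejected.
func Demo() (accepted, tamperRejected, rollbackRejected bool) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	imageKey := make([]byte, 32) // on a real device this would live in a secure element or OTP
	rand.Read(imageKey)
	image := []byte("constructed firmware image v2 (not a real binary)")

	m, sig, ct, err := BuildUpdate(priv, imageKey, 2, image)
	if err != nil {
		return
	}
	plain, err := VerifyAndDecrypt(pub, imageKey, 1, m, sig, ct)
	accepted = err == nil && bytes.Equal(plain, image)

	bad := append([]byte(nil), ct...)
	bad[0] ^= 0x01 // flip one ciphertext bit: the GCM tag check must fail
	_, err = VerifyAndDecrypt(pub, imageKey, 1, m, sig, bad)
	tamperRejected = err != nil

	_, err = VerifyAndDecrypt(pub, imageKey, 2, m, sig, ct) // device already runs v2: replay/downgrade
	rollbackRejected = err != nil
	return
}

func main() {
	a, t, r := Demo()
	fmt.Printf("genuine accepted=%v, tampered rejected=%v, rollback rejected=%v\n", a, t, r)
}
```

The checks are deliberately ordered so that an unsigned or forged manifest is rejected before any decryption work or flash write happens, and the version comparison is made against the manifest the signature covers, not against anything inside the ciphertext. Binding the manifest into the AEAD as associated data closes the gap where an attacker pairs a validly signed old manifest with a different encrypted image.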
Further CRA requirements include device authentication, device identity management, device access management, data integrity and data confidentiality. The mechanisms to fulfil them already exist: they are not technological innovations but the application of established secure-design practice.
Compliance with the CRA
For OEMs, adhering to the CRA starts with a risk assessment, which can be a considerable challenge. The CRA's risk-based approach classifies products into four categories:
Critical products
Critical products form the highest category the CRA defines. Products such as smartcards, secure elements and trusted platform modules (TPMs) fall here because so many other products depend on them. For this category the CRA provides for mandatory third-party conformity assessment and, where the European Commission so decides, certification under a European cybersecurity certification scheme at assurance level 'substantial' or 'high' (the assurance levels defined by the EU Cybersecurity Act, Regulation (EU) 2019/881).
Important Class I
Products with cybersecurity-related functionality, or whose compromise could negatively affect a broad range of other products or the health and safety of users. Examples include virtual private networks (VPNs), operating systems (OS), routers, and microcontrollers (MCUs) and microprocessors (MPUs) with security-related functionality. OEMs can demonstrate conformity either by applying a harmonised standard or by having a third-party conformity assessment performed.
Important Class II
Products whose compromise could have more severe consequences, because of their cybersecurity-related role or because they perform another function that carries significant risk. Examples include firewalls and tamper-resistant microprocessors and microcontrollers. For Class II, the CRA mandates a third-party conformity assessment; applying a harmonised standard alone is not sufficient.
Default
The default category covers every other product with digital elements, for example photo-editing software, smart speakers, video games and hard disk drives. These products may be self-assessed.
Despite the allowance for self-assessment, manufacturers must still meet the essential security requirements. These include maintaining data integrity and confidentiality, managing the provisioning of security keys and certificates, identifying and mitigating vulnerabilities, notifying the market of any security issues discovered, and delivering improvements to the product's security features through a secure update mechanism.
Technical support for CRA compliance
Avnet Silica offers a range of supplier solutions, providing developers with the tools and technologies needed to enhance the cybersecurity and trust of their embedded systems and IoT devices. These solutions help mitigate security risks, protect sensitive data, and ensure the integrity and reliability of connected devices.
> STMicroelectronics
STM32Trust is a comprehensive set of security solutions from STMicroelectronics for its STM32 MCU family. It leverages Arm® TrustZone®-M technology to separate the secure and non-secure sides of the system architecture; the STM32 MPU family relies on Arm® TrustZone®-A for application processors. The suite also includes hardware-based security features such as the STSAFE secure elements and TPMs, which provide a high level of resistance to physical and side-channel attacks.
On the factory programming side, STM32Trust offers Secure Firmware Installation (SFI) for the STM32 MCUs, protecting the confidentiality of the firmware when needed, and it ties in with the in-field update mechanism. Secure Secret Provisioning (SSP) for the MPUs injects secrets securely to establish the root-of-trust features. The secure elements are also available with generic or custom profiles.
Focusing on the STM32H573, which is based on an Arm® Cortex®-M33 with cryptographic accelerators and hardware-based secure storage: on the software side, STMicroelectronics provides and maintains a pre-built Secure Manager root of trust as a non-modifiable binary, certified to SESIP Level 3 (Security Evaluation Standard for IoT Platforms). Both the hardware and the software are pre-certified and maintained by the device manufacturer, which makes CRA compliance much easier for the OEM. If the security software needs updating, STMicroelectronics provides the binary that implements the fix or a new cryptographic algorithm. The device is SFI-compatible and comes pre-provisioned with X.509 certificates and attestation keys. Avnet Programming Centers, facilitated by Avnet Silica's collaboration with System General, can help provision these devices.
> NXP Semiconductors
The NXP EdgeLock® range of security solutions is intended to bolster the security of edge-connected devices. The hardware portfolio includes secure elements (SE05x and A5000), secure MCUs such as the LPC55Sxx, i.MX RT11xx, MCX N54x and MCX N94x, and secure MPUs including the i.MX 8ULP, i.MX 93 and i.MX 91.
For factory programming, these devices come with EdgeLock® secure elements or secure enclaves that are provisioned with NXP-issued X.509 certificates. The secure elements and enclaves can be managed remotely through the EdgeLock® 2GO service, which allows provisioning in the field, on the production line, or within Avnet Programming Centers, facilitated by Avnet Silica's collaboration with System General.
> Renesas
Renesas offers security solutions that are integrated into its MCUs to secure embedded systems and IoT devices. These integrated solutions include hardware-based security features, although Renesas does not provide standalone secure elements.
The Device Lifecycle Management (DLM) Server Tool from Renesas is used for factory programming and for administering the injection of shared keys into the chips. Renesas does not currently provide X.509 certificates for its devices; however, Avnet Programming Centers, facilitated by Avnet Silica's collaboration with System General, can provision such certificates.
> Microchip
Microchip's Trust Platform delivers discrete secure elements, specifically the ATECC608 and TA100. The PIC32CM LS60 combines an Arm® Cortex®-M23 core with an ATECC608-class secure element in a single package. Microchip also offers select OEMs early access to the PIC32CK, which integrates an Arm® Cortex®-M33 core with a hardware security module.
Microchip conducts programming services, with the Trust Platform Design Suite (TPDS) allowing OEMs to define their specific requirements. Additionally, Avnet Silica provides Microchip programming services through MCC Direct, offering further support for OEMs in their security implementations.
Avnet Silica's technical teams help developers select suitable hardware, focusing on services that address confidentiality, integrity and authentication. The CRA-related services cover key generation, public-key injection, root-of-trust provisioning with device certificates, and collection of chip IDs.
This combination of hardware and services provides a distinct offering from Avnet Silica compared to other component suppliers. Furthermore, Avnet Silica aids its customers in monitoring their businesses and identifying emerging opportunities.
Avnet Silica delivers a range of cybersecurity solutions throughout all stages, from initial design to mass production and across the product lifecycle. The company operates as a central point for accessing all services and tools from its suppliers, catering to various applications and supply chain configurations. This includes support for specific certificates and keys required for cloud authentication, such as AWS Connection and Azure Connection, as well as the protection of OEM intellectual property with integrated confidentiality certificates and keys.
While chip manufacturers typically provide only generic certificate authority (CA) material, Avnet Silica can supply the specific certificates and details necessary for compliance with ecosystem standards such as Matter.
Timing and methods for secure provisioning
The Avnet Silica Warehouse enables precise control over the secure provisioning process: devices are provisioned and locked before shipment, after which the OEM loads its firmware. This centralised approach suits specific scenarios but requires the customisation content to be finalised before the components are dispatched.
For OEMs that prefer to conduct secure provisioning directly on their production line or via the EMS production line, Avnet Silica provides the TOPS Plug&Go solution. This is a compact Hardware Security Module (HSM) equipped with the necessary keys and certificates for loading onto the device.
This method gives the OEM greater flexibility in managing the supply chain and production quantities, though it does require the EMS to integrate a third-party product into its line, potentially with internet access.
When credentials are not injected during manufacturing, late personalisation is performed in the field. An agent in the IoT device connects to the appropriate Public Key Infrastructure (PKI) cloud service on initialisation, using a platform such as NXP's EdgeLock® 2GO or a comparable service from a strategic partner such as Keyfactor. Late personalisation requires reliable internet connectivity, and devices leave the manufacturing site without preloaded credentials; the PKI service must therefore still be able to tell a genuine device from a counterfeit one at first contact, for example via a pre-provisioned attestation key in a secure element or a list of expected device serials.
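As an added example (not code from this page, and not an implementation of EdgeLock® 2GO or of any Keyfactor product), the following Go program models the late-personalisation exchange: the device generates its own key pair and sends a certificate signing request (CSR) to an OEM-run PKI, which checks proof of possession and an allow-list of expected serials before issuing a client-authentication certificate that a cloud endpoint can later chain back to the OEM device CA. The CA, the device serials and the allow-list are constructed for the example; the transport to the PKI endpoint (normally TLS) is omitted.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// EnrollmentRequest is the device-side step: the key pair is generated on the device and the
// private half never leaves it; only a CSR binding the serial to the public key is sent out.
func EnrollmentRequest(serial string) (*ecdsa.PrivateKey, []byte, error) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // generated on-device, never exported
	tmpl := &x509.CertificateRequest{Subject: pkix.Name{CommonName: serial}}
	csr, err := x509.CreateCertificateRequest(rand.Reader, tmpl, key)
	return key, csr, err
}

// OEMPKI stands in for the cloud PKI service: the OEM device CA plus a constructed allow-list
// of serials permitted to enrol (in practice fed from the production records).
type OEMPKI struct {
	caCert  *x509.Certificate
	caKey   *ecdsa.PrivateKey
	allowed map[string]bool
}

// NewOEMPKI builds a constructed, self-signed device CA for the example.
func NewOEMPKI(allowedSerials []string) *OEMPKI {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example OEM Device CA"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(10 * 365 * 24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	cert, _ := x509.ParseCertificate(der) // re-parse so the CA can act as a chain parent
	p := &OEMPKI{caCert: cert, caKey: key, allowed: map[string]bool{}}
	for _, s := range allowedSerials {
		p.allowed[s] = true
	}
	return p
}

// Issue checks the CSR's proof of possession and that the serial is expected, then signs a
// leaf certificate restricted to client authentication.
func (p *OEMPKI) Issue(csrDER []byte) ([]byte, error) {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil || csr.CheckSignature() != nil {
		return nil, errors.New("malformed CSR or proof of possession failed")
	}
	if !p.allowed[csr.Subject.CommonName] {
		return nil, errors.New("serial not on the enrolment allow-list")
	}
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	leaf := &x509.Certificate{
		SerialNumber: serial, Subject: csr.Subject,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(5 * 365 * 24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	return x509.CreateCertificate(rand.Reader, leaf, p.caCert, csr.PublicKey, p.caKey)
}

// Verify is what a cloud endpoint does when the device later presents its certificate:
// chain it to the OEM device CA and take the device identity from the subject.
func (p *OEMPKI) Verify(leafDER []byte) (string, error) {
	leaf, err := x509.ParseCertificate(leafDER)
	if err != nil {
		return "", err
	}
	roots := x509.NewCertPool()
	roots.AddCert(p.caCert)
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := leaf.Verify(opts); err != nil {
		return "", err
	}
	return leaf.Subject.CommonName, nil
}

// Demo enrols one expected device and one unknown device; it returns the identity recovered
// from the issued certificate and whether the unknown device was refused.
func Demo() (identity string, unknownRejected bool, err error) {
	pki := NewOEMPKI([]string{"SN-0001"}) // constructed serial from the production run
	_, csr, _ := EnrollmentRequest("SN-0001")
	certDER, err := pki.Issue(csr)
	if err != nil {
		return "", false, err
	}
	identity, err = pki.Verify(certDER)
	_, rogueCSR, _ := EnrollmentRequest("SN-9999") // never provisioned, must be refused
	_, rogueErr := pki.Issue(rogueCSR)
	return identity, rogueErr != nil, err
}

func main() {
	id, rejected, err := Demo()
	fmt.Println("enrolled:", id, "unknown rejected:", rejected, "err:", err)
}
```

The allow-list is the simplest stand-in for the proof a real service would demand (an attestation signature from a secure element, or a one-time enrolment token); without some such check, anyone who can reach the endpoint can mint a device identity. The CSR signature check matters too: it proves the requester holds the private key, so the PKI never issues a certificate for a public key the device cannot use.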
Overall, Avnet Silica's value proposition is centred on technical expertise, a comprehensive product offering, supply chain solutions, value-added services and market support. Witekio, an on-demand trusted Avnet Silica partner dedicated to customised security software and services for embedded and connected devices, delivers CRA compliance support; its packaged services start with a cybersecurity workshop to establish a hardware secure-by-design methodology.
The fast-track Linux service provides the OEM with everything they need to ensure their device is delivered on the market fully secured, and the Linux long-term maintenance service ensures that the device remains secure in the market via regular vulnerability checks and software update deployments.
Conclusion
In summary, Avnet Silica provides solutions and technical support to assist OEMs in meeting CRA requirements, offering services from key generation to secure device management and provisioning. Secure provisioning can be managed through Avnet Silica’s Warehouse, TOPS Plug&Go, or late personalisation methods, depending on the OEM’s needs. Witekio, as an Avnet Silica partner, offers additional customised security services to ensure devices comply with the CRA.
We Talk IoT Podcast
Episode 55: Securing the Future: Understanding the Cyber Resilience Act
This episode of the We Talk IoT Podcast covers an exciting and crucial topic: the Cyber Resilience Act. With us are two guests who are experts in their fields: Guillaume Crinon, Director of IoT Business Strategy at Keyfactor, and Romain Tesniere, Business Development Manager at Avnet Silica. Guillaume and Romain bring a wealth of knowledge and experience in IoT security and business strategy, making them the perfect guides to help us navigate this important legislation.
The Cyber Resilience Act aims to enhance the security of connected devices, but what does that mean for businesses, developers, and end-users? We'll explore the benefits, challenges, and impacts of this Act and practical steps for ensuring IoT security.