Unpicking standards and regulations in cybersecurity

In cybersecurity, standards and regulations are not the same thing. As technology becomes increasingly integral to our lives, robust standards and regulations are needed. This is equally, if not more, true of semiconductors and cybersecurity. This article analyses the growing need for and fundamental differences between standards and regulations and how they interact.

Despite the staggering investment of over 80 billion USD in the cybersecurity business, with projections suggesting that the market will surpass 87 billion USD in 2024, cyber attacks targeting government organisations and major corporations continue to make headlines. This persistent threat serves as a stark reminder of the urgent need for more robust cybersecurity measures. So, how is the semiconductor industry striving to become more resilient to cyber threats?

Cybersecurity standards


Within the private sector, the industry is structuring itself with cybersecurity standards that are the product of international consensus among industry, academia, and government experts. These standards are designed to manage new forms of risks and to complement future regulations.

Typically, standards are introduced by working groups and are sponsored by organisations, including the European Telecommunications Standards Institute (ETSI), National Institute of Standards and Technology (NIST), American National Standards Institute (ANSI), Internet Engineering Task Force (IETF), and Open Web Application Security Project (OWASP).

Additionally, private standards bodies such as the International Organization for Standardization (ISO) publish internationally recognised standards, and standards recognised across Europe carry the EN designation. Compliance with a standard is usually voluntary, allowing businesses to adapt to changing market conditions and contractual obligations.

Within the industry, there are numerous cybersecurity standards. For instance, the ETSI EN 303 645 standard is designed to prevent widespread attacks against smart devices by establishing a security baseline and incorporating security into products by design. This standard is applicable globally and targets consumer IoT devices like smart TVs and speakers, smart doorbells, and smart toys. The standard also covers connected gateways, hubs, and base stations. Among its 13 recommendations to IoT device manufacturers, the top three are: no default passwords, the implementation of a vulnerability disclosure policy, and regular software updates.

Similarly, the ISA/IEC 62443 standards provide guidance for industrial automation and control systems, ensuring safety, integrity, and security throughout their lifecycle. These standards help asset owners determine the level of security required to meet their business and risk needs, establish a cybersecurity lifecycle methodology for product developers, and include mechanisms for product certification and risk assessment.

Cybersecurity regulations

Regulations, conversely, are mandatory rules implemented by the public sector to enforce measures that improve cybersecurity. They are made by governments or other authorities to control practices and behaviour that affect cybersecurity risk, and in the EU they come in two forms: regulations and directives.

The EU Cyber Resilience Act (CRA) is a regulation that describes the cybersecurity requirements for hardware and software products with digital elements placed on the EU market, and it applies directly across all EU member states. On the other hand, the Network and Information Security (NIS) Directive, now superseded by the NIS2 Directive, is a directive: it sets out goals to improve cybersecurity across the EU but leaves each member state to devise its own laws to meet them.

See a comprehensive overview of the Cyber Resilience Act, understand the impact of non-conformity and explore Avnet Silica's supplier partner solutions for CRA compliance.


The Cyber Resilience Act aims to enhance the security of connected devices, but what does that mean for businesses, developers, and end-users? We'll explore the benefits, challenges, and impacts of this Act and practical steps for ensuring IoT security in our 'We Talk IoT' podcast.


How standards and regulations interact

Standards can serve as guidelines for regulated organisations, providing methodologies and technical requirements that help them demonstrate compliance with regulations. Existing standards can also influence the content of forthcoming regulations by laying foundations and expressing consensus on a subject. Indeed, the EU CRA refers to certain existing EU standards and, in some cases, replicates their requirements entirely.

The General Data Protection Regulation (GDPR), which came into effect in 2018, is not exclusively a cybersecurity regulation, but it mandates the protection of collected personal data.

As mentioned earlier, the NIS2 Directive is the first EU-wide cybersecurity regulation for digital service providers and operators of essential services, imposing specific cybersecurity requirements and mandatory reporting of security incidents.

The Radio Equipment Directive (RED), initially a framework that aimed to prevent radio interference in radio equipment, now includes high-level cybersecurity requirements but does not cover software or services.

The EU CRA covers all products with digital elements placed on the market that can be connected to a device or a network, including their building blocks (both hardware and software), and it also encompasses solutions provided in a Software-as-a-Service (SaaS) manner if they qualify as remote data processing solutions.

Therefore, the scope of the EU CRA not only covers digital elements in the form of finished goods like laptops, smartphones and industrial control switches; it also covers semiconductors like central processing units (CPUs) and graphics processing units (GPUs), their operating systems, software and firmware, and the update mechanisms needed throughout the lifetime of your finished product.

Remember, even though an individual hardware or software component may be considered less critical in terms of cybersecurity risk, it can still facilitate the initial compromise of a smart device or network, enabling malicious actors to gain privileged access to a system or move laterally across systems.

The impact of the CRA

The CRA shares similarities with the Delegated Regulation under the RED 2014/53/EU. While the RED encompasses electromagnetic compatibility (EMC) and health and safety considerations for radio equipment, it also includes cybersecurity requirements that are aligned with the CRA. Even so, adherence to the CRA will likely increase product development costs for OEMs, because of the need to conduct risk assessments and compile the requisite documentation.

Upon formal adoption of the CRA proposal, OEMs will enter a transition phase concluding at the end of 2024. Subsequently, OEMs will be granted a two-year period to ensure compliance. It is anticipated that the application of the CRA will commence between the end of 2026 and the beginning of 2027. Non-compliance may result in penalties, including fines of up to €15 million or up to 2.5% of the OEM’s annual turnover from the previous financial year. The EU member states will designate the enforcing authority.

Conclusion

The distinction between standards and regulations in cybersecurity is significant. Standards offer a voluntary framework based on consensus, while regulations enforce mandatory compliance. As technology evolves, the interplay between these two will continue to shape the cybersecurity landscape, ensuring that both products and services adhere to the highest levels of security.

Engineers working on semiconductor chip designs and those specifying chips may have already developed an understanding of cybersecurity standards and regulations. Now, with the advent of the EU CRA, a deeper understanding of the impacts of cybersecurity compliance is needed. With the help of its suppliers, Avnet Silica has developed a range of resources and services to help you get up to speed on the EU CRA requirements and ensure compliance for your designs.


About the author

Romain Tesniere

Romain Tesniere is Avnet Silica's Solution Selling Business Development Manager for Connectivity & Security. Romain is an expert in device security, management and provisioning and has, therefore, driven much of Avnet Silica's plans and activities surrounding the Cyber Resilience Act. He has also spoken at many events across EMEA about the impact of the CRA and what companies can do to ensure their products are CRA compliant.


We Talk IoT Podcast

Episode 55: Securing the Future: Understanding the Cyber Resilience Act

This episode of the We Talk IoT Podcast covers an exciting and crucial topic: the Cyber Resilience Act. With us are two guests who are experts in their fields: Guillaume Crinon, Director of IoT Business Strategy at Keyfactor, and Romain Tesniere, Business Development Manager at Avnet Silica. Guillaume and Romain bring a wealth of knowledge and experience in IoT security and business strategy, making them the perfect guides to help us navigate this important legislation.