The Cyber Resilience Act is here

Tuesday, December 10, 2024

Introduction
The Cyber Resilience Act Enters Into Force Today

As of today, the Cyber Resilience Act (CRA) officially enters into force, ushering in new regulatory requirements for manufacturers of embedded devices and critical software. Although most provisions of the CRA won’t take effect until late 2027, it is critical for device makers to start preparing now.
The CRA focuses on bolstering cybersecurity and ensuring that devices remain secure throughout their lifecycle. This checklist will help you understand the key actions needed to get ready for the impending requirements and ensure that your products comply with the new rules.

1. Put a Software Update System into Place

This is probably the single most important thing you can do. The CRA mandates that software updates must be available for devices to address vulnerabilities throughout their lifespan. Furthermore, these updates need to be automatic by default, ensuring that users receive them without needing to initiate the process themselves. As a manufacturer, you should implement a robust software update system capable of handling both security patches and general updates. Crucially, your system must be able to update all components of your device—not just the application software. If you can only update the app but not the operating system, bootloader, or other critical firmware, you risk facing costly recalls if vulnerabilities are discovered in these unpatched parts.

It’s also very important that your software update system itself is secure. A compromised software update system can lead to disaster, and the software updater is a valuable target for attackers. Your threat model for your software update system should include more than just the risk of an attacker using it to install their own malicious software, though: it can be equally damaging to allow the installation of old software that has exploitable vulnerabilities, or prevent vulnerabilities from being patched.
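As an added example (not code from the original post), here is a minimal updater check in Python that enforces the three properties this section describes: the image must come from the vendor, it must match its signed manifest, and it must not be older than the version already installed for that component. The vendor key, manifest layout and the HMAC stand-in for a real asymmetric signature are all assumptions.

```python
import hashlib
import hmac
import json

# Constructed demo secret. A production updater would use an asymmetric
# signature (e.g. Ed25519) so the device holds only a public key; HMAC stands
# in here so the example runs on the Python standard library alone.
VENDOR_KEY = b"constructed-demo-key"

def make_manifest(component: str, version: int, payload: bytes) -> dict:
    """Describe one updatable component: name, monotonic version, image hash."""
    return {"component": component, "version": version,
            "sha256": hashlib.sha256(payload).hexdigest()}

def sign_manifest(manifest: dict, key: bytes = VENDOR_KEY) -> bytes:
    # Canonical JSON so signer and verifier hash identical bytes
    body = json.dumps(manifest, sort_keys=True).encode()
    return hmac.new(key, body, hashlib.sha256).digest()

def verify_update(manifest: dict, signature: bytes, payload: bytes,
                  installed: dict, key: bytes = VENDOR_KEY) -> str:
    """Return 'ok' or the reason the update must be rejected.

    Authenticity is checked first so that nothing in the manifest or
    payload is trusted before its origin is established.
    """
    if not hmac.compare_digest(sign_manifest(manifest, key), signature):
        return "bad-signature"
    component = manifest["component"]
    if component not in installed:
        return "unknown-component"
    # Anti-rollback: a genuinely signed but older image may reintroduce
    # vulnerabilities that the currently installed version already fixed.
    if manifest["version"] < installed[component]:
        return "rollback"
    if not hmac.compare_digest(hashlib.sha256(payload).hexdigest(),
                               manifest["sha256"]):
        return "payload-mismatch"
    return "ok"

# Constructed device state and a signed bootloader image
INSTALLED = {"bootloader": 1, "os": 4, "app": 12}
PAYLOAD = b"constructed bootloader image v2"
MANIFEST = make_manifest("bootloader", 2, PAYLOAD)
SIGNATURE = sign_manifest(MANIFEST)

if __name__ == "__main__":
    print(verify_update(MANIFEST, SIGNATURE, PAYLOAD, INSTALLED))
```

Because the manifest names the component and carries its own version counter, the same check covers the bootloader, OS and application images rather than only the app.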

2. Start Monitoring Software and Dependencies for Vulnerabilities

The CRA requires manufacturers to monitor and address vulnerabilities in the software and dependencies they use. This includes regularly scanning for known vulnerabilities using CVE (Common Vulnerabilities and Exposures) databases and scanning tools. However, relying solely on scanning tools may not be enough. Choose your base hardware and software carefully—using outdated or poorly supported software could result in additional maintenance work or security issues down the line, potentially violating CRA provisions. Choosing low-cost silicon vendors that don’t provide long-term support for their BSPs may save money in the short term but result in a much higher total cost of ownership.

3. Create a Risk Profile for Your Product

To comply with the CRA, manufacturers don’t need to address every single potential security flaw or CVE related to their product. You can define a clear risk profile for your product to help identify, categorize, and triage vulnerabilities. Develop a threat model that helps you focus on the vulnerabilities that matter most, whether that’s through physical device attacks, network breaches, or software exploits. By narrowing your focus to the most relevant risks, you can prioritize security efforts and avoid wasting resources on non-critical issues, while still remaining in compliance.

4. Evaluate Technical Measures to Mitigate Your Risks

Once you've identified potential risks, it’s time to implement technical measures to mitigate them. If your device processes personal data or sensitive information (like passwords or cryptographic secrets), you should implement encryption at rest to protect that data. Additionally, take advantage of the hardware security features provided by your silicon vendor, such as hardware-based key management. To further reduce risks, especially from malicious software, consider implementing Secure Boot by default. Secure Boot ensures that only trusted and signed code can run on the device.

5. Set Up Security Points of Contact and Disclosure Policies

Under the CRA, manufacturers must designate a contact point where users or third parties can report security vulnerabilities. This requirement ensures that vulnerabilities are discovered, communicated, and addressed promptly. In addition to this contact point, you will need to establish clear disclosure policies outlining how you will publicly disclose vulnerabilities once discovered. This will include setting timelines for notifications, procedures for fixing vulnerabilities, and how end users will be informed of the updates and patches available.

6. Make Sure You Are Generating a Comprehensive Software Bill of Materials (SBOM)

The CRA requires that manufacturers generate and maintain a comprehensive Software Bill of Materials (SBOM) for all products. The SBOM is a detailed list of all the components—both proprietary and third-party—that make up the software within a product. Having a clear and up-to-date SBOM is crucial for demonstrating compliance with the CRA and ensuring transparency in the software supply chain. Fortunately, there are open-source tools available that can help you generate and manage your SBOM efficiently, reducing the complexity of this task. An accurate SBOM also makes vulnerability monitoring much easier.
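An added example tying sections 2 and 6 together (not code from the original post): a constructed CycloneDX-style SBOM is matched against a constructed advisory list to flag every shipped component whose version falls inside an affected range. The package names, advisory ids and the introduced_in/fixed_in range fields are all assumptions.

```python
import json
import re

# Constructed, minimal CycloneDX-style SBOM with fictional package names,
# in the shape an SBOM generator would emit for a device image.
SBOM_JSON = """{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "components": [
    {"name": "libexample-tls", "version": "2.3.1", "purl": "pkg:generic/libexample-tls@2.3.1"},
    {"name": "bsp-kernel", "version": "5.10.4", "purl": "pkg:generic/bsp-kernel@5.10.4"},
    {"name": "vendor-app", "version": "3.4.0", "purl": "pkg:generic/vendor-app@3.4.0"}
  ]
}"""

# Constructed advisory feed; the ids are placeholders, not real CVE numbers.
# A range is introduced_in <= version < fixed_in (None = from the first release).
ADVISORIES = [
    {"id": "DEMO-0001", "package": "libexample-tls", "introduced_in": None, "fixed_in": "2.3.2"},
    {"id": "DEMO-0002", "package": "libexample-tls", "introduced_in": "2.0.0", "fixed_in": "2.2.0"},
    {"id": "DEMO-0003", "package": "bsp-kernel", "introduced_in": "5.10.0", "fixed_in": "5.10.9"},
    {"id": "DEMO-0004", "package": "not-shipped", "introduced_in": None, "fixed_in": "9.9.9"},
]

def parse_version(v: str) -> tuple:
    # Dotted numeric versions only; real tooling applies purl-type-specific ordering
    return tuple(int(x) for x in re.findall(r"\d+", v))

def load_components(sbom_json: str) -> dict:
    """Map component name -> version from a CycloneDX JSON document."""
    sbom = json.loads(sbom_json)
    if sbom.get("bomFormat") != "CycloneDX":
        raise ValueError("unsupported SBOM format")
    return {c["name"]: c["version"] for c in sbom["components"]}

def is_affected(version: str, introduced_in, fixed_in: str) -> bool:
    v = parse_version(version)
    lower_ok = introduced_in is None or parse_version(introduced_in) <= v
    return lower_ok and v < parse_version(fixed_in)

def find_affected(components: dict, advisories: list) -> list:
    """Return (advisory id, package, shipped version, fixed_in) for each hit."""
    hits = []
    for adv in advisories:
        version = components.get(adv["package"])
        if version is not None and is_affected(version, adv["introduced_in"], adv["fixed_in"]):
            hits.append((adv["id"], adv["package"], version, adv["fixed_in"]))
    return sorted(hits)
```

Advisories for packages absent from the SBOM produce no work item, which is exactly why an accurate SBOM keeps the triage list short.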

Conclusion

As the Cyber Resilience Act comes into effect, device makers need to be proactive in preparing for the upcoming changes. Although you still have plenty of time to prepare, it’s important to start planning now. Software updates, vulnerability monitoring, risk assessment and threat modeling, technical security measures, disclosure policies, and SBOM generation are all critical elements of CRA compliance, and focusing on those things early on in your development process will save a lot of painful effort later on.
