How to achieve security in connected devices – visualizing the path
The security of your connected devices has never been more important. Advancing technology brings more benefits, added value and overall positive impacts. But because your device is connected, it becomes more easily accessible not only to you but also to others. This means that hackers (malicious third parties, criminals) and government agencies (military, critical infrastructure attacks) can also access your data more easily. That is why the EU and the USA are regulating the cyber security of devices, software and digital services.
Several security functionalities, such as authentication, access control, cryptography, secure updates and hardening, are becoming mandatory for IoT devices sold in Europe. To implement them, you need to select the right hardware and software components without exploitable vulnerabilities, and have a design team with the required expertise. The required security posture and the skills needed both depend on the intended use of the device and on component selection.
“Out of the box thinking helps uphold a higher level of consistency in regard to the security of your devices,” according to Tomasz Śleboda, Software Specialist. “A good way to think outside the box is to start development with a threat and risk assessment. This method identifies why and how hackers could potentially gain access to the device – and defines how to prevent them.” “Moreover, security must be approached as the primary concern for connected devices. There are numerous ways to address this; many commercial and open source embedded operating systems follow reliable standards, e.g. from IEC (International Electrotechnical Commission).”
Certification from organizations is one way to approach security and standards.
Even though it is in the best interest of all legitimate parties, taking measures to secure connected devices is no longer voluntary. Etteplan has been following the regulatory changes related to cyber security and has delivered software and device development following secure-by-design principles for the last few years. Some of the newest regulatory additions, as outlined by Antti Tolvanen, Sales Director in Software and Embedded Solutions, follow in the next section.
Impact of updated cyber security regulations
By the 1st of August 2024, the Declarations of Conformity of wireless IoT devices with the RED delegated act for Article 3(3)(d), (e) and (f) need to be renewed in order to legally continue their sales in the EU.
Before the end of 2024, the NIS2 directive will make information security management systems along with secure development procedures mandatory for all Entities and their direct suppliers, which also affects the whole supply chain. Digital service providers, such as Software as a Service companies and Managed Service Providers, will start applying NIS2 along with an implementing act that includes more detailed security requirements.
During the year 2026, the Cyber Resilience Act will make cyber security a mandatory part of CE marking for all products with digital elements (all devices, software and many software and hardware components). Already in 2025, vulnerability and incident reporting will become mandatory, also for all old products. It is important to note that for Critical Products, which include devices such as routers, gateways, Industrial IoT, robots and smart meters, there will be mandatory 3rd party compliance assessments. However, manufacturer self-assessment will be possible for non-critical Products.
One particularly interesting detail is that medically proven psychological harm and non-compliance with cyber security legislation have been added to the device / software manufacturer’s liability in the recently published EU Liability Directive proposal.
In the United States, the work following Executive Order 14028 is proceeding: the recent Office of Management and Budget memorandum gives software and device suppliers to Federal Agencies only 270 days to attest compliance with NIST guidelines. The Federal Acquisition Regulation is also being updated, and CISA will publish Binding Operational Directives for the US. For critical infrastructure, both the EU and US markets will be horizontally regulated with respect to cyber security.
What this means for secure embedded devices
Among the most important aspects of embedded security are secure boot and secure updates, which are used to run only authenticated firmware. One of the most crucial architectural decisions is the selection of the critical hardware components that support these security functionalities.
Different devices require different levels of protection. Operating systems such as Linux and Zephyr can be used as a guide to industry demands and therefore offer reliable choices. It is very beneficial to select an operating system that provides support for various security functionalities and that is in turn supported by the wider community. It is very important to check that the silicon vendor supports the selected operating system, as well as the vendor-specific hardware solutions.
From the perspective of the application, proactively staying ahead and consistently keeping up to date with security is the best way to avoid risks. Regularly cross-referencing the device's Software Bill of Materials with publicly known exploitable vulnerabilities, along with vulnerability reporting, is turning into a legal requirement. Changing passwords, multi-factor authentication, limited access time, and role-based access levels are some of the functionalities that you can use to reach the appropriate level of security.
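The SBOM cross-referencing mentioned above can be automated along the following lines. This is an added example, not code from Etteplan or from the original article; the CycloneDX-style SBOM, the component names, the advisory feed and its placeholder IDs are all constructed, and versions are assumed to be dotted numbers.

```python
import json
import re
# Constructed CycloneDX-style SBOM for a hypothetical gateway firmware image.
SBOM_JSON = """{"bomFormat": "CycloneDX", "specVersion": "1.5", "components": [
  {"type": "library", "name": "example-tls", "version": "3.0.7"},
  {"type": "library", "name": "example-mqtt", "version": "2.10.0"},
  {"type": "firmware", "name": "example-bootloader", "version": "1.4.2",
   "components": [{"type": "library", "name": "example-zlib", "version": "1.2.11"}]},
  {"type": "library", "name": "example-json"}
]}"""

# Constructed advisory feed; the IDs are placeholders, not real CVE numbers.
# A component is affected when introduced <= version < fixed.
ADVISORIES = [
    {"id": "EXAMPLE-0001", "name": "example-tls", "introduced": "3.0.0", "fixed": "3.0.8"},
    {"id": "EXAMPLE-0002", "name": "example-mqtt", "introduced": "1.0.0", "fixed": "2.9.0"},
    {"id": "EXAMPLE-0003", "name": "example-zlib", "introduced": "0", "fixed": "1.2.12"},
    {"id": "EXAMPLE-0004", "name": "example-json", "introduced": "0", "fixed": "4.0.0"},
]

def version_key(version):
    # '2.10.0' -> (2, 10, 0): compare numerically, so 2.10.0 is newer than 2.9.0.
    return tuple(int(part) for part in re.findall(r"\d+", version))

def walk(components):
    # Yield every component, including those nested inside other components.
    for comp in components:
        yield comp
        yield from walk(comp.get("components", []))

def cross_reference(sbom, advisories):
    # Returns (affected, unverifiable), each a list of (name, version, advisory id).
    affected, unverifiable = [], []
    for comp in walk(sbom.get("components", [])):
        for adv in advisories:
            if adv["name"] != comp.get("name"):
                continue
            version = comp.get("version")
            if not version:
                # No version recorded: the advisory cannot be ruled out, so flag it.
                unverifiable.append((comp["name"], None, adv["id"]))
            elif version_key(adv["introduced"]) <= version_key(version) < version_key(adv["fixed"]):
                affected.append((comp["name"], version, adv["id"]))
    return affected, unverifiable

if __name__ == "__main__":
    hits, review = cross_reference(json.loads(SBOM_JSON), ADVISORIES)
    for name, version, adv_id in hits + review:
        print(f"{'AFFECTED' if version else 'REVIEW'}  {name} {version or '(no version)'}: {adv_id}")
```

Components without a recorded version are reported for manual review instead of being treated as clean, because a gap in the SBOM cannot rule a vulnerability out.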
Author
Tomasz Śleboda, Software Specialist