Towards less vulnerable embedded electronics – New regulation for cybersecurity
Electronics manufacturers will soon be under new regulation that demands cybersecurity from their products, and even from their development process. Why is this happening, where does it apply, and what must be done?
New cybersecurity regulations, both global and regional, will be introduced during the 2020s. For instance, the European Union is about to introduce several new cybersecurity acts and directives.
“It is expected that a lot of new cybersecurity legislation will come into force around 2023. By and large, this will affect all manufacturers of electronic and electrical devices, because the EU will also start classifying these companies as critical infrastructure according to the upcoming NIS2 directive. Concurrently, the EU is revising the general safety and liability regulation of consumer products, and it has just published the Artificial Intelligence Act proposal. Overall, it seems that the EU is planning to regulate the security of devices and software if their use involves safety, environmental, property or fundamental-rights risks,” says Etteplan’s Antti Tolvanen, Sales Director for Software & Embedded.
For many years, the EU, along with industry and standardization organizations, has been developing voluntary cybersecurity standards and guidelines both for critical infrastructure operators and for manufacturers of operational technology. Now both operators and manufacturers need to start preparing for the regulatory change.
“The proposed NIS2 directive will expand the definition of critical infrastructure significantly. Many more industries will be classified among essential and important entities compared with the NIS directive currently in force. Purchasing, development and maintenance of information systems will be regulated from a security perspective in much more detail than before. Also, the likely adoption of the security-related delegated acts under the Radio Equipment Directive is expected to demand a technical security baseline from any device with a radio,” Tolvanen says.
These are just a few of the new regulations and standards waiting around the corner. Globally, the automotive industry will be on the front line of improving cybersecurity. From 2024, components and software in new cars must fulfill a wide set of cybersecurity requirements, which the automotive supply chain needs to start complying with already during 2022.
What is behind this wave of regulation?
So far, users of digital technology have largely been left to absorb whatever damage cyberattacks cause. This has applied to information technology (IT), but also to operational technology (OT). In most cases, manufacturers have not been sanctioned for selling vulnerable products, even after an incident has occurred. It has been up to the user to build a secure environment around them.
Operational technology is vital to the critical infrastructure of societies, and it is necessary for running industrial processes in factories. Traditionally, OT is well equipped for functional safety. However, compared with IT, OT lacks basic security features such as authentication, encryption and patchability. If attackers first succeed in compromising IT systems over the internet, they can often pivot into OT as well, especially where the IT and OT networks are not segmented from each other.
“Therefore, cyberattacks on OT may cause massive financial losses through lost production. But they can also pose huge safety risks to humans, property, and the environment,” Tolvanen says.
Increasingly frequent and sophisticated cyberattacks against OT are raising concern all over the world. The aim of the new cybersecurity regulations is to reduce these risks proactively rather than after the fact. Ultimately, only products that are secure by design and by default will be allowed on the market or accepted in procurement.
From voluntary to mandatory requirements and certifications
Some regulation will initially introduce voluntary requirements that become mandatory over time; other regulation will be mandatory from the start.
“In the end, even with mandatory requirements, there might not be a proactive control to confirm that the requirements have been implemented before the product is placed on the market. However, if a cybersecurity incident occurs, a company should expect the competent authorities to knock on the door. Then it will be necessary to prove regulatory compliance to minimize the risk of legal consequences,” Antti Tolvanen explains.
It will not be enough to ensure that the product alone fulfills the given criteria; the hardware and software development processes must also take security into consideration. In certain product categories and industries, accredited security certification of both products and development processes will become mandatory. Security must remain a high priority throughout the entire product lifecycle, including vulnerability handling and security updates after the product has shipped, and in industrial environments that lifecycle can span decades.
“If a company does not care about the upcoming security regulations or product security in general, its business will certainly suffer from lost customers. Regardless of industry and size, every company had better assume that the next product generations need to be secure by design and by default,” Tolvanen says.