Ensuring Compliance for Critical Devices For the Cyber Resilience Act
December 12, 2022
The Cyber Resilience Act brings new requirements for IoT devices in Europe. Find out how TrustInSoft can help you meet them and put you ahead of the curve.
Table of Contents
- Introduction
- Breakdown of Objectives
- Cyber Resilience Act Classes
- How TrustInSoft Analyzer Can Help
- How to Go Beyond Compliance
Introduction
The Cyber Resilience Act, proposed on September 15, 2022, is an act that sets out to define “essential cybersecurity requirements and obligations” in Europe for IoT devices.
This act addresses the growing number of cyberattacks and the rising costs companies incur to combat them. These security compromises have consequences for private citizens and for companies that handle sensitive data. The proliferation of connected devices is also a concern because it enlarges the attack surface: more connectivity means more room for attackers to find vulnerabilities to exploit.
This proposal is an important development in IoT security because little regulation of this kind previously existed in Europe on a large scale. Previous regulations included the NIS 2 (an update from the original NIS directive in 2016), recently updated in 2021. This directive was very general and oriented towards networks and information systems, so it isn’t as easily applicable to IoT devices.
The Cyber Resilience Act proposal includes new cybersecurity requirements for devices with digital elements. With current technology, however, much more is possible, and consumers and manufacturers are likely to demand higher standards.
Breakdown of the 4 main objectives of the Cyber Resilience Act
The Cyber Resilience Act was created with 4 main objectives:
- Ensure that manufacturers improve the security of products with digital elements from the design and development phase and throughout the whole life cycle;
- Ensure a coherent cybersecurity framework, facilitating compliance for hardware and software producers;
- Enhance the transparency of security properties of products with digital elements; and
- Enable businesses and consumers to use products with digital elements securely.
These objectives will help companies to start putting cybersecurity at the beginning of their projects and adopt a security-by-design mindset. This will benefit manufacturers and consumers alike.
The Cyber Resilience Act also has 6 annexes that help define more specifically which new expectations will be in place for different digitally connected products. Discover the content of these annexes by downloading them here: https://digital-strategy.ec.europa.eu/en/library/cyber-resilience-act.
Cyber Resilience Act Classes
The Cyber Resilience Act defines 3 classes of devices, with requirements of varying stringency.
Class I covers products with lower cybersecurity risk than Class II (more info in Annex 3), including password managers, remote access software, browsers, etc.
Class II includes higher-risk products with digital elements that require critical cybersecurity assurance. These could include hypervisors, modems, operating systems, routers, etc.
Class III contains 90% of devices and applications that are not considered cybersecurity critical and will be self-assessed by the companies themselves.
TrustInSoft is particularly recommended for higher security classes.
How TrustInSoft Analyzer Can Help
Security By Design
TrustInSoft Analyzer supports safe coding practices from the conception of the source code through to exhaustive testing of all possible inputs. It allows developers and testers to easily use the power of formal methods to guarantee the safety and cybersecurity of their code while they design and develop the software. This analysis enables them to exhaustively detect and fix undefined behavior such as buffer overflows, uninitialized variables, divisions by zero, and signed overflows. These defects can cause applications to behave unpredictably and are typically the type of vulnerabilities exploited by hackers. The analysis techniques, backed by mathematical techniques called formal methods, discover these dangerous vulnerabilities early in the development process. This helps companies avoid brand image crises following exploits of bugs and vulnerabilities in the field that were not detected during standard software testing and verification processes.
Securing Connected Devices
Think about the number of connected devices you’ve already interacted with today.
These could be everyday devices like cell phones, smart watches, smart meters, routers, modems, smart robots, or smart home devices.
This also includes devices that are more invisible to the public such as microcontrollers, OS, HSM, smart cards, and embedded devices using C/C++.
All of these devices could be susceptible to cyberattacks and to software bugs that cause unexpected outcomes. Potential vulnerabilities in the underlying low-level software of those devices could allow hackers to break into health devices such as pacemakers, or to retrieve personal information from cell phones.
Ensuring safety is critical, and TrustInSoft Analyzer helps you secure connected devices and low-level code written in C or C++, making use of formal methods to exhaustively test all code values during the early phases of software development and testing. You can even obtain a mathematical guarantee that the software implementation behaves exactly as per its specification for components that require the highest levels of cybersecurity.
Protection of the integrity of stored and transmitted data
Testing for irregularities helps ensure that hackers do not have a gateway into the source code. TrustInSoft helps you find every bug that could allow a hacker to alter stored and transmitted data within an application.
This way, you know that the ever-growing amount of data that is stored is safe from hackers with malicious intent.
The fact of the matter is that every business is at risk of having their data compromised if their source code is not well protected, even small businesses.
Provide means for regular testing and reviews of product security
TrustInSoft Analyzer not only lets you run your own test suites for exhaustive static analysis but also offers input generalization. You can use the tool to speed up the testing process by testing all possible inputs, thus eliminating the possibility of unexpected and unpredictable program behavior. It can be easily integrated into the CI to run tests at every new software commit.
No news is good news: helps you have nothing to report
Under this new act, manufacturers will have to publicly report their vulnerabilities. You can eliminate the possibility of having to report vulnerabilities in your devices by identifying the bugs before they end up in the shipped product.
TrustInSoft Analyzer allows you to get mathematically guaranteed proof that your software does not contain any vulnerabilities.
Keep your reputation positive and avoid having to make these communications.
TrustInSoft can help you be compliant with all the Cyber Resilience Act objectives.
There’s More to Do: How to Go Beyond Compliance
The scope of the Cyber Resilience Act is a great start. There are ways to position your software and products to meet the guidelines of tomorrow.
With TrustInSoft Analyzer you can get ahead of the curve and go far beyond these basic regulations. These requirements are only the tip of the iceberg.
With this in mind, you must also consider that, given the rapid pace of technology and innovation, these standards will simply not be enough to truly ensure cybersecurity for these industries. The growth and needs of the market will expand much more quickly than the regulation.
You can easily meet these requirements and go much further with a secure development life cycle and exhaustive testing that is made accessible to development and testing teams using formal methods along with static and dynamic testing techniques.
Going beyond the CRA for greater software security and safety: what else can be done
Fortunately, IoT devices that were not previously regulated now need to be compliant with this new cybersecurity standard, to better protect companies and consumers from costly cyberattacks.
This new regulation serves as a baseline for hardening the cybersecurity of connected products.
What else can/should companies do to protect themselves and consumers?
Motivations for security shouldn’t be exclusively regulatory. Regulations are the bare minimum requirements and are often behind by several years once they are finally enforced, especially in a growing tech economy.
To achieve a high level of protection, it’s a must to exhaustively eliminate the vulnerabilities at the source. Undefined behavior such as buffer overflows, uninitialized variables, divisions by zero, and signed overflows are typically the type of bugs that hackers exploit to get access to secret data, take control of the software remotely, and execute their own code instead of the code initially planned. Undefined behavior is hard to detect with standard testing processes. When a test campaign is run with standard methods and tools for a certain number of inputs (e.g. typical values and values at the limits), these bugs may remain undetected. They may then appear suddenly in the field because of a different memory environment, even for a specific input that was tested and marked as “all fine” during the test campaign. Hackers will also do their best to find inputs that software teams have forgotten to test and that create unexpected behavior they can take advantage of.
It’s therefore a must to exhaustively test your software with formal methods to test all possible inputs and make sure that vulnerabilities are exhaustively detected.
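The gap described above, between a passing test campaign and undefined behavior that is still present, shown as an added C example (not TrustInSoft code or tool output; the function names, status codes and sample values are constructed for illustration). `average_unchecked` is correct for typical and at-the-limit inputs yet is undefined for others, while `average_checked` guards each operation before performing it.

```c
#include <limits.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed example: averages sensor samples on a hypothetical device. */

/* Unchecked: correct for the inputs a typical test campaign tries, but
 * undefined for count == 0 (division by zero) and for samples whose
 * running sum leaves the int range (signed overflow). */
int average_unchecked(const int *samples, int count)
{
    int sum = 0;
    for (int i = 0; i < count; i++)
        sum += samples[i];          /* UB if the sum leaves [INT_MIN, INT_MAX] */
    return sum / count;             /* UB if count == 0 */
}

enum avg_status { AVG_OK = 0, AVG_BAD_INPUT = -1, AVG_OVERFLOW = -2 };

/* Checked: every operation that could be undefined is guarded first. */
enum avg_status average_checked(const int *samples, size_t count, int *out)
{
    if (samples == NULL || out == NULL || count == 0 ||
        count > (size_t)INT_MAX)
        return AVG_BAD_INPUT;

    int sum = 0;
    for (size_t i = 0; i < count; i++) {
        int s = samples[i];
        /* Test the addition against the int range before performing it. */
        if ((s > 0 && sum > INT_MAX - s) || (s < 0 && sum < INT_MIN - s))
            return AVG_OVERFLOW;
        sum += s;
    }
    *out = sum / (int)count;        /* count is in 1..INT_MAX here */
    return AVG_OK;
}

int main(void)
{
    const int typical[] = {10, 20, 30};
    const int untested[] = {INT_MAX, 1}; /* only passed to the checked version */
    int avg = 0;

    printf("unchecked, typical input: %d\n", average_unchecked(typical, 3));
    printf("checked, untested input: %d\n", average_checked(untested, 2, &avg));
    printf("checked, empty input: %d\n", average_checked(typical, 0, &avg));
    return 0;
}
```

The unchecked function is never called on the overflow or empty inputs here, because its result on them is undefined and can differ between compilers, optimization levels and memory layouts.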
Security is first and foremost a business necessity. IoT devices represent:
- Compelling targets for hackers
- Potential damages of all kinds
  - Political
  - Financial
  - Espionage
  - Terrorism
- Disastrous reputational and financial damages, i.e., litigation in cases of exploited security breaches
Start from the beginning by ensuring connected device software is immune to cyberattacks with true security by design at the source code level. By checking for and solving vulnerabilities earlier in the development process, you can help secure your devices from their foundations. Following a software verification process that supports thorough testing of the source code is key to this approach.
TrustInSoft Analyzer can help take your cyber compliance goals to the next level by protecting your company from the financial and brand risks associated with cyberattacks. Its exhaustive static analysis is based on formal methods and tests the superset of all possible code values. With no false negatives and few to no false positives, you can eliminate vulnerabilities in your source code before they are ever released into the field and exploited in a cyberattack.