Author:
Mark Patrick, Mouser Electronics
Date
10/21/2024
PDF
Click image to enlarge
In the ever-evolving landscape of data security, electronics engineers face the daunting task of designing systems that not only stop sophisticated cyber threats but also comply with stringent legislative and regulatory frameworks. This challenging requirement stems from a highly dynamic cyber threat landscape, with organised cyber criminals forever finding new ways to target sensitive data and critical infrastructure.
The cyber threat landscape is both broad and deep, encompassing various types of attacks. Supply chain attacks involve bad actors gaining control of an organisation’s IT infrastructure through third-party vendors. Another prevalent issue is ransomware attacks, where malicious software encrypts files, rendering devices and data inaccessible to users. Additionally, data breaches are a major concern, with cybercriminals targeting organisations to steal sensitive information, including personal data, financial records, and intellectual property.
With such multifaceted cyber threats, the risk to individuals and organisations from inadequate data protection and security is immense. For instance, SolarWinds experienced a high-profile supply chain attack when their routine Orion software update was compromised, resulting in unauthorised access to numerous government agencies and private sector companies.
But this is just one example among the many high-profile cases that show data breaches can be extremely costly. Aside from the financial hit of lost business and higher insurance, data breaches also cause enormous damage to reputation and the erosion of customer confidence, which can take years to regain.
Regulatory Environment
To combat emerging cyber threats, electronics engineers are increasingly turning towards hardware-based security. Hardware-based security is an approach that uses physical components, such as processors, secure chips, or cryptographic modules, to strengthen system defences against threats. Unlike software-based measures, which rely on programs and algorithms, hardware-based security embeds security features within the hardware itself, offering physical protection against specific attacks and resistance to tampering due to its embedded nature.
However, hardware-based system design requires a comprehensive understanding of security and legislative frameworks to ensure that systems and components are secure and that final products or solutions are fully compliant with legal requirements. These standards include the EU Cyber Resilience Act, ISO/IEC, and GDPR, to name a few. So, let us look at some of the key regulations and standards shaping the landscape of hardware-based security to understand how they drive the adoption of more secure measures.
EU Cyber Resilience Act
At a headline level, the EU Cyber Resilience Act (CRA)—which gained formal approval by the European Parliament in March 2024—aims to safeguard consumers and businesses buying or using products with a digital component. Through a set of harmonised rules, it puts in place a series of cybersecurity requirements governing the planning, design, development, and maintenance of such products, with obligations to be met at every stage of the value chain. Its purpose is to enhance cybersecurity for digital products across the EU market and hold manufacturers accountable throughout the product’s life cycle. For engineers, this means integrating robust end-to-end security measures, starting from the design phase through to end-of-life. Compliance with the CRA helps engineers design systems that can withstand sophisticated attacks, protecting both users and critical infrastructure.
With the EU CRA, the certification covers the commercially available product. Typically, the developer conducts a risk-based assessment involving consultation with other relevant standards and guidelines to establish whether a product falls into Default (lower cybersecurity risk), Class I (elevated cybersecurity risk), or Class II (highest cybersecurity risk). The Default category usually covers products such as smart speakers and home thermostats. Class I typically covers products such as Industrial Internet of Things (IIoT) devices or consumer electronics with limited access to sensitive data or critical functions. Meanwhile, Class II typically accounts for higher-risk products such as industrial control systems, servers, and crypto-processors.
As the classes advance, the compliance requirements also increase. At Default, manufacturers can assess their products themselves. However, at Class I, manufacturers must assess their products in accordance with a third-party conformity assessment or an equivalent standard. Class II products must undergo a third-party conformity assessment directly, without the option of using an equivalent standard.
ISO/IEC Standards
International standards like ISO/IEC 27001 provide a comprehensive framework for managing information security risks. These standards help design engineers implement best practices for hardware security, including risk assessment, control implementation, and continuous monitoring. By complying with ISO/IEC standards, engineers ensure that hardware designs follow best working practices and incorporate essential security features, such as encryption, access control, and secure boot processes. This helps to make sure that security considerations are embedded in the design phase, reducing the likelihood of vulnerabilities that could be exploited after deployment.
General Data Protection Regulation
The EU's General Data Protection Regulation (GDPR) focuses on consumer data rights and data handling practices, emphasising the protection of personal data. For hardware engineers, this means designing systems that incorporate data privacy and security by default. This includes implementing data encryption, secure data storage, and robust access controls. Adhering to GDPR is a legal requirement at the application/service level. However, it is crucial to factor it in during the design phase, and the inclusion of essential security components into hardware products can mitigate the risk of potential data breaches.
Incorporating GDPR principles into hardware design can improve user trust and confidence, knowing that their data is handled with the highest standards of privacy and security. This proactive approach also facilitates smoother audits and regulatory reviews, potentially reducing the time and resources spent on compliance-related issues.
Building Blocks for Hardware-Based Design
Security and legislative frameworks provide the principles for effective hardware-based security within electronic systems and components. Adherence can result in creating first-class products with state-of-the-art security performance built in. When it comes to choosing between software and hardware security, hardware-centric measures offer certain advantages that software-led approaches may lack. These advantages include:
• Greater resistance to attacks: this is due to its operation at a lower level, independent of potentially vulnerable software layers.
• Acceleration of the encryption processes: this ensures faster and more secure data handling.
• Ability to isolate critical functions: this prevents unauthorised access, even in the event of software compromise.
Increasingly, many design engineers are looking to source the highest-quality components to implement hardware-based security design and comply with stringent legislative and regulatory frameworks. This requirement is being met by a broad range of technology providers, including Analog Devices, Microchip Technology, NXP Semiconductors, and STMicroelectronics, who aim to provide the building blocks for state-of-the-art hardware-based cybersecurity.
For example, for designers looking to create secure IoT devices, NXP Semiconductors EdgeLock SE050 Plug and Trust Secure Element Family (Figure 1) provides high-grade Common Criteria EAL 6+ and FIPS 140-2 certified security.
Click image to enlarge
Figure 1: NXP’s SE050 EdgeLock plug and trust secure element family
The certified security provides strong protection against multiple attack possibilities and an extended feature set for a broad range of IoT applications. This ready-to-use secure element for IoT devices delivers a root of trust at the IC level, which serves as the cornerstone for establishing a secure foundation in device authentication, particularly crucial in the context of IoT and connected systems. It delivers absolute end-to-end security—from edge to cloud—without implementing security code or handling critical keys and credentials.
Alternatively, Microchip Technology’s SAMA5D4 32-Bit Microprocessors provide high-grade hardware-based security as well as a wide range of core functionality. These MPUs, based on the high-performance and power-efficient Arm Cortex-A5 processor, support graphics processing, offer a wide range of communication outputs with up to 152 I/Os, and come with built-in cryptography and Microchip secure boot capabilities. They represent highly integrated solutions designed to deliver functionality without compromising security. These MPUs are ideally suited for applications such as smart inverters and HMIs, which are often categorised as Class II EU CRA products.
Finally, Swissbit’s PU-50n iShield USB Hardware Security Module (Figure 2) represents another flexible, secure solution.
Click image to enlarge
Figure 2: Swissbit’s iShield USB hardware security module
These USB 3.1 solid-state flash drives, which come with a USB Type-A connector, are designed to provide secure storage and management of cryptographic keys. The PU-50n is a plug-and-play USB security anchor that allows system integrators to upgrade existing AWS IoT Greengrass products with a hardware security module. The presence of this feature makes it the perfect choice for retrofitting finished hardware designs and devices already in the field.
Conclusion
There is little doubt that electronic design engineers face a challenging task when developing products that cope with increasingly sophisticated cyber threats. Furthermore, as cyber threats increase, so does the complexity of legislative and regulatory frameworks aimed at guaranteeing performance and protecting end users.
Standards such as the EU Cyber Resilience Act, ISO/IEC, and GDPR help engineers create the safest and most secure products in this dynamic, ever-changing environment, and following these regulations must be backed by selecting the highest-quality components.
