DeepSec 2024 Talk: “EU Cyber Resilience Act” – Maintain control and not just liability for your products – Michael Walser
The new EU Directive EU 2019/1020, also known as the “Cyber Resilience Act” or “CRA” for short, defines new rules for manufacturers of hardware and software with “digital elements”. For device manufacturers in the medical, industrial and entertainment sectors, the time to act is now. Security updates, vulnerabilities and an extended duty of care for the life cycle are now enforced by law. However, hardware production, such as IoT devices, poses new challenges. What many do not know: Many vulnerabilities are because of physics and are not “bugs” in the conventional sense. As part of the “DeepSec Secure Coding” series, we put the spotlight on the challenges of developing secure hardware and show the vulnerabilities using the example implementation of a bootloader for embedded systems. How to keep control over updates? What is “Secure Boot” and why does the compiler work against the developer?
We asked Michael Walser a few more questions about his talk.
Please tell us the top 5 facts about your talk.
The new EU Cyber Resilience Act will force us to put more maintenance effort into our products. We must care about security risks and, as a result, we face the challenge of opening our systems for future updates and patches. One of the major topics at DeepSec from now on will be “Secure Coding”. This talk is another piece of this puzzle. We do not deal with “general secure coding” here but go back to the – often ignored – basics. Many security problems are not because of the programming, but the hardware used. Physics is a powerful and underestimated opponent, and the compiler is its accomplice. When fighting cyber-attacks, we must consider the hardware that the program runs on. Using the implementation of a sample bootloader, we show the pitfalls and potential solutions. The examples benefit from real-world practical work with our customers. This is the “Secure Coding Hardware Special” only available at DeepSec.
How did you come up with it? Was there something like an initial spark that set your mind on creating this talk?
We do a lot of security consulting for hardware designers. In the process or review of a design, we often see security flaws which result from the implementation and the used hardware. The idea was to put the “top issues” together in a talk to start a discussion on hardware security.
Why do you think this is an important topic?
Forgetting the basics renders most secure coding efforts for designing secure software useless. And therefore it is important to take the hardware and the software into consideration.
Is there something you want everybody to know – some good advice for our readers, maybe?
Wouldn’t it be great if you’d have a basic experience with the C programming language and basic knowledge of how a microcontroller works? And how you can debug it and the running software with JTAG, for example?
We’re also holding the talk on the “Tech Track,” which means it won’t be recorded. So, what we’re talking about stays in the room, which will probably help to start an open and exciting discussion, to which we would like to invite you.
A prediction for the future – what do you think will be the next innovations or future downfalls for your field of expertise / the topic of your talk in particular?
Security is more and more important when designing hardware or the necessary software stack. Topics like “Software Supply Chain”, “Secure Boot” and “Secure Coding” are getting more attention and budget. We have a lot of experience in the field and are learning continuously. We hope we can show the designers that secure coding is just another style of programming and self-criticism but no rocket science.
Michael Walser is a member of the Management Board and the CTO of the Munich-based industrial security company sematicon AG. In this role, he handles the company’s technical strategy and advises customers on the secure implementation of digital transformation in the industrial sector. He is a recognized expert for OT cyber security in industry and KRITIS environments. After graduating in electrical engineering, he worked for many years as a consultant and advisor on successful IT security projects with a focus on cryptography worldwide and handled their implementation.
sematicon AG is a Munich-based company that specializes in industrial security and embedded cryptography. We support you in successfully and securely mastering digital transformation. With a focus on industry and electrical engineering, we offer specialized security solutions that we have developed based on industry requirements. For example, industry experts consider our “Zero Trust” solution for secure and isolated remote access to industrial plants and systems an innovation. We also support and advise you in the planning and implementation of your OT security concepts. We thus offer comprehensive security services for the industrial and electronics sectors from a single source.