03/07/2025
Comply with different Global Cybersecurity Regulations easily by using pre-certified components
Comply with different Global Cybersecurity Regulations easily by using pre-certified components

In our series of posts, we have looked at several different methods device manufacturers can use to comply with global cybersecurity regulations including self-assessment tools and third party assessments. In this webinar, from NXP Semiconductors and Doulos Training, we learn about yet another different approach, device manufacturers can use to comply with global cybersecurity regulations using certified components. The presenters explain how pre-certified components like CPUs, SDKs, Operating Systems, and MCUs can be used to self assess and prove compliance to global cybersecurity regulations.

Webinar Objectives

The webinar’s key objectives were:

  1. To provide an overview of some of the emerging IoT security regulations and standards globally.
  2. To understand the common principles in all the different regulations.
  3. To explain how certified components like MCUs, CPUs, Operating Systems and SDKs can help with compliance to regulations.

Target Audience

The webinar is designed for companies at the beginning of their cybersecurity journey, particularly manufacturers who create products with extensive software features.

The webinar is fairly technical and especially useful to the following roles:

    • Software Developers and Architects: These roles are responsible for  designing the software architecture, and developing the software and security features needed in the product.
    • Engineering and Project Managers: These roles are usually planning the different cybersecurity work including penetration testing, vulnerability management, etc., that are needed for the product.

While it provides a useful overview, this webinar is too technical for non-technical roles like product managers, certification managers, C-suite executives, business owners, supply chain managers, etc.,

 

Presenters and their profiles:

  1. Dr. David Long: Principal Member Technical Staff at Doulos Training, with about 30 years of experience in embedded devices domain . Author of several papers and conference presentations at global technical events.

  2. Carlos Serratos: IoT Certification Expert at NXP Semiconductors and Ecosystem adoption working group chair for GlobalPlatform’s SESIP committee.

Summary of the Webinar

Security Regulations and Requirements

FCC Cybertrust Mark, Radio Equipment Directive and EU Cyber Resilience Act are expected to be the biggest drivers in term of cybersecurity for embedded and IoT products because of the scope of the regulations and the size of the market that is controlled by the regulations.

    • Product Security and Telecommunications Infrastructure (PSTI) in effect for all consumer connected product sold in UK from 2024. PSTI includes only 3 basic requirements.
    • US Cyber Trust Mark (US CTM) is a voluntary program for consumer smart IoT product. Includes both technical requirements and also requirements on processes that the device manufacturer must follow. Expected to come into effect from 2026.
    • Radio Equipment Directive (RED) updated to include the cybersecurity risks associated with product. Applicable for devices capable of communicating via the internet, toys, childcare equipment and wearables. Uses the EN 18031 series of standards for compliance and comes into effect August 2025. It is mandatory for selling a product in the EU.
    • EU Cyber Resilience Act (CRA) applies to any hardware capable of running code and any software that is executed on a hardware. It is mandatory to comply within the EU and comes into effect from 2027. Involves both product related requirements and cybersecurity processes requirements. 

Core Principles in all regulations

All standards affect embedded devices connected to external networks. A vulnerability in any part of the system could threaten the entire ecosystem. 

    • Security by Design forces software engineers to think about security all the way from ideation to retirement of the product. NIST 800-218 provides recommendations for implementing this and helping companies reduce security vulnerabilities in their product. It is important that the Secure Development Life Cycle policy matches with the business requirements of the products in consideration. Creating a threat model and performing a risk analysis is a mandatory step when doing security by design.
    • Vulnerability Management requirements in the different regulations mandate that there are no exploitable vulnerabilities in the product. The manufacturer is expected to have ways where anyone can report vulnerabilities on their products and the manufacturer has methods to communicate about vulnerabilities to the external world and roll out fixes for vulnerabilities.
    • Secure Supply Chain involves several security techniques, beginning with the Chip’s Root-of-Trust provisioning. Software vendor development involves verification of SBOMs and delivering encypted files. The contract manufacturer has their own attestation keys to ensure the devices are programmed in the correct way. During on boarding and registration of the end-device at the end user, the user implements more security in the form of keys on the product.

Technical Requirements

  1. Strong Cryptography ensures that proper encryption, using “state of the art” mechanisms must be used.
  2. Secure Communication ensures that messages are kept secret, the message has not been modified and the message is coming from a trusted source.
  3. Secure Storage ensures that data that is stored in a device is maintained a secret and also is not modified by unauthorized actors.
  4. Access Management ensures that mechanisms are put in place to prevent unauthorized actors from making changes to the cybersecurity posture of a product.
  5. Secure Update Process ensures that products can be securely updated and the patches needed are made “in a timely manner”.

Using pre-certified components

Security by modularity principles explain that any component with a specific security feature will offer the same security feature as a service for the layers on top of it. Serratos explains this with an example of a PLC using the CRA regulation.

The PLC usually includes an operating system, Software Development Kit, MCU, Secure Elements, etc., and falls into the default category under CRA. When each of these sub-components provide evidence of conformance with CRA at different levels, the PLC can easily be self-assessed and declared to be in conformance to the CRA.

Security Evaluation Standard for IoT Platforms (SESIP) is a method for evaluating security for components and modules. It follows the EN 17927 standard from CENELEC.  SESIP certification for IoT components can be used as evidence of compliance to regulations, for risk management and also product differentiation. SESIP certification can be mapped to different standards like EN 18031, NIST 8425 and UNECE WP29.

Conclusions from webinar

    • The core requirements are similar across different global cybersecurity regulations.
    • Developers need new skills to implement the Secure by Design approach
    • Using pre-certified components removes the need for building in-house cybersecurity expertise or working with a third party. Several NXP Semiconductor products are certified for SESIP and can be used for this purpose.

It is crucial to understand that while certified components streamline compliance, they do not eliminate the final manufacturer’s responsibility. The manufacturer must still ensure the component is integrated securely and that the overall product meets all regulatory requirements. The primary benefit is a massive reduction in the initial testing and documentation burden for that specific part of the system.

Other tools and methods available

This webinar was focused on performing conformance assessment using pre-certified components. It helps device manufacturers to comply with different global cybersecurity regulations easily by using pre-certified components. This method comes handy for regulations that allow self-assessment, for example, RED and CRA. For products that are not categorized as Important (Class 1 and Class 2) or Critical, a self-assessment is enough under EU CRA and this could be one way forward for device manufacturers. However, there are several tools under development, both commercial and open source, that can help manufacturers with self assessment. We have covered webinars about CRA-AI, CRACoWi and OCCTET.

In another article, we covered how tools like CRA-AI and OCCTET can be used together with pre-certified components to speed up self-assessment to EU CRA. We discussed how PSA Certified SoCs and MCUs can be used to speed up self-assessment to CRA by combining more than one method.

The method of using pre-certified components, can also come handy when applying for the US Cyber Trust Mark. Based on the SESIP certification on its components, manufacturers can understand what level of testing their product will withstand under the US CTM. Use of pre-certified components can also come handy for Important and Critical product manufacturers under CRA. The fact that pre-certified components have been used in the product designs helps when the notified bodies evaluate the product.

The actual webinar from Doulos and NXP Semiconductor can be watched here: https://register.gotowebinar.com/recording/1014175679673820676

Tags:

Leave a Reply

Your email address will not be published. Required fields are marked *

Related News

PSA Certified Level 2 or higher MCUs can simplify obtaining the FCC Cyber Trust Mark

How to get the US FCC Cyber Trust Mark using PSA Certified MCUs and NIST 8425

28/06/2025
The FCC has chosen NIST 8425 as the standard that IoT manufacturers must comply with for acquiring the US Cyber Trust Mark

How to Get the FCC Cyber Trust Mark: An Analysis of NIST 8425 Requirements

26/06/2025

You may have missed

PSA Certified Level 2 or higher MCUs can simplify obtaining the FCC Cyber Trust Mark

How to get the US FCC Cyber Trust Mark using PSA Certified MCUs and NIST 8425

28/06/2025
The FCC has chosen NIST 8425 as the standard that IoT manufacturers must comply with for acquiring the US Cyber Trust Mark

How to Get the FCC Cyber Trust Mark: An Analysis of NIST 8425 Requirements

26/06/2025
how to Comply with CRA using pre-certified components

Speed up compliance with EU CRA using PSA Certified components

25/06/2025
Nemko Group held a technical deepdive webinar on how EN 18031 standards are used to meet RED cybersecurity requirements

How to use ETSI EN 18031 to meet RED cybersecurity requirements

23/06/2025
Comply with different Global Cybersecurity Regulations easily by using pre-certified components

Complying with Global Cybersecurity Regulations using certified components

23/06/2025
Cyberstand.eu and TIC council explain the role of third party assessment labs in the EU CRA

When do device manufacturers need third party assessment under EU Cyber Resilience Act?

21/06/2025