Hardware-based security solutions are necessary for electronics engineers to combat evolving cyber threats and to maximise market opportunities in the face of tightening regulations.
In today’s rapidly changing digital landscape, ensuring designs can meet the latest regulatory requirements and sufficiently combat emerging cybersecurity threats is critical to many engineers’ jobs. These demanding requirements arise from an ever-changing cyber threat landscape, where organised cyber criminals are constantly finding new methods to exploit sensitive data and critical infrastructure.
Cyber threats are far-reaching and multifaceted, including a diverse range of attack types. Cybercriminals attack businesses to steal sensitive data, including financial records, intellectual property, and personal information, making data breaches a significant concern. In supply chain attacks, malicious attackers seize control of an organisation’s IT infrastructure by exploiting vulnerabilities in third-party vendors. Ransomware attacks are another prevalent issue, as they can encrypt files and leave devices and data completely inaccessible to users..
With the complex nature of cyber threats and the absence of proper data protection and security, individuals and organisations are exposed to considerable risks, underscoring the need to establish effective security measures. Additionally, as stricter regulations are emerging in key European markets, manufacturers intending to sell in this territory must ensure that their designs comply with new security requirements.
Creating Secure Designs
In order to address the rising cyber threats, electronics engineers are increasingly relying on hardware-based security measures. To strengthen defences against possible attacks, hardware-based security makes use of physical components such as processors, secure chips, or cryptographic modules. Hardware-based security differs from software-based measures by incorporating security features directly into the physical components. This provides enhanced protection against targeted attacks and makes it difficult to tamper with due to its embedded nature.
When deciding between software and hardware security, opting for hardware-centric measures provides several advantages that software-led approaches may not have. Some of these advantages include:
- Ability to isolate critical functions: This ensures that no one can access without authorisation, even if the software is compromised.
- Faster encryption processes: This guarantees safer and quicker data handling.
- Increased ability to withstand attacks: This is a result of the fact that it runs independently of potentially weaker software layers and at a lower level.
Integrating high-performance hardware-based security designs has become a top priority for many design engineers to enhance the security of their designs and ensure compliance with strict legislative and regulatory frameworks. To fulfil this requirement, a diverse array of technology providers, such as Analog Devices, Microchip Technology, NXP Semiconductors, and STMicroelectronics, are supplying the foundational elements for advanced hardware-based cybersecurity.
For instance, Microchip Technology’s SAMA5D4 32-Bit Microprocessors offer robust hardware-based security features and diverse core capabilities. These MPUs are equipped with the advanced Arm® Cortex®-A5 processor, allowing for graphics processing, extensive communication outputs featuring up to 152 I/Os, and integrated cryptography and Microchip secure boot functionalities. These solutions not only offer suitable functionalities but also prioritise a high level of security. These are particularly well-suited for critical applications like smart inverters and Human Machine Interfaces (HMIs)that require enhanced security.
Alternatively, NXP Semiconductors addresses the needs of designers striving for secure IoT devices. Their EdgeLock® SE050 Plug and Trust Secure Element Family provides certified security at the highest level, including Common Criteria EAL 6+ and FIPS 140-2 (Figure 1).
This secure element for IoT devices provides a strong foundation for device authentication by establishing a root of trust at the IC level, ensuring security in the context of IoT and connected systems. It provides a seamless and secure experience, ensuring end-to-end protection without the hassle of security coding or managing critical keys and credentials. Since this secure element complies with many security standards like IEC 62443, DLMS/COSEM, OPC-UA, and ISO15118, users can rest assured knowing that their IoT devices are safeguarded against a multitude of attack scenarios.
Another popular and flexible solution is Swissbit’sPU-50n iShield USB Hardware Security Module (Figure 2).
With a USB Type-A connector, these USB 3.1 solid-state flash drives are specifically engineered to offer secure storage and management of cryptographic keys. By using the PU-50n, system integrators can effortlessly upgrade their AWS IoT Greengrass products with a hardware security module, ensuring enhanced security. This feature makes it the ideal option for adding to existing hardware designs and devices already in use.
Understanding the Regulatory Environment for Hardware-Based Security
Hardware-based security solutions provide a variety of features that can improve the security of a design. However, their implementation requires knowledge of both the hardware and relevant frameworks to ensure that final products or solutions are secure and fully compliant with legal requirements. Electronic security regulations across Asia differ from country to country, with each having its own set of specific standards and compliance requirements. These regulations encompass various aspects, including data protection laws, encryption standards, and industry-specific mandates.
On a broader scale, specific industry ISO/IEC standards must be followed, as along with emerging regulations in territories that are key to many Asian electronic manufacturers. For the countless electronic and digital solutions produced in Asia that are sold in Europe, the introduction of new EU Cyber Resilience Act will significantly impact future designs.
EU Cyber Resilience Act
At a headline level, the EU Cyber Resilience Act (CRA)—which gained formal approval by the European Parliament in March 2024 and is projected to take effect within 36 months—aims to safeguard consumers and businesses buying or using products with a digital component. It applies to any products sold within the EU, regardless of their manufacturing origin.
Implementation of a comprehensive set of standardised regulations establishes a framework of cybersecurity prerequisites that oversee the products’ strategic, conceptual, developmental, and operational aspects., encompassing obligations to be fulfilled throughout the entire value chain. The objective is to strengthen cybersecurity measures for digital products sold into the EU market and enforce accountability for manufacturers throughout the product’s entire life cycle.
For engineers in Asia selling products in Europe, this means integrating robust end-to-end security measures, starting from the design phase to end-of-life. Compliance with the CRA helps engineers design systems capable of withstanding sophisticated attacks, protecting users and critical infrastructure.
Under the EU CRA, the certification covers the commercially available products. The developer typically performs a risk-based analysis, consulting with appropriate standards and guidelines, to determine if the products belong to Default (low cybersecurity risk), Class I (moderate cybersecurity risk), or Class II (high cybersecurity risk).
- Default category: This usually covers products such as smart speakers and home thermostats.
- Class I: Typically cover products such as Industrial Internet of Things (IIoT) devices or consumer electronics with limited access to sensitive data or critical functions.
- Class II: This accounts for higher-risk products, such as industrial control systems, servers, and crypto-processors.
With the advancement of classes, the level of compliance requirements also rises. At Default level, manufacturers can self-assess their products. However, manufacturers in the Class I category must assess their products through a third-party conformity assessment or a comparable standard. Class II products must go through a third-party evaluation directly, and using an equivalent standard is not allowed.
ISO/IEC Standards
Comprehensive guidelines such as ISO/IEC 27001 establish a robust framework to effectively handle the risks associated with the information security. With the support of these standards, design engineers can execute best practices in hardware security, such as risk assessment, control implementation, and continuous monitoring.. By following ISO/IEC standards, engineers can ensure that hardware designs meet best practices and incorporate crucial security features like encryption, access control, and safe boot procedures. This lowers the possibility of vulnerabilities that could potentially be exploited after deployment by embedding security concerns into the design phase.
Conclusion
Engineers face a daunting task in developing products that can withstand ever-evolving cyber threats. As these threats multiply, so does the intricacy of the legislative and regulatory frameworks designed to ensure performance and safeguard end users.
Compliance with regulations such as the EU Cyber Resilience Act is imperative for any applicable product aiming to enter the European market regardless of its origin. These standards offer engineers valuable guidance in developing secure and resilient products in an ever-changing environment, but failure to comply with these standards can result in significant losses in sales and substantial fines.
Adherence to these regulations requires careful selection of high-quality components from trusted distributors, such as Mouser, who stock a wide range of hardware-based security solutions from the world’s leading electronic manufacturers.