Pairing critical cybersecurity regulations with trusted computing
As IoT networks continue to grow exponentially, so too does the threat landscape. A wave of new security-focused regulation across Europe aims to mitigate future damage and to enable businesses to make informed decisions when fortifying their infrastructure.
By Thorsten Stremlau, Marketing Work Group Co-Chair, Trusted Computing Group (TCG) and Systems Principal Architect, NVIDIA
An enhanced directive for Europe
That isn’t to say there wasn’t legislation in place across the continent already. In July 2016 the European Union (EU) adopted the Network and Information Systems (NIS) Directive to improve the security of network and information systems, with stronger security requirements for critical infrastructure and essential services.
Based on the experience of applying NIS, by July 2020 the European Commission was already launching a consultation on reform. Several areas for improvement were identified, including the limited scope of the legislation, inconsistent implementation across EU member states, and poor enforcement of its provisions.
The resulting NIS2 Directive entered into force in January 2023. Addressing the earlier problems of clarity and scope, NIS2 classifies organisations into two categories: essential and important entities. Organisations in sectors critical to societal and economic activity, such as energy, transport, banking, and healthcare, are essential entities; sectors such as postal and courier services, waste management, manufacturing, and food fall under the second category.
Ensuring optimal protection
Another anticipated piece of legislation from the European Commission is the proposed Cyber Resilience Act (CRA). With the rising number of ‘smart’ devices across Europe, the CRA will impose essential security-related obligations on manufacturers, importers, and distributors of products ‘with digital elements’, including software, hardware, and any remote data processing necessary for the product to perform its functions.
The CRA covers a wide range of products, from identity management software, password managers, and biometric readers to smart home assistants and private security cameras. Under the Act, any entity that substantially modifies a product takes on the manufacturer’s obligations for it, underscoring the broad scope and impact of the new regulation.
Much like NIS2, categorisation is key. The CRA places products in three categories according to their criticality. Products deemed important or critical may need a conformity assessment by an independent body, while the rest can undergo a lighter, manufacturer-led process resulting in a self-declaration of conformity.
The penalties for non-conformance
Under Article 23 of NIS2, a significant incident must be reported with an early warning within 24 hours of the entity becoming aware of it. A fuller incident notification must follow within 72 hours, and a final report covering the extent of the attack and the preventative measures being put in place to protect systems is due within a month of that notification. Businesses should also expect regular requests for information and both on-site and off-site security audits.
The scope and scale of the penalties should provide a firm deterrent to negligence. Essential entities face fines of up to €10 million or 2% of global annual turnover, whichever is higher; for important entities the ceiling is slightly lower, at €7 million or 1.4% of global annual turnover. The CRA’s penalties are higher still.
Non-compliance with the CRA’s essential cybersecurity requirements, or with the manufacturer obligations attached to them, carries fines of up to €15 million or 2.5% of total worldwide annual turnover (whichever is higher). Breaches of the Act’s other obligations by manufacturers, importers, and distributors carry fines of up to €10 million or 2% of total worldwide annual turnover (again, whichever is higher).
Radio-specific security
Radio and wireless equipment is largely covered by the regulatory framework of the Radio Equipment Directive (RED). Article 3.3(e), for example, concerns the protection of personal data and privacy: devices must be built with measures that prevent unauthorised access to, or transmission of, a user’s sensitive data. Article 3.3(f) addresses fraud in electronic payments and monetary transfers, requiring manufacturers to include fraud-protection features. In practice this is understood to mean technical measures such as integrity control and integrity validation, and enabling supervisory controls and remediation activities.
While the RED’s cybersecurity requirements apply from August 2025, the requirements for products with digital elements under the CRA are expected to surpass them and may eventually lead to the repeal of the RED delegated act for products covered by the CRA.
Setting the standard
These acts represent a strong effort to enhance device security within Europe, but businesses can still do more. For the best device protection, they should adopt internationally recognised standards and specifications, including those from bodies such as the Trusted Computing Group (TCG). The cornerstone of device security is trust: manufacturers, operators, and retailers must be able to assure end users of the integrity of their devices, which means protecting them from compromise and ensuring they behave predictably.
By adopting the latest standards, specifications, components, and technologies designed to make computing more secure, whether through hardware upgrades or software changes, businesses can ensure that their devices boot and operate only in the way they expect. These technologies also let users protect sensitive data, determine exactly which software is running on a device, and, through attestation, refuse to exchange data with a system that cannot prove it is uncompromised.
Solutions for a strong root of trust
Certain technologies enabling trusted computing are already commonplace. The Trusted Platform Module (TPM), for example, is a cryptographic processor that can act as the root of trust for the device it is part of. A TPM helps to protect a user’s identity and data by holding the keys used for encryption, decryption, and authentication. During boot, a measurement of each stage is recorded in the TPM’s Platform Configuration Registers (PCRs), and a key sealed to a set of PCR values can only be used if the device is in that known-good state. The TPM also signs and verifies data, which lets the device prove its state to a remote party.
Businesses can also use the Device Identifier Composition Engine (DICE) to enhance device security. Offering capabilities similar to a TPM’s but for smaller devices, DICE keeps a foundational Unique Device Secret (UDS) in hardware and derives a distinct secret for each software layer, one-way, from the secret of the layer below and a measurement of the layer’s own code. If an attack compromises a particular layer, its secret cannot be used to recover the secrets of the layers beneath it, and modified code receives a different secret, so it cannot impersonate the trusted version; the potential damage is contained. DICE’s layered approach also helps with recovery after a compromise: patching a layer changes its measurement and therefore re-keys it, and every layer above it, automatically.
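As an added example (not code from the article, from TCG, or from any product), the following Python models the two key hierarchies described above side by side: a TPM-style PCR that records boot measurements and gates the release of a sealed secret on them, and a DICE chain that derives each layer's secret from the one below it. The layer images, the UDS value and the sealing model are constructed for illustration; a real TPM encrypts sealed data under a chip-resident key rather than merely recording a policy, and DICE derives asymmetric DeviceID/Alias keys rather than the symmetric stand-in used here.

```python
"""Model of TPM-style measured boot and DICE layered key derivation.

Added illustration only; not TCG reference code. Uses only the standard library.
"""
import hashlib
import hmac
from typing import List, Optional, Tuple

# Constructed sample "firmware" images for a three-layer boot: the first
# mutable code the ROM verifies, a bootloader, and the application.
LAYERS = [b"first-mutable-code v1", b"bootloader v1", b"application v1"]

# Constructed Unique Device Secret. On a real part this is burned into the
# silicon and readable only by the immutable DICE engine, never by software.
UDS = hashlib.sha256(b"example-uds-do-not-use").digest()


def measure(code: bytes) -> bytes:
    """Measurement of a layer: the SHA-256 digest of its code image."""
    return hashlib.sha256(code).digest()


# ---- TPM-style measured boot: record measurements, gate key use on them ----

def pcr_extend(pcr: bytes, measurement: bytes) -> bytes:
    """TPM2_PCR_Extend semantics: PCR_new = H(PCR_old || measurement).

    Extend is one-way and order-sensitive, so software cannot rewrite the
    record of what ran before it; it can only append to that record.
    """
    return hashlib.sha256(pcr + measurement).digest()


def boot_pcr(layers: List[bytes]) -> bytes:
    """Final PCR value after every layer has been measured into one PCR."""
    pcr = bytes(32)  # PCRs are reset to zero at power-on
    for layer in layers:
        pcr = pcr_extend(pcr, measure(layer))
    return pcr


def seal(secret: bytes, expected_pcr: bytes) -> Tuple[bytes, bytes]:
    """Bind a secret to the PCR value under which it may be released.

    Model only: a real TPM encrypts the secret under a key that never leaves
    the chip and stores the PCR policy with it; here just the policy is kept.
    """
    return (expected_pcr, secret)


def unseal(blob: Tuple[bytes, bytes], current_pcr: bytes) -> Optional[bytes]:
    """Release the secret only if the platform is in the sealed-to state."""
    expected_pcr, secret = blob
    if not hmac.compare_digest(expected_pcr, current_pcr):
        return None
    return secret


# ---- DICE: derive each layer's secret from the one below it ----

def dice_chain(uds: bytes, layers: List[bytes]) -> List[bytes]:
    """Compound Device Identifiers (CDIs), one per layer.

    CDI_0 = HMAC(UDS, H(layer_0)); CDI_n = HMAC(CDI_{n-1}, H(layer_n)).
    HMAC is one-way, so holding CDI_n reveals neither CDI_{n-1} nor the UDS,
    and any change to layer_n's code yields a different CDI from n onward.
    """
    cdis = []
    secret = uds
    for layer in layers:
        secret = hmac.new(secret, measure(layer), hashlib.sha256).digest()
        cdis.append(secret)
    return cdis


def layer_identity_key(cdi: bytes) -> bytes:
    """Per-layer key derived from its CDI. A symmetric stand-in for the
    asymmetric identity keys DICE actually derives; the derivation is the point."""
    return hmac.new(cdi, b"identity-key", hashlib.sha256).digest()


def first_changed_layer(chain_a: List[bytes], chain_b: List[bytes]) -> Optional[int]:
    """Index of the first layer whose CDI differs between two boots, or None."""
    for i, (a, b) in enumerate(zip(chain_a, chain_b)):
        if a != b:
            return i
    return None


def main() -> None:
    good_pcr = boot_pcr(LAYERS)
    blob = seal(b"disk-encryption-key", good_pcr)
    tampered = LAYERS[:2] + [b"application v1 + implant"]
    print("TPM unseal, trusted boot:  ", unseal(blob, good_pcr) is not None)
    print("TPM unseal, tampered boot: ", unseal(blob, boot_pcr(tampered)))

    good = dice_chain(UDS, LAYERS)
    print("DICE: first layer re-keyed by the implant:", first_changed_layer(good, dice_chain(UDS, tampered)))
    # Patching the bootloader re-keys it and everything above it automatically.
    patched = [LAYERS[0], b"bootloader v2", LAYERS[2]]
    print("DICE: first layer re-keyed by the patch:  ", first_changed_layer(good, dice_chain(UDS, patched)))


if __name__ == "__main__":
    main()
```

Running it shows the two models reacting to the same implanted application: the TPM model refuses to unseal because the final PCR no longer matches, while the DICE model leaves the first two CDIs untouched and changes only the application's, which is why an attacker who owns the application layer still cannot present the bootloader's identity. Replacing the bootloader image shifts the first changed index to 1, which is the automatic re-keying the text refers to.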
Making systems more resilient
For businesses looking to reduce the likelihood of malware persistence, the Cyber Resilient Module and Building Block Requirements (CyRes) specification is essential. CyRes establishes three key principles: protection of updatable code and data, detection of corruption, and reliable recovery. It helps to identify and fix misconfigured or unpatched code and to deploy trusted updates, so that a compromised or corrupted device can be returned to a known-good state.
Adopting specifications like TPM, DICE, and CyRes gives businesses the best chance of meeting the stringent requirements set out by current and future legislation. They also provide the fundamental building blocks of device security from which a strong line of defence can be established. Together, standards and legislation put businesses in the best possible position to mitigate attacks and keep their secrets and operations secure.
This article originally appeared in the November'24 magazine issue of Electronic Specifier Design – see ES's Magazine Archives for more featured publications.