Foundries.io, in collaboration with Arduino, has integrated its security software on the Arduino Portenta X8 board. As a result, this module has become the first SoM (System on Module) that complies with the CRA regulations of the European Union. Quite an achievement, and something that will allow the creation of many projects that need to be compatible with this law.
As you know, the Arduino Portenta X8 is a development board like any other Arduino, but it was the first to use an Arm-based processor capable of running the GNU/Linux operating system and with expansion capabilities through plugins known as HAT.
What is CRA?
The Cyber Resilience Act (CRA) aims to protect consumers and businesses that use products or software with digital components by addressing cybersecurity concerns. It seeks to eliminate security deficiencies by introducing mandatory cybersecurity requirements for manufacturers and retailers. The law addresses two main problems:
- The lack of adequate cybersecurity in many products and the inability of users to determine the cybersecurity of the products.
- The CRA will establish harmonized standards, a framework of cybersecurity requirements and obligations for the entire life cycle of products.
When it comes into force, products will carry the CE marking to indicate compliance with the new standards, allowing consumers to make informed decisions about cybersecurity. It will apply to products connected to the Internet, excluding specific cases such as open source software. It is expected to enter into force in early 2024, with manufacturers applying the standards 36 months later. The Commission will periodically review the law.
The new EU CRA regulation specifies the minimum security for all IoT devices in Europe, including:
- Set standards for secure products with digital elements across the EU.
- Require manufacturers to focus on security as a priority.
- Increase user awareness of the importance of cybersecurity features.
- Require Original Equipment Manufacturers (OEMs) to quickly address vulnerabilities in devices already in use.
Cyberattacks have caused costly problems, affecting companies, governments and individuals. The economic losses resulting from the interruption of business operations, theft of confidential data, extortion and damage to business reputation are significant. In addition to direct costs, cyberattacks also generate additional expenses to improve cybersecurity, repair affected systems, and address legal and regulatory consequences. The increasing sophistication of attacks and the wide variety of targets underscore the critical need for effective measures to prevent, detect and mitigate cyber threats. And this is where the CRA comes in.
Details of the Arduino Portenta X8 with CRA
As I have discussed, under upcoming EU regulations, all digital products must meet new security standards, except in specific categories such as certain medical devices, aviation equipment and motor vehicles. Depending on their risk levels, some products will require an independent security assessment. In addition, Original Equipment Manufacturers (OEMs) must ensure that these products pass these security assessments before they can be sold in EU countries, and compliance with this law will be monitored.
In this way, the Arduino Portenta X8 can be certified for products labeled “highly critical” that need additional security. The EU estimates that this new standard could save between 180 and 290 billion euros each year by reducing cyberattacks, since these have become a serious problem for organizations and companies, as well as for individual users.
To ensure that the Arduino Portenta X8 is CRA compliant, Foundries.io and Arduino have collaborated to implement security improvements in this SoM. As you know, Foundries.io is a company that offers cloud-native development and deployment solutions for secure IoT and Edge devices, and is therefore a good ally for Arduino in complying with these European security standards.
Thanks to this collaboration, Arduino Portenta X8 users can manage device security, data protection and software management easily and efficiently in one cloud-based environment. It will also offer additional security against all known forms of cyberattacks and malware, and ensure rapid responses to new vulnerabilities, enabling rapid firmware updates to patch these risks.
The Arduino Portenta X8 offers a set of security features provided by the Linux microPlatform and the FoundriesFactory platform, which include:
- Secure Boot
- A trusted execution environment
- Remote management
- Installing secure keys
- Cloud authentication
- Secure OTA (Over-The-Air) updates with TUF support
- A software bill of materials (SBOM) that is automatically generated after each software update
Not everything is an advantage: this implementation involved some complexity in simplifying the software interface of Foundries.io and the tool known as X8 Board Manager. Even so, they have done a good job here, and the new interface is simple and compatible with the Arduino IDE for developers.
Fabio Violante, CEO of Arduino, said:
“When we deploy Linux-based edge devices, security cannot be an afterthought. That's why we designed the Arduino Portenta X8 with top priority on safety features, from start to finish. This ranges from hardware and firmware to Linux distribution and device management powered by FoundriesFactory. This allowed us to naturally comply with CRA regulations from the beginning.”