As cybersecurity risks continue to mount, European regulators are looking to tame this digital frontier, with far-reaching implications for any company with a business footprint in the EU. Two pieces of legislation drive this: the EU Cyber Resilience Act (CRA), expected to be adopted in 2024, and the Network and Information Security 2 (NIS2) Directive, which member states must transpose into national law by October 2024.
To address these challenges and comply with the new requirements, organizations are turning to solutions that improve visibility into, and trust in, their systems and supply chains. These include the software bill of materials (SBOM), the hardware bill of materials (HBOM) and root of trust (RoT) technology, such as the open-source OpenTitan silicon RoT, which has recently achieved commercial availability.
The Cyber Resilience Act
The CRA is proposed legislation, now at an advanced stage of preparation, that will introduce mandatory cybersecurity requirements for products with digital elements, hardware and software alike, throughout their lifecycle.
The aim of the CRA is to reduce the number of products with cybersecurity vulnerabilities on the European market, to improve transparency about security properties for the benefit of consumers, and to make manufacturers responsible for product security for as long as the product is supported.
The EU Commission states that the current proposal is due to come into force in 2024, with 36 months for EU members and affected companies to comply. The CRA will create significant penalties for a lack of compliance with the obligations, with fines of up to €15m ($16.2m) or 2.5% of annual worldwide turnover for the preceding financial year, whichever is greater.
The obligations placed on manufacturers, importers and distributors are significant. Products must be designed and developed in line with the Act's essential cybersecurity requirements, risks must be assessed for the intended purpose and for reasonably foreseeable use, vulnerabilities must be handled throughout the product's lifecycle, and actively exploited vulnerabilities must be reported (under the proposal, to ENISA within 24 hours of the manufacturer becoming aware of them).
NIS2: A More Immediate Concern
On 16 January 2023, EU Directive 2022/2555 (the NIS2 Directive) came into force. The NIS2 Directive must be transposed by EU member states into national law by 17 October 2024, after which time companies in sectors deemed highly critical and critical with operations in the EU will need to be compliant.
Companies in sectors such as energy, transport, banking and finance, health and digital infrastructure that meet the size criteria (broadly, at least 50 employees, or an annual turnover and balance sheet total above €10m) are affected, and some categories, such as DNS providers and trust service providers, are in scope regardless of size.
Companies should also be aware that the NIS2 Directive empowers EU member states to expand the scope of the companies and sectors that must comply at a national level, which is already visible in Germany's draft implementing law.
To achieve compliance, these companies must have measures in place by October 2024, such as business continuity plans, cybersecurity risk management policies and procedures, supply chain security measures, appropriate cybersecurity training for staff, and the ability to meet regulatory audits and incident reporting obligations (an early warning within 24 hours of becoming aware of a significant incident, a full notification within 72 hours and a final report within a month).
As with the CRA, the penalties for failing to comply with the NIS2 Directive are severe: for essential entities, fines of up to €10m ($10.8m) or 2% of the annual worldwide turnover of the company's group, whichever is greater (for important entities, up to €7m or 1.4%), together with the temporary suspension of relevant certifications or authorizations.
In addition, compliance duties are placed directly on management bodies such as company boards and senior executives, who must approve and oversee the risk management measures and undergo training; breaching these duties can result in personal liability.
Enhancing Transparency and Supply Chain Security
At the heart of this cybersecurity paradigm shift are the SBOM and HBOM. These are structured inventories of software and hardware components, including version details, licensing information, origins and dependencies. By providing transparency into the software and hardware supply chains, SBOMs and HBOMs let organizations make informed decisions about the products they deploy and manage potential vulnerabilities effectively. An SBOM is only useful for that purpose if it is machine-readable and complete: in practice that means one of the two dominant formats, SPDX or CycloneDX, with each component carrying a package URL or similar identifier that can be matched against vulnerability databases.
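To make the vulnerability-management point concrete, here is an added example (not code from the original article or from any tool it mentions) in Go that parses a small CycloneDX SBOM and matches its components against a list of advisories by package URL and version. The SBOM contents, package names and advisory identifiers are all constructed for this example and correspond to no real software or vulnerability. The comparison logic also shows two things that trip up naive tooling: versions must be compared numerically rather than as strings, and a component without an identifier cannot be matched at all and should be reported as an SBOM quality gap rather than silently treated as clean.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strconv"
	"strings"
)

// Subset of the CycloneDX JSON schema needed for vulnerability matching.
type cdxComponent struct {
	Name    string `json:"name"`
	Version string `json:"version"`
	PURL    string `json:"purl"` // package URL, e.g. pkg:npm/foo@1.2.3
}

type cdxBOM struct {
	BOMFormat  string         `json:"bomFormat"`
	Components []cdxComponent `json:"components"`
}

// Advisory is a simplified vulnerability record: the affected package (purl
// without version) and the first fixed version. Constructed for the example.
type Advisory struct {
	ID, PackagePURL, FixedVersion string
}

type Finding struct {
	Component, Version, AdvisoryID, FixedVersion string
}

type Report struct {
	Affected     []Finding
	Unidentified []string // components with no purl: cannot be matched at all
}

// splitPURL turns "pkg:npm/foo@1.2.3?arch=x64#sub" into ("pkg:npm/foo", "1.2.3");
// qualifiers and subpath are dropped. purl encodes any '@' inside a name as %40,
// so the last '@' always separates the version.
func splitPURL(purl string) (pkg, version string) {
	if i := strings.IndexAny(purl, "?#"); i >= 0 {
		purl = purl[:i]
	}
	if i := strings.LastIndex(purl, "@"); i >= 0 {
		return purl[:i], purl[i+1:]
	}
	return purl, ""
}

// compareVersions compares dotted numeric versions component-wise, so
// "0.9.4" < "0.10.0" (a plain string comparison gets this wrong).
// Pre-release suffixes are not handled by this simplified comparator.
func compareVersions(a, b string) int {
	as, bs := strings.Split(a, "."), strings.Split(b, ".")
	for i := 0; i < len(as) || i < len(bs); i++ {
		var x, y int
		if i < len(as) {
			x, _ = strconv.Atoi(as[i])
		}
		if i < len(bs) {
			y, _ = strconv.Atoi(bs[i])
		}
		if x != y {
			if x < y {
				return -1
			}
			return 1
		}
	}
	return 0
}

// FindAffected parses a CycloneDX SBOM and reports every component whose
// version is below the fixed version of an advisory for the same package.
func FindAffected(bomJSON []byte, advisories []Advisory) (Report, error) {
	var bom cdxBOM
	if err := json.Unmarshal(bomJSON, &bom); err != nil {
		return Report{}, err
	}
	if bom.BOMFormat != "CycloneDX" {
		return Report{}, fmt.Errorf("unsupported bomFormat %q", bom.BOMFormat)
	}
	var rep Report
	for _, c := range bom.Components {
		if c.PURL == "" {
			rep.Unidentified = append(rep.Unidentified, c.Name)
			continue
		}
		pkg, ver := splitPURL(c.PURL)
		if ver == "" {
			ver = c.Version // fall back to the component's own version field
		}
		for _, adv := range advisories {
			if adv.PackagePURL == pkg && compareVersions(ver, adv.FixedVersion) < 0 {
				rep.Affected = append(rep.Affected, Finding{
					Component: c.Name, Version: ver, AdvisoryID: adv.ID, FixedVersion: adv.FixedVersion})
			}
		}
	}
	return rep, nil
}

// Constructed sample SBOM and advisories (fictional packages, fictional IDs).
const SampleSBOM = `{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "components": [
    {"type": "library", "name": "example-parser", "version": "2.3.1", "purl": "pkg:npm/example-parser@2.3.1"},
    {"type": "library", "name": "netlib", "version": "1.8.0", "purl": "pkg:golang/example.org/netlib@1.8.0"},
    {"type": "library", "name": "tlsbox", "version": "0.9.4", "purl": "pkg:cargo/tlsbox@0.9.4"},
    {"type": "library", "name": "vendor-blob", "version": "1.0"}
  ]
}`

var SampleAdvisories = []Advisory{
	{"EXAMPLE-0001", "pkg:npm/example-parser", "2.4.0"},
	{"EXAMPLE-0002", "pkg:golang/example.org/netlib", "1.8.0"},
	{"EXAMPLE-0003", "pkg:cargo/tlsbox", "0.10.0"},
}

func main() {
	rep, err := FindAffected([]byte(SampleSBOM), SampleAdvisories)
	if err != nil {
		panic(err)
	}
	for _, f := range rep.Affected {
		fmt.Printf("AFFECTED %s %s: %s (fixed in %s)\n", f.Component, f.Version, f.AdvisoryID, f.FixedVersion)
	}
	for _, n := range rep.Unidentified {
		fmt.Printf("UNIDENTIFIED %s: no purl, cannot be matched\n", n)
	}
}
```

Running it flags example-parser and tlsbox, leaves netlib alone because its version equals the fixed version, and lists vendor-blob as unidentifiable. The last case is the one that matters for compliance: an SBOM entry with no identifier gives a false sense of coverage, and the fix is upstream (demand a purl or CPE from the supplier), not in the matcher.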
One significant catalyst for the adoption of SBOMs and HBOMs was US President Joe Biden's Executive Order 14028 on Improving the Nation's Cybersecurity, issued in May 2021. It required suppliers of software to the federal government to provide an SBOM and tasked NIST and the Department of Commerce with defining its minimum elements, laying the groundwork for broader industry adoption. Additionally, US bodies such as the Department of Defense (DOD), General Services Administration (GSA) and NASA have integrated SBOM and HBOM requirements into their procurement processes, further driving adoption across sectors.
The HBOM Framework, published in 2023 by CISA's ICT Supply Chain Risk Management Task Force, is designed to offer a consistent and repeatable way for vendors and purchasers to communicate about hardware components, enabling effective risk assessment and mitigation in the supply chain and boosting resilience.
The Silicon Root of Trust
If SBOMs and HBOMs are the heart of cybersecurity resilience, then the silicon root of trust (SiRoT) is its mind, and that mind is a steel trap.
The SiRoT sits below the operating system in the stack, providing an isolated, hardware-enforced execution environment and a suite of security functions (secure boot, protected key storage, cryptographic operations and attestation) designed to ensure that a system's fundamental components can be trusted from the moment of power-on and throughout its operational lifecycle.
In the context of the CRA, which requires security to be built in from the planning, design and development phases of a product, the SiRoT is the component that anchors those design decisions in hardware rather than in software that can itself be modified.
Manufacturers can use a SiRoT such as OpenTitan to implement secure boot, so that only firmware signed by the manufacturer runs; to measure the software it boots and attest those measurements to a remote verifier, so that unauthorized modifications are detected and can be reported; to keep signing, encryption and device identity keys in hardware where they cannot be extracted by compromised software; and to authenticate software updates before they are applied.
With built-in hardening against side-channel and fault-injection attacks, a well-engineered SiRoT contributes strongly to its host's tamper resistance, making it harder for attackers to compromise the integrity of a product. Because the RoT records what it boots and can attest it, manufacturers can detect and report attempted unauthorized modifications, aligning with regulatory requirements to document and report cybersecurity risks and incidents. One caveat a practitioner should keep in mind: the RoT establishes that the running software is the software the manufacturer signed; it does not make that software free of vulnerabilities, which is why it has to be paired with the SBOM-driven vulnerability management described above.
Additionally, a SiRoT can facilitate secure remote software updates by ensuring that only authenticated and verified images are applied. This supports the requirement that manufacturers make security updates available for the entire support period of a product, and also provides a way to recover to a 'known good' image if a system is compromised through a vulnerability in its higher-level stack that was unforeseen at release. Recovery is not the same as version rollback: secure boot should enforce an anti-rollback floor so that an attacker cannot reinstall an older, validly signed but vulnerable image, which means the known-good recovery image must itself be at or above that floor.
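As an added illustration of the secure-boot, anti-rollback and attestation functions described above, the Go program below models a root of trust in software. It is not OpenTitan code, and its image layout (a 4-byte version, the payload, and an Ed25519 signature over both) is an assumption made for the example; OpenTitan's own manifest format, key hierarchy and fuse-backed counters differ. What it demonstrates is the order of checks a RoT must enforce: authenticate the image before trusting any field in it, then apply the anti-rollback floor using the now-trusted version, then measure what is released for execution so a verifier can later check an attestation. The firmware payloads and nonces are constructed test data.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Image layout, assumed for this example (not OpenTitan's manifest):
//   [4-byte big-endian version][payload][64-byte Ed25519 signature over the rest]
const (
	hdrLen = 4
	sigLen = ed25519.SignatureSize
)

var (
	ErrMalformed = errors.New("image too short")
	ErrSignature = errors.New("signature verification failed")
	ErrRollback  = errors.New("image version below anti-rollback floor")
)

// RootOfTrust models the state a silicon RoT keeps on-chip: the owner's
// immutable code-signing public key, a monotonic anti-rollback floor (fuses or
// OTP in real silicon), a device identity key for attestation, and a log of
// measurements of every image it has verified and released for execution.
type RootOfTrust struct {
	ownerKey     ed25519.PublicKey
	minVersion   uint32
	deviceKey    ed25519.PrivateKey
	measurements [][32]byte
}

func GenerateKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

func NewRootOfTrust(owner ed25519.PublicKey) *RootOfTrust {
	_, dev := GenerateKey() // device identity, provisioned once at manufacture
	return &RootOfTrust{ownerKey: owner, deviceKey: dev}
}

// BuildImage is the manufacturer's release step. Version and payload are signed
// together, so an attacker cannot bump the version field of an old image.
func BuildImage(owner ed25519.PrivateKey, version uint32, payload []byte) []byte {
	body := make([]byte, hdrLen, hdrLen+len(payload)+sigLen)
	binary.BigEndian.PutUint32(body, version)
	body = append(body, payload...)
	return append(body, ed25519.Sign(owner, body)...)
}

// VerifyAndBoot is the secure-boot gate: authenticate, then anti-rollback,
// then measure and advance the floor. Nothing in the image is trusted before
// the signature check passes.
func (r *RootOfTrust) VerifyAndBoot(img []byte) ([32]byte, error) {
	var none [32]byte
	if len(img) < hdrLen+sigLen {
		return none, ErrMalformed
	}
	body, sig := img[:len(img)-sigLen], img[len(img)-sigLen:]
	if !ed25519.Verify(r.ownerKey, body, sig) {
		return none, ErrSignature
	}
	v := binary.BigEndian.Uint32(body)
	if v < r.minVersion {
		return none, ErrRollback
	}
	r.minVersion = v
	m := sha256.Sum256(body)
	r.measurements = append(r.measurements, m)
	return m, nil
}

// Attest returns a quote (nonce || measurement log) signed with the device key.
func (r *RootOfTrust) Attest(nonce []byte) (devicePub ed25519.PublicKey, quote, sig []byte) {
	var buf bytes.Buffer
	buf.Write(nonce)
	for _, m := range r.measurements {
		buf.Write(m[:])
	}
	return r.deviceKey.Public().(ed25519.PublicKey), buf.Bytes(), ed25519.Sign(r.deviceKey, buf.Bytes())
}

// CheckQuote is the verifier side: the signature must verify under the device
// key, the nonce must be the one the verifier issued (freshness), and the
// measurements must match the firmware the verifier expects to be running.
func CheckQuote(devicePub ed25519.PublicKey, nonce []byte, expected [][32]byte, quote, sig []byte) bool {
	var want bytes.Buffer
	want.Write(nonce)
	for _, m := range expected {
		want.Write(m[:])
	}
	return bytes.Equal(quote, want.Bytes()) && ed25519.Verify(devicePub, quote, sig)
}

func main() {
	ownerPub, ownerPriv := GenerateKey()
	rot := NewRootOfTrust(ownerPub)
	v2 := BuildImage(ownerPriv, 2, []byte("firmware v2"))
	m, err := rot.VerifyAndBoot(v2)
	fmt.Printf("boot v2: err=%v measurement=%x...\n", err, m[:4])
	tampered := append([]byte(nil), v2...)
	tampered[hdrLen] ^= 1 // flip one payload byte
	_, err = rot.VerifyAndBoot(tampered)
	fmt.Println("boot tampered v2:", err)
	_, err = rot.VerifyAndBoot(BuildImage(ownerPriv, 1, []byte("firmware v1")))
	fmt.Println("boot signed-but-old v1:", err)
	nonce := []byte("verifier nonce")
	pub, quote, sig := rot.Attest(nonce)
	fmt.Println("attestation valid:", CheckQuote(pub, nonce, rot.measurements, quote, sig))
}
```

The three failing boots in main are the cases the text describes: a modified image fails authentication, a validly signed but older image is refused by the anti-rollback floor, and an attestation only verifies when the measurements match what the verifier expects for the nonce it issued. Note that the floor here advances on every successful boot; a real device advances it deliberately (for example by burning a fuse once a new version has been confirmed working), precisely so that a recovery image at the current floor remains bootable.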
Bringing it all Together
The convergence of SBOMs, HBOMs and SiRoTs mitigates cybersecurity risk by addressing vulnerabilities at different layers of the hardware and software stack. Adopting these measures helps organizations comply with evolving regulatory requirements that focus on the security of deployed systems, such as NIS2.
For manufacturers, adopting SBOMs and HBOMs enables them to comply with regulatory requirements such as the forthcoming CRA, enhance their supply chain security, and demonstrate commitment to cybersecurity best practices. By incorporating SiRoT technology into their products, manufacturers can significantly strengthen their defenses against cyber threats, safeguarding their assets and customers' trust.
For end-users, the adoption of SBOMs, HBOMs and SiRoTs represents a beneficial step change in the security and integrity of the products they use, and will go a long way towards instilling confidence in the manufacturers embracing them. With greater transparency about software and hardware components, reinforced by the public scrutiny that open-source designs such as OpenTitan invite, users can make informed decisions about their digital investments and take proactive measures to protect their data and privacy.