
Cybersecurity for embedded systems

Security product development in compliance with laws and standards


Numerous laws specify a wide variety of security requirements for digital, networked products. EU laws formulate binding requirements. 

  • Cyber Resilience Act (CRA)
  • NIS 2 Directive for critical infrastructures or industry-specific regulations
  • Medical Device Regulation (MDR)
  • Radio Equipment Directive (RED)
  • Machinery Directive
  • UNECE R155 and R156
  • Industry-specific requirements (FDA, NIST, BSI, NSH, etc.) and others

The often vague and imprecise requirements imposed by legislators pose a challenge for many manufacturers, and it is not always clear how the compliance requirements of overarching and industry-specific laws relate to each other. 

The regulations leave open how the requirements can be implemented in practice. It is helpful to take a look at the relevant standards – such as IEC 62443 (IT security for industrial communication networks and systems), EN 18031 (cybersecurity for radio equipment), IEC 81001-5-1 (development and maintenance of cyber-secure health software), ISO/SAE 21434 (cyber-secure development, production and operation of road vehicles) or the technical specification TS 50701 (cybersecurity in the railway sector).

 

Three pillars of security engineering

Security engineering does not begin with the development of a product and end with its market launch. For comprehensive cyber resilience, everything from development processes and competence management to system design and decommissioning must be taken into account.
 
We distinguish between three overarching pillars of security engineering:

  • The first pillar is about enabling the organisation. The aim is to implement processes that comply with laws and standards and to equip the development team with the skills they need to develop cyber-secure products. 
  • The second pillar covers classic product development according to the V-model with a design phase, implementation phase, and testing and validation phase.
  • The third pillar is about ensuring secure operation.
 
 

Pillar 1: Enabling

Optimising processes and skills

To optimise your security and development processes, we determine the maturity level of your procedures and provide specific recommendations for improvement based on a gap analysis. Our experienced security consultants support the introduction of compliant processes, for example in accordance with the requirements of the Cyber Resilience Act, and coach your team in all relevant aspects of security engineering. 
 

________

Pillar 2: Security product development

Electronics and software development

Our expert security engineers support you in the effective and compliant development of cyber-secure products – from product classification according to CRA to risk analyses (TARA, IRA, DRA) and documentation. In addition, our pre-qualified solution modules help you accelerate your product development and manage security risks.
 

________

Pillar 3: Secure operation

Monitoring & incident management

We support you in ensuring secure operation with comprehensive managed services such as vulnerability monitoring, Product Security Incident Response Team (PSIRT) and PKI management.
 

 


Good to know: IT security, OT security, embedded security – a distinction

The development and operation of cyber-secure products are subject to different objectives and requirements than those for securing servers or networks.

  • IT security: Securing IT systems and networks against cyber attacks – with the aim of ensuring data flows and communication and guaranteeing the integrity, confidentiality and availability of information.
  • OT security (operational technology): Protection of industrial control systems (ICS), machines and critical infrastructures – with the aim of ensuring the security, function and availability of industrial processes.
  • Embedded security: Securing systems integrated into machines, devices and products – with the aim of ensuring reliability, functional safety and availability. Embedded security is a sub-area of OT security and product security.

Find out more in our knowledge article ‘What is cybersecurity?’

 

Are you equipped for security product development that complies with laws and standards?

Take two minutes to complete the online check here!

Your contact person
Stephan Strohmeier
Head of Safety & Security Solutions

NewTec GmbH
Buchenweg 3
89284 Pfaffenhofen a. d. Roth
Phone +49 7302 9611-0