Techtalk Special

Cyber Resilience Act - Security requirements for embedded Linux systems

The increasing networking of devices and the growing use of IoT technologies present ever greater cybersecurity challenges for companies that develop electronic products.


With the increasing networking of devices and the growing use of IoT technologies, companies that develop electronic products are facing ever greater challenges in the area of cybersecurity. The EU's Cyber Resilience Act (CRA), which will come into force from 2027, aims to increase the security of digital products and sets out detailed requirements that manufacturers of embedded systems must meet.

An overview

Cyber Resilience Act (CRA)

The Cyber Resilience Act was introduced to improve the cybersecurity of “products with digital elements”. These products may be connected to other devices or networks and are therefore exposed to potential cyberattacks. The CRA stipulates that cybersecurity must be taken into account not only during product development, but throughout a product's entire lifecycle.

The key requirements of the CRA include:

  • Security by design: Products must be developed according to the principle of “security by design”. This means that cybersecurity measures must be integrated from the very beginning of development.
  • Software Bill of Materials (SBoM): Manufacturers must provide a detailed list of all software components used in order to make it easier to identify vulnerabilities.
  • Continuous security updates: Manufacturers must be able to quickly close security gaps and provide appropriate updates throughout the entire life cycle of a product.
  • Protection against unauthorized access: Products must contain mechanisms that prevent unauthorized persons from accessing systems and data.
  • Reporting requirements: If a security vulnerability is detected, it must be reported to the relevant authorities within 24 hours and users must be informed within 72 hours.

The CRA also requires that products be designed and produced in such a way that they have no known vulnerabilities, have a secure default configuration and are continuously monitored. For companies, this means that they must ensure ongoing cybersecurity not only in the development phase but also during the ongoing operation of a product.

GELin

Security and maintenance for embedded Linux systems

For over 15 years, Ginzinger electronic systems has been providing a Linux-based platform designed to meet the specific requirements of embedded systems that helps companies meet the CRA's requirements: the GELin embedded systems software distribution.
GELin offers a variety of features that enable manufacturers to design their products to be secure and easy to maintain. A central component is the automated monitoring of the software used for vulnerabilities. This continuous monitoring ensures that security vulnerabilities are detected and closed at an early stage.


“From the very beginning, the Ginzinger Embedded Linux Distribution GELin was designed in such a way that the root file system (the main directory containing programs and data required for the system) is very small and contains only the bare essentials to make the system functional. The advantages of this are, in addition to the lower memory consumption, above all the reduced attack vectors for potential hackers. In addition to GELin, the bootloader and kernel are also maintained for a long time precisely because of the security aspect, which is only done to a very limited extent with manufacturer-specific kernels. That's why we also provide LTS (long term support) mainline kernels for each platform.”

Stefan Schöfegger
Head of development

In addition, GELin is designed to generate the Software Bill of Materials (SBoM) required by the CRA. This SBoM lists all software packages and their dependencies, so that manufacturers always know which components are integrated into the system and which vulnerabilities may need to be addressed. Another important aspect is the provision of security updates. GELin makes it possible to distribute security updates quickly and easily. Security vulnerabilities can thus be closed quickly without affecting the functionality of the product. This meets the CRA's requirements for regular product maintenance and care. In addition, GELin supports secure boot processes and a read-only file system that protects against unauthorized changes. These measures help to prevent unauthorized access and ensure the integrity of the system.

Implementation of the security requirements with GELin

For companies that rely on embedded Linux systems, implementing the requirements of the Cyber Resilience Act is a complex task. Ginzinger offers a platform, GELin, that already has many of the security mechanisms required by the CRA integrated by default. This makes it easier for companies to implement a security-by-design concept and make their products secure. Continuous security updates and checks of the software components used are already carried out as part of the GELin maintenance contracts.


Ginzinger Embedded Linux

“Although we are not yet 100% CRA-compliant, we are already on the right track. Thanks to GELin, we are already in an excellent position. A software license bill of materials (BOM) has been available in Ginzinger's distribution for many years, as has monthly security monitoring. Of course, further measures are required to fully comply with the legal requirements, including daily security monitoring, an SBOM in SPDX or CycloneDX format, and standardized processes in accordance with IEC 62443. We will implement the required features in due time.”

Henri Roosen
Software development
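The text above describes what an SBoM is for (a list of all packages and their dependencies, so that the manufacturer can see which vulnerabilities need addressing) and mentions SPDX and CycloneDX as the formats that will be required. The following is an added illustration, not GELin's or Ginzinger's own tooling: it reads a constructed package inventory in the stanza style used by opkg/dpkg status files, emits a small CycloneDX-style JSON document (a subset of the fields, assumed from the CycloneDX 1.5 JSON layout), and then cross-checks the components against constructed advisory records. The package names, versions and advisory IDs are all made-up sample data, not real CVEs or a real GELin release.

```python
"""Build a minimal CycloneDX-style SBOM from a package inventory and check it
against advisories. Added example; sample data is constructed, IDs are placeholders."""
import json

# Constructed inventory in opkg/dpkg "status" stanza form: one blank line between packages.
PACKAGE_STATUS = """\
Package: busybox
Version: 1.36.1
Depends: libc6

Package: openssl
Version: 3.0.13
Depends: libc6

Package: libc6
Version: 2.39
Depends:

Package: dropbear
Version: 2022.83
Depends: libc6, zlib

Package: zlib
Version: 1.2.13
Depends: libc6
"""

# Constructed advisories (placeholder IDs, not real CVEs): a package is affected
# when its installed version is older than the version the fix landed in.
ADVISORIES = [
    {"id": "ADV-EXAMPLE-0001", "package": "zlib", "fixed_in": "1.3.1"},
    {"id": "ADV-EXAMPLE-0002", "package": "dropbear", "fixed_in": "2022.83"},
    {"id": "ADV-EXAMPLE-0003", "package": "openssl", "fixed_in": "3.0.14"},
]


def parse_status(text):
    """Parse stanzas into {name: {"version": str, "depends": [names]}}."""
    packages = {}
    for stanza in text.strip().split("\n\n"):
        fields = {}
        for line in stanza.splitlines():
            key, _, value = line.partition(":")
            fields[key.strip()] = value.strip()
        deps = [d.strip() for d in fields.get("Depends", "").split(",") if d.strip()]
        packages[fields["Package"]] = {"version": fields["Version"], "depends": deps}
    return packages


def version_key(version):
    """Comparison key for dotted versions; numeric parts compare as integers,
    anything else as a string that sorts after numbers."""
    return [(0, int(p)) if p.isdigit() else (1, p) for p in version.split(".")]


def build_sbom(packages):
    """Emit a CycloneDX-style dict: components plus a dependency graph keyed by bom-ref."""
    ref = lambda name: f"pkg:generic/{name}@{packages[name]['version']}"
    components = [
        {"type": "library", "name": n, "version": packages[n]["version"], "bom-ref": ref(n)}
        for n in sorted(packages)
    ]
    dependencies = [
        {"ref": ref(n), "dependsOn": [ref(d) for d in packages[n]["depends"] if d in packages]}
        for n in sorted(packages)
    ]
    return {"bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1,
            "components": components, "dependencies": dependencies}


def find_affected(sbom, advisories):
    """Advisory IDs whose package is present at a version below the fixed version."""
    installed = {c["name"]: c["version"] for c in sbom["components"]}
    return [a["id"] for a in advisories
            if a["package"] in installed
            and version_key(installed[a["package"]]) < version_key(a["fixed_in"])]


def dependents_of(sbom, name):
    """Names of components that depend on `name`; shows what an update of it touches."""
    name_by_ref = {c["bom-ref"]: c["name"] for c in sbom["components"]}
    target = next(c["bom-ref"] for c in sbom["components"] if c["name"] == name)
    return sorted(name_by_ref[d["ref"]] for d in sbom["dependencies"] if target in d["dependsOn"])


if __name__ == "__main__":
    sbom = build_sbom(parse_status(PACKAGE_STATUS))
    print(json.dumps(sbom, indent=2))
    for adv_id in find_affected(sbom, ADVISORIES):
        pkg = next(a["package"] for a in ADVISORIES if a["id"] == adv_id)
        print(adv_id, pkg, "-> dependents:", dependents_of(sbom, pkg))
```

Two things the sample shows that the prose does not: an advisory whose fix version equals the installed version (dropbear here) must not be reported, so the comparison has to be strictly "older than", and the dependency section is what turns a flat package list into an answer to "what else is affected if I update this component". A real pipeline would feed vulnerability data from a daily feed instead of the inline list and use a proper version-comparison routine for the package format in use; the simple dotted-version key here is an assumption that is good enough for the constructed data.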

Cyber security with GELin

The Cyber Resilience Act places high demands on the development, monitoring and maintenance of embedded systems. In particular, manufacturers that rely on embedded Linux must ensure that their products meet the new security requirements. With the GELin platform, Ginzinger electronic systems offers a proven solution that has been specifically designed for the needs of embedded systems and supports the implementation of the CRA requirements.

“For end customers, the CRA is an important step in ensuring that customer products can remain in use for a long time and without any security problems. Challenges on the manufacturer side must be addressed early enough and taken into account at the project level.”

Stefan Schöfegger
Head of development

GELin enables companies to identify security risks at an early stage, quickly fix security vulnerabilities and operate customer products at a high security level over the long term. The Ginzinger distribution thus provides a solid basis for meeting the requirements of the CRA while at the same time utilizing the efficiency and flexibility of embedded Linux. Ginzinger electronic systems is also backed by a strong partner network, such as OSADL, and by long-standing security partners, such as LIMES Security, which provide advice.
