In contrast to classic safety precautions, safety problems are difficult to get under control because they are usually unexpected and difficult to predict. Security weaknesses are spied on and exploited by unpredictable, intelligent attackers.
However, a very systematic approach is required to obtain a meaningful and comprehensive assessment of technological safety within a determinable test period. Especially when carrying out safety analyses on electronic systems, the international IEC 62443 series of standards, for example, repeatedly presents developers and testers with completely new challenges.
But even experienced technology security experts have to keep learning new methods and approaches in order to be able to carry out practical tests on electronics efficiently. The spectrum ranges from analyzing a circuit board to attacks at semiconductor and bus level, security of crypto chips, CAN firewalls, UDS fuzzing, binary analysis and the analysis of protocols for wireless interfaces.
Hardware developers must shield control units permanently and reliably against unauthorized access; hardware security modules (HSM) are an indispensable basis for this. The increasing connection of devices and vehicles to the Internet (Internet of Things – IoT) is making device IT more vulnerable. It must protect itself against unauthorized interference with the aim of manipulating the embedded software (e.g. tuning) or manipulating access protection (e.g. immobilizer in vehicles). There is a risk that criminals could penetrate the control electronics via the Internet interface and change the device behavior through targeted manipulation. If in an automated process a layer of paint is applied too thinly, this only becomes apparent much later during quality testing or as a result of increasing numbers of complaints. Weaknesses of traditional public key infrastructure (PKI) solutions should also be avoided – by focusing on devices (not users) and taking long life cycles into account.
What is cyber security all about?
Cyber security measures are intended to protect against attacks, unauthorized interventions, manipulation or even destruction of computer-controlled systems. Spying on data, devices or processes and sabotaging them should be prevented.
Cyber security requires robust systems and components.
NTC Systems is committed to ensuring that the requirements of the Cyber Resiliance Act (CRA) are taken into account and implemented from the beginning to the end of the development of systems and components. This makes it possible to ensure compliance with a manageable amount of effort, create the necessary documentation and ultimately release a product that is protected against cyber attacks.
Securing programmable E/E systems against attacks
It takes a great depth of expertise and experience to protect electrical and electronic systems from unauthorized attacks using suitable measures and procedures. NTC Systems makes this contribution in security-critical customer projects:
- Cyber security assessment: Identification of the risks of an attack and potential points of attack
- Specification of technical and organizational measures to reduce risks
- Implementation of measures to detect and communicate attacks
- Ensuring consistent implementation and documentation
- Definition of measures and processes for monitoring products in operation at the customer’s premises
- Specification of reactions and measures in the event of attempted attacks
Cyber security measures – option or necessity?
The Cyber Resiliance Act is an EU directive that has no direct legal effect, but it obliges EU countries to transpose the requirements into national law. Therefore, a breach of the relevant requirements is punished as a violation of the law – for cyber security as well as for functional safety. In addition to averting the threat of penalties, cyber security primarily makes it possible to develop and offer a product with additional relevant quality features and improved reliability. The integration of communication interfaces for monitoring generates further added value for the customer.
Of course, we at NTC Systems use the cyber security requirements to improve our own development processes and results. The requirements are integrated into our existing development processes in a very streamlined way. The necessary analysis of our own processes sharpens our view. We identify any weaknesses and gaps that may have crept into our processes and take care to rectify them and continuously adapt them to the current status.
We are convinced that cyber security is no longer an option in today’s networked world, but must be applied to all systems, not just critical ones.
Let’s talk about cyber security in your application environment. We will be happy to explain how we approach system development and what services we can provide to support you.
Questions and answers about cyber security
What are the benefits of the Cyber Resiliance Act – CRA?
- Objective
Increasing the cyber security of products with digital elements within the EU - Focus
Products as well as digital services - Content
- Ensuring resilience against cyber attacks
- Essential security requirements, security by design, dealing with vulnerabilities
- Obligation to report
Security incidents discovered, but also security vulnerabilities are reportable. - Penalties
Up to 15 million euros or 2.5% of annual turnover
More details ▶ Cyber Resilience Act | Federal Office for Security
Information Technology (IT) versus Operational Technology (OT)
- Information Technology (IT)
- In IT, the focus is on information and communication systems, especially in business operations. It is about servers and workstation systems with office, financial and management applications.
- IT is based more computer science.
- The life cycle of IT hardware is 3 to 5 years
- IT is primarily about the confidential handling of data.
- Operational Technology (OT)
- OT focuses on physical processes in industrial control systems, controllers, sensors and embedded systems.
- OT is based more on engineering sciences.
- The life cycle of industrial systems, even just a pump, reaches 20-30 years and often even longer.
- OT is all about the availability and integrity of the systems.
Cyber Security versus Functional Safety
Both are crucial for ensuring safe and reliable systems, but with different objectives:
- Cyber security protects systems against external threats such as hacking, data loss, malicious manipulation or destruction. The focus is on protection against and defense against targeted attacks.
- Functional safety is intended to ensure that technical systems function safely even in the event of internal faults and do not pose a risk to people or the environment. The focus is on reducing risks due to hardware or software malfunctions.