CRA Week: Step 2 Security by Design
Day 2 of CRA Week covers the second major step in CRA compliance, Security by Design. NXP security expert Marc Vauclair explains that CRA security is about managing risk, and that Security by Design reduces risk compared to adding security later.
The episode outlines the following CRA expectations:
- Shipping products in a secure state
- Enabling security features by default
- Using encryption and data minimization
- Minimizing components and unused interfaces to reduce attack surface
- Ensuring only trusted software runs at startup
Marc encourages threat modeling, building security into product requirements alongside traditional constraints, and accurate risk assessments.
The episode applies what is discussed to a wireless keyboard example. It illustrates threats such as snooping, data injection, and denial-of-service via wireless flooding, and explains decomposing threats into risk factors, asset-centric impact analysis, and using threat intelligence and vulnerability severity to derive project-specific risk levels. At the end, threats are mapped to mitigations such as authentication to prevent spoofing and cryptographic integrity checks to prevent tampering.
Marc also highlights NXP technologies that support Security by Design:
- Encrypted firmware and key installation
- Secure debug/configuration
- Remote key provisioning
- Memory encryption
- Isolation between secure and non-secure areas
- Secure connectivity features (origin attestation, secure communication, accelerated networking, remote key management)
- Incident detection/response/recovery with measured boot, runtime attestation, cyber resilience recovery, tamper detection, and battery-backed monitoring
Don't miss this detailed episode to better understand Security by Design for CRA!
Episode Resources:
- NXP CRA page: EU Cyber Resilience Act (CRA)
- NXP page: Security Certification
00:00 Welcome to CRA Week Day 2
00:48 Meet Marc Vauclair
01:49 What Security by Design Means
02:54 CRA Secure by Default Requirements
04:13 Lifecycle Threat Modeling
06:02 Making It Practical in Development
07:30 Right Sizing Security Effort
09:23 Threat Modeling Keyboard Example
12:13 Risk Assessment Basics and Factors
14:25 NXP Technologies for Security
16:14 Recap and Step 3 Teaser
Information
- Frequency: Updated Weekly
- Published: February 25, 2026 at 12:00 PM UTC
- Length: 18 min
- Season: 1
- Episode: 55
- Rating: Clean
