May 27, 2025

Ready for CRA

IEC 62443-4-x
For years, politicians have been stepping up their efforts to improve the security of products, systems, and production processes against cyberattacks. Examples include the Network and Information Systems Directive (NIS Directive) and the Cyber Resilience Act (CRA). By the end of 2027, all new connected products placed on the market must meet the CRA's requirements. Currently, however, one important component is missing: the harmonized standard. It can be assumed, though, that it will be based on the well-known security standard IEC 62443 for the OT sector or will largely contain it. Many organizations already use this standard to comply with NIS 2, and for manufacturers of industrial control components, IEC 62443-4-x could become the basis for the harmonized standard.

Manufacturer of industrial control components

IEC 62443-4-x addresses procedural and functional requirements. Part 62443-4-1 addresses the development process. According to the "Secure by Design" or "Secure by Default" principles, the device must be developed according to defined standards. The entire process must be documented, and it must be demonstrated which security level (SL) the device is intended to meet.

Linutronix has now had a control system based on IGLOS (Industrial Grade Linux Operating System; www.iglos.com) certified by TÜV in accordance with IEC 62443-4-2. Due to the standard's requirements, the entire system, including hardware and software, had to be certified. An "embedded device" was defined and certified according to the IEC standard. IGLOS can be adapted at any time to support additional device classes, such as network or host devices.

IEC 62443 defines five security levels (SL) to protect industrial automation and control systems. The types of attacks differ primarily based on the capabilities, resources, and motivation of potential attackers:

Security Level: Type of attack / Attacker profile

SL 0: No specific protective measures, no targeted attacks expected.

SL 1: Protection against unintentional or accidental breaches, e.g. technical failure or errors by non-attackers.

SL 2: Protection against deliberate attacks by individuals with limited resources, motivation, and IT knowledge (e.g., script kiddies).

SL 3: Protection against targeted attacks involving advanced means, moderate motivation, and IACS-specific knowledge, e.g. organized cybercriminals.

SL 4: Protection against highly developed, targeted attacks that require significant effort, motivation, and resources, e.g. state-controlled advanced persistent threats (APTs).

The required resistance to more targeted, technically advanced, and resource-intensive attackers increases with each higher level. Linutronix has achieved security level 2 (SL 2), which will likely become the standard use case for automation in the future.

Linutronix's chosen architecture with Container Runtime allows for easy adaptation to customers' circumstances through the use of corresponding apps. For example, this makes it possible to install additional security applications, such as a firewall or a VPN client. The VPN client enables remote maintenance from external networks and allows users to restrict access.

IGLOS is the central component of our secure Linux operating system for industrial use. It is an "immutable system," meaning it cannot be changed. Along with features like Secure Boot, it ensures that only a defined system can be started. However, updates can be installed at any time as required by the standard. These updates are atomic, and the A/B update structure ensures that a functioning backup is always available. This means that a faulty update will not render the system unusable. Updates can be installed either over the air or via a medium such as a USB stick. Mixed operation is also supported.

All access to the control system is logged and subject to strict access rules. For instance, user access is secured via FIDO2, which is far superior to passwords. All data on the device is encrypted during storage, processing, and transmission. Accessing the data requires both authentication and authorization. Access can only be granted via the secure, certified web application or via SSH login. Accessing a hardware component, such as reading a sensor, is done via a secure D-Bus connection. Interprocess communication is also secure.

In summary, the seven foundational requirements (FRs) are fulfilled, namely identification and access control, usage control, system integrity, data confidentiality, restricted data flow, timely response to events, and availability of resources.

Modularity is made possible by container apps

Modern control systems often use applications rolled out as containers that run on the device's operating system. This makes it easy to extend functionality while removing dependency on the manufacturer because containers can be developed by third parties.

One important aspect that often receives insufficient attention concerns the operating system used for the container. If a secure OS is not used, it can serve as a gateway for malicious code. For this reason, we at Linutronix use our IEC 62443-certified OS, IGLOS.

Summary

IGLOS, especially the version certified according to IEC 62443-4-2, makes it possible to develop new devices that comply with the CRA, as well as to raise the security level of existing components. IGLOS is not limited to the "Embedded Device" class and can be adapted to new classes, as well as to your specific hardware and task, at any time.

The Linutronix team of specialists is always available to help you develop the ideal solution for your needs.