Meeting the Cyber Resilience Act with a new security provisioning service

Europe is driving cyber security, and with the latest Cyber Resilience Act, manufacturers of embedded systems will need to deliver security that meets this new legal framework for cybersecurity.

The cyber resilience that embedded systems need will mean providing security for all of the keys. Typically, one key would be needed to secure the boot, another key to secure the firmware update, and a third key to secure access to the cloud.

To make it simpler to meet the increased level of security demanded by the Cyber Resilience Act, Microchip has introduced a fourth provisioning service.

Building on the existing Trust Platform provisioning services, TrustMANAGER still uses a secure element as a vault, but offers a significant difference which streamlines and adds flexibility to the provisioning process.

The secure element is used to prevent external access to keys, as well as to credentials, certificates and immutable data. The element also provides a unique identity for the lifetime of the embedded system device.

To provision the keys into the secure element, Microchip already offers three different provisioning services. Trust&Go provisioning is used for cloud authentication, and TrustFLEX or TrustCUSTOM is used to provision the silicon with the keys and certificates received from the embedded system manufacturer. These approaches mean that the silicon is pre-configured and provisioned before being shipped to the embedded system manufacturer.

With TrustMANAGER, the silicon is no longer provisioned with the security keys at the Microchip factory. Instead, the embedded system manufacturer completes the provisioning after the silicon has been delivered to the end user (in-field).

The need for the manufacturer to procure and provision a number of secure elements with different keys is replaced by procuring a single chip which is pre-configured with a root of trust. The root of trust allows the manufacturer to customize the chip remotely and securely from the field, at the first connection to the cloud.

This approach also comes with Root CA services and code signing services, and allows the credentials to be managed in the field, including being revoked, rotated or renewed, throughout the lifetime of the end product.

TrustMANAGER brings together advanced silicon from Microchip with a secure cloud environment, Keystream, which is provided by the remote key and credential management experts, Kudelski.

With the new in-field provisioning service, manufacturers of embedded systems will gain greater flexibility and security to meet the demands of the Cyber Resilience Act.

Request the free EV10E69A CryptoAuth Trust Manager board to evaluate in-field provisioning