1. Introduction to security standards and regulations
Security standards and regulations play a critical role in enhancing the security of devices. Devices are subject not only to region-specific regulatory frameworks but also to requirements tied to their application contexts, which adds complexity for designers and developers.
In the context of the Internet of Things (IoT), risks are increasing, and many standards and regulations are emerging to protect IoT devices, their users, and the associated cloud services and infrastructures.
This further increases the complexity faced by designers and developers.
1.1. Overview of key standards and regulations
Below is a non-exhaustive list of the main standards and regulations.
Standard / Regulation | Description |
---|---|
SESIP | The Security Evaluation Standard for IoT Platforms (SESIP), by GlobalPlatform, defines five assurance levels used to evaluate the security level of IoT platforms and devices. |
PSA Certified | PSA Certified provides a comprehensive methodology to determine the security level of IoT devices, helping unlock the possibilities of a connected world. |
ioXt Alliance | The mission of the ioXt Alliance is to build confidence in IoT products through multistakeholder, international, harmonized, and standardized security and privacy requirements, product compliance programs, and public transparency. |
Cybersecurity Act | Grants a permanent mandate to ENISA and sets out a European cybersecurity certification framework for ICT products, services, and processes, effective from June 28, 2021. |
IEC 62443 | The ISA/IEC 62443 series defines requirements and processes for implementing and maintaining electronically secure industrial automation and control systems, bridging operations and IT security. |
EN 303 645 | The ETSI European standard on connected device security, defining baseline security requirements for consumer IoT devices. |
AI Act | The Artificial Intelligence Act is a proposed European regulation aiming to create a legal framework for trustworthy AI, ensuring that AI systems are safe, transparent, and respect fundamental rights. |
RED Directive | RED establishes a regulatory framework for placing radio equipment on the market to meet cybersecurity requirements for internet-connected devices, with compliance via self-assessment or notified bodies. |
Cyber Resilience Act (CRA) | The CRA is a European cybersecurity regulation aiming to increase the security of products with digital elements, including connected devices. |
Cyber Trust Act | Strengthens the EU cybersecurity certification framework, enhancing trust in digital products and services. |
NIST Cybersecurity Framework | A voluntary framework developed by the U.S. National Institute of Standards and Technology (NIST) to provide guidance for organizations on managing and reducing cybersecurity risk. |
China Cybersecurity Law | The China Cybersecurity Law regulates network security and data protection requirements in China, effective since June 2017. |
1.2. How ST can help with your conformance
The landscape of IoT security standards and regulations is diverse and continuously evolving. To ensure effective compliance and robust protection, it is crucial to implement tailored security measures that address the specific needs and risks of each project while meeting regulatory demands.
STMicroelectronics offers the STM32Trust[1] platform and portfolio, which provides a comprehensive suite of advanced security features designed to help devices comply with various regulations. Key capabilities include:
- Secure boot to guarantee trusted device startup
- Secure firmware update ensuring integrity and authenticity of software
- Life cycle management for secure device provisioning and decommissioning
- Device attestation to verify device identity and integrity
- Integrated cryptographic engines supporting encryption, authentication, and key management
- Hardware-based root of trust to anchor security from the silicon level
For more details on all the security functions provided within the STM32Trust[1] security framework, refer to the STM32Trust documentation[1].
These features empower system integrators and developers to build secure, compliant, and future-proof devices and IoT solutions aligned with evolving regulatory frameworks such as the CRA, RED, and others.
ST meets regulatory requirements and demands by following a certification strategy that establishes and maintains the robustness of its products. This strategy aligns with the highest IoT certification levels: SESIP3 and PSA Certified Level 3.
2. Next steps: deep dive on some regulations
Several deep dives on key regulatory topics are proposed to help developers gain a thorough understanding of important compliance areas.
2.1. Deep dive on the Cyber Resilience Act[2] (CRA)
The Cyber Resilience Act[2] (CRA) deep dive covers the essential steps to understand what the CRA is and what its impacts are. It also addresses how using ST products can help with device compliance.
Refer to the full documentation: Deep dive on CRA.
A dedicated list of the most common questions, with tentative answers, is provided: Q&A for CRA.
2.2. Deep dive on the Radio Equipment Directive (RED)
The Radio Equipment Directive (RED, Directive 2014/53/EU[3]) deep dive focuses on the cybersecurity requirements mandated by the directive, highlighting critical compliance aspects. A detailed explanation is available in Deep dive on RED.
A dedicated list of the most common questions, with tentative answers, is provided: Q&A for RED.
2.3. References
- STM32Trust security framework
- STM32 Security wiki
- STM32 classic-cryptographic library
- Product Security Response Team - PSIRT
- REGULATION (EU) 2024/2847
- ENISA web portal, for the latest news and updates
- EC RED Guide, for further guidance