How to Prepare For and Get Ahead of Security Requirement Changes
Posted 10/27/2023 by Eric Sivertson, VP of Security Business
There’s a complex regulatory storm on the horizon as nation-states and industry leaders announce a slew of new cybersecurity requirements. Primarily driven by three key trends: Growing vulnerability in firmware, an expanding attack surface due to 5G connectivity, and the arrival of post-quantum cryptography (PQC) – these incoming regulations will deeply impact developers.
Lattice hosted its quarterly security seminar with Secure-IC and Xiphera to discuss incoming security requirement changes and how organizations can navigate this new regulatory environment.
The Most Pressing Regulations Facing Security System Engineers and Architects
These new regulations are driven by the macro trends and threats modern organizations are experiencing today and are centered around: Implementing PQC, hardware root of trust (HRoT) security, and zero trust security.
Within these new regulations, one of the most pressing is the Commercial National Security Algorithm Suite (CNSA) 2.0 timeline. CNSA, the commercial arm of the U.S. National Security Agency (NSA), has put out cybersecurity and PQC requirements for service providers with specific timelines for each critical industry. For example, servers and cloud services must be compliant by January 2025, and telecoms must be compliant by 2026.
Another pressing regulation, particularly for those in the European Union (EU) or selling to providers in the EU, is the European Cyber Resilience Act (CRA). The CRA is mandating hardware-level security for protection against a wide range of attacks. Products must remain secure throughout their lifecycle, taking into account new attacks we haven’t seen today. After the CRA becomes legislation – which is expected to happen soon – manufacturers selling IoT products will have a grace period of 36 months to implement or fulfill the requirements. They must also report any actively exploited vulnerability within 24 hours of becoming aware of it. Noncompliance will likely result in financial penalties.
Regulations aren’t only coming from nation-states and standards bodies. We’re also seeing certification bodies, like Trusted Computing Group, 3GPP, O-RAN Alliance, and others, provide new recommendations and rules—emphasizing the importance for organizations to monitor which emerging regulations could impact them.
The Transition to PQC
Many of the new requirements integrate stipulations and guidelines around PQC. The journey to PQC migration is not to be taken lightly. Although quantum computers are not expected to be online until 2030, we must remember that it took around a decade to develop and implement a secure environment when the internet arrived. This increases the urgency to begin PQC migration now.
Fortunately, some aspects of PQC are already available today. The United States National Institute of Standards and Technology (NIST) has been conducting ongoing development around PQC algorithms, with the first set arriving in 2016. Since then, NIST has announced four candidates for standardization, plus additional candidates for a fourth round of analysis. These will become the new NIST-approved standards. For some devices, particularly those managing firmware, developers should consider implementing these early PQC standards as a starting point for data migration.
At its core, PQC migration is about shifting away from legacy public key infrastructure (PKI) -based cryptography to post-quantum cryptography that will be resilient to quantum computer attacks. Bad actors are adopting a ‘steal now, decrypt later’ stance that puts significant confidential data stored on the cloud today at risk of future disaster as more and more capable quantum computers come online. While PQC standards are not set in stone yet, during the security seminar, panel experts encouraged developers to implement a hybrid approach: Utilizing a cryptographic system that combines PKI with PQC. In the world of cybersecurity, new is not always better and since these PQC standards are still being worked on, they haven’t seen the same mileage and scrutiny that classic cryptography has seen. A hybrid system can provide developers with the benefits of both classic PKI with incoming PQC as well as a safeguard if one fails.
The Best Solution for New Regulations
As developers begin moving towards PQC, they need “crypto agile” solutions that can be updated to align with new security requirements as the threat landscape evolves.
The programmable nature of Field Programmable Gate Arrays (FPGAs) makes them a powerful crypto agile solution for the recommended hybrid approach. In fact, Lattice’s new generation of FPGAs gives customers the ability to update algorithms post-deployment. This means developers can begin with elliptic PKI algorithms, but then pivot to updated PQC algorithms when new standards are implemented.
This flexibility makes FPGAs more effective for PQC migration than Trusted Platform Modules (TPMs) and microcontrollers (MCUs) that are not quantum resistant and cannot be easily upgraded. FPGAs enable developers to run and optimize various implementations – regardless of size and complexity – to help prepare for and mitigate post quantum attacks.
The Trailblazing Industries
Industries that operate in critical environments are leading the pack for PQC migration: defense, energy and utilities, automotive, telecoms, and datacenters.
These industries will be the first to migrate because their data and infrastructure must be secured. For example, many automotive manufacturers are already adopting full PQC or hybrid models because their vehicles will still be on the road when quantum computers come online. Telecoms and datacenters are also quickly picking up these requirements, especially around quantum secure boot and key exchange, zero trust and HRoT, to provide full security in their systems.
Despite the complex regulatory storm that's headed our way, developers have a myriad of solutions at their disposal. Lattice, Secure-IC, and Xiphera can help you navigate your options and get ahead of the incoming requirements to ensure your products are secure and compliant.
To learn more about how Lattice FPGAs and our solution stack portfolio can help prepare for and get ahead of incoming security requirements, contact our team today.