Isolating Open-Source Software with Virtualization to Comply with the CRA

The Cyber Resilience Act (CRA) is a regulatory measure introduced by the European Union aimed at enhancing cybersecurity standards across all products containing digital elements. The Act took effect in January 2024, with vendors required to ensure compliance by January 2027. While open-source software (OSS) is exempt from the CRA, companies that integrate OSS into their commercial offerings assume responsibility for maintaining the security of those components. This distinction places the onus on vendors to monitor vulnerabilities and provide timely fixes when OSS is part of their products. To illustrate the challenges posed by incorporating OSS in critical environments, consider a smart heating system embedded device. This device manages a home's central heating unit, a system whose improper operation can lead to costly damage. It also monitors and adjusts temperatures across various radiators. The device’s web server offers users access to status information and control options via a user interface built upon popular OSS like the express.js web framework running on the node.js JavaScript runtime. This framework depends on approximately 65 additional OSS packages, highlighting the extensive reliance on open-source components in such products. Running the web server directly on the embedded device introduces significant security risks. If the server handles user input validation and regulates heating configurations, any compromise could allow an attacker to manipulate the system dangerously. Under the CRA, the vendor must ensure a high level of cybersecurity, whether they develop software in-house or integrate third-party solutions. Although OSS components themselves are exempt, commercial use effectively transfers security responsibility to the vendor, who must then comply with CRA mandates. One mitigation approach is to separate the heating control functions. The web server and its dependencies can manage the interface and general control, while a secure, minimal component validates commands to prevent unsafe configurations. This layered approach limits the impact of a compromised web server but still leaves a broad attack surface for privilege escalation, necessitating further protections. Virtualization technologies, specifically hypervisors, offer a powerful solution by sandboxing software components. A hypervisor runs software within isolated virtual machines (VMs), restricting interaction to defined interfaces such as virtual device emulation. The hypervisor itself is classified by the CRA as a critical product, placing responsibility for its security on its vendor. When connecting VMs to external networks, vendors can use firewall configurations on the host to confine VM communications strictly to necessary traffic, such as web server requests. This isolation significantly reduces the risk of exploitation while maintaining essential network functionality. Cyberus provides specialized solutions to assist vendors in meeting CRA requirements. Their Cyberus Hypervisor, combined with CtrlOS—an embedded operating system designed for CRA compliance—offers features like auditable firewall configurations and other security hardening capabilities. These tools help vendors incorporate open-source software safely into their products, reducing the complexity and cost associated with ensuring regulatory compliance. Interested parties are encouraged to engage with Cyberus for tailored sessions to explore appropriate security strategies for their embedded systems.