[et_pb_section fb_built=”1″ disabled_on=”off|off|off” _builder_version=”4.27.5″ _module_preset=”default” background_image=”https:\/\/blog.microcontrol.net\/wp-content\/uploads\/2026\/05\/CRA_CSAF_Protokollstack02.webp” background_position=”top_left” background_vertical_offset=”59%” max_width=”95%” custom_margin=”0px||||false|false” custom_padding=”130px||0px|||” global_colors_info=”{}”][et_pb_row column_structure=”1_2,1_2″ _builder_version=”4.16″ _module_preset=”default” width=”100%” custom_padding=”0px||0px||false|false” global_colors_info=”{}”][et_pb_column type=”1_2″ _builder_version=”4.16″ _module_preset=”default” global_colors_info=”{}”][\/et_pb_column][et_pb_column type=”1_2″ _builder_version=”4.16″ _module_preset=”default” global_colors_info=”{}”][et_pb_image src=”https:\/\/blog.microcontrol.net\/wp-content\/uploads\/2021\/10\/MicroControl-Troisdorf-Germany.png” title_text=”MicroControl Troisdorf Germany” _builder_version=”4.16″ _module_preset=”default” width=”75%” module_alignment=”right” global_colors_info=”{}”][\/et_pb_image][\/et_pb_column][\/et_pb_row][\/et_pb_section][et_pb_section fb_built=”1″ _builder_version=”4.16″ _module_preset=”default” background_enable_color=”off” custom_margin=”||||false|false” custom_padding=”||||false|false” global_colors_info=”{}”][et_pb_row _builder_version=”4.16″ _module_preset=”default” custom_margin=”||||false|false” custom_padding=”||||false|false” global_colors_info=”{}”][et_pb_column type=”4_4″ _builder_version=”4.16″ _module_preset=”default” global_colors_info=”{}”][et_pb_text _builder_version=”4.27.5″ _module_preset=”default” header_font=”||||||||” header_font_size=”32px” custom_margin=”||||false|false” custom_padding=”||||false|false” global_colors_info=”{}”]<\/p>\n
[\/et_pb_text][\/et_pb_column][\/et_pb_row][et_pb_row _builder_version=”4.21.2″ _module_preset=”default” global_colors_info=”{}”][et_pb_column type=”4_4″ _builder_version=”4.16″ _module_preset=”default” global_colors_info=”{}”][et_pb_text _builder_version=”4.27.5″ _module_preset=”default” header_3_text_color=”#ef7c00″ custom_margin=”0px||0px||false|false” custom_padding=”0px||0px||false|false” global_colors_info=”{}”]With the Cyber Resilience Act, or CRA for short, the European Union defines binding cyber security requirements for products with digital elements. The regulation therefore affects not only conventional IT products, but also embedded systems, firmware, software components and industrial communication solutions. The aim of the CRA is to establish a uniform minimum level of cyber security for connected products on the European market and to embed security requirements throughout the entire product life cycle.<\/p>\n
For MicroControl, the CRA is particularly relevant in the field of industrial communication systems. Our products and software components, including CANopen, CANopen FD, J1939 and bootloader solutions, are used in embedded systems and industrial applications. It is precisely in this environment that new requirements arise for risk assessment, vulnerability management, secure updates, technical documentation and traceable communication of security information.<\/p>\n
The bootloader<\/a> plays a special role here. It is a security-relevant basic component for firmware updates, integrity checks and the controlled start-up of an embedded system. As part of CRA implementation, MicroControl is therefore also working on concepts for Secure Boot. The aim is to ensure that only authorised and unmodified firmware is executed on a system. Technical approaches for this include cryptographic signatures, firmware integrity checks and a defined chain of trust from the bootloader through to the application.[\/et_pb_text][\/et_pb_column][\/et_pb_row][et_pb_row _builder_version=”4.21.2″ _module_preset=”default” global_colors_info=”{}”][et_pb_column type=”4_4″ _builder_version=”4.16″ _module_preset=”default” global_colors_info=”{}”][et_pb_heading title=”Alignment with the CRA, BSI recommendations and established standards” _builder_version=”4.27.5″ _module_preset=”default” title_level=”h2″ global_colors_info=”{}”][\/et_pb_heading][et_pb_text _builder_version=”4.27.5″ _module_preset=”default” header_3_text_color=”#ef7c00″ custom_margin=”0px||0px||false|false” custom_padding=”0px||0px||false|false” global_colors_info=”{}”]<\/p>\n MicroControl is not implementing the requirements in isolation, but is closely aligning its approach with the provisions of the CRA and the recommendations of the German Federal Office for Information Security<\/a>, known as the BSI. The BSI describes the CRA as a European regulation that establishes a minimum level of cyber security for connected products placed on the EU market. <\/p>\n An important technical building block is the structured provision of security information. For this, the BSI recommends, among other things, the Common Security Advisory Framework<\/a>, or CSAF for short. CSAF is a standardised, machine-readable format for providing security advisories. It enables manufacturers to publish information on vulnerabilities, affected products, versions, severity levels, remediation measures and references in a consistent manner. For users and operators, this makes automated evaluation easier and enables them to assess quickly whether specific products or versions are affected. <\/p>\n MicroControl is already taking these requirements into account in its own security documentation. On our security policy page, we describe how security vulnerabilities can be reported, what information is helpful for an assessment and how we handle reports as part of coordinated disclosure. <\/p>\n [\/et_pb_text][\/et_pb_column][\/et_pb_row][et_pb_row _builder_version=”4.21.2″ _module_preset=”default” global_colors_info=”{}”][et_pb_column type=”4_4″ _builder_version=”4.16″ _module_preset=”default” global_colors_info=”{}”][et_pb_heading title=”Vulnerability management and Coordinated Vulnerability Disclosure” _builder_version=”4.27.5″ _module_preset=”default” title_level=”h2″ global_colors_info=”{}”][\/et_pb_heading][et_pb_text _builder_version=”4.27.5″ _module_preset=”default” header_3_text_color=”#ef7c00″ custom_margin=”0px||0px||false|false” custom_padding=”0px||0px||false|false” global_colors_info=”{}”]<\/p>\n A central element of CRA implementation is a robust vulnerability management process. This includes the ability to record reported vulnerabilities in a structured manner, validate them technically, assess their impact and derive suitable measures. <\/p>\n For this, MicroControl uses a Coordinated Vulnerability Disclosure process, i.e. coordinated disclosure of vulnerabilities. Once a report has been received, the information provided is reviewed, the issue is analysed and potential effects on products, software versions or configurations are assessed. On this basis, measures for remediation or mitigation are defined. Security advisories may subsequently contain information on affected versions, severity ratings, updates, workarounds, CVE references and a revision history. Where appropriate, such information may also be provided in standardised formats such as CSAF. <\/p>\n [\/et_pb_text][\/et_pb_column][\/et_pb_row][et_pb_row _builder_version=”4.21.2″ _module_preset=”default” global_colors_info=”{}”][et_pb_column type=”4_4″ _builder_version=”4.16″ _module_preset=”default” global_colors_info=”{}”][et_pb_heading title=”Impact on CAN-networks” _builder_version=”4.27.5″ _module_preset=”default” title_level=”h2″ global_colors_info=”{}”][\/et_pb_heading][et_pb_text _builder_version=”4.27.5″ _module_preset=”default” header_3_text_color=”#ef7c00″ custom_margin=”0px||0px||false|false” custom_padding=”0px||0px||false|false” global_colors_info=”{}”]<\/p>\n The CRA is also relevant for products and software components in the CAN environment. This creates the need for a system- and application-specific risk assessment. CAN in Automation e.V.<\/a>, or CiA for short, points out in a position paper<\/a> that SL2 can be achieved in CAN networks with minimal effort. <\/p>\n For CAN-based systems, the assessment always depends on the specific usage scenario. Security measures must therefore be supplemented depending on the system architecture, access options, interfaces, operating environment and required security level. In industrial applications, the following aspects, among others, play a role: <\/p>\n For MicroControl, this context is especially important because our protocol stacks are typically integrated into customer-specific devices, controllers or machines. CRA compliance must therefore not be considered only at the level of individual software components, but always in conjunction with the target hardware, firmware, bootloader, update process, network topology and application. <\/p>\n [\/et_pb_text][\/et_pb_column][\/et_pb_row][et_pb_row _builder_version=”4.21.2″ _module_preset=”default” global_colors_info=”{}”][et_pb_column type=”4_4″ _builder_version=”4.16″ _module_preset=”default” global_colors_info=”{}”][et_pb_heading title=”CSAF and SBOM: uniquely assigning components via PURL and SKU” _builder_version=”4.27.5″ _module_preset=”default” title_level=”h2″ global_colors_info=”{}”][\/et_pb_heading][et_pb_text _builder_version=”4.27.5″ _module_preset=”default” header_3_text_color=”#ef7c00″ custom_margin=”0px||0px||false|false” custom_padding=”0px||0px||false|false” global_colors_info=”{}”]<\/p>\n When processing security reports, the question often arises of how a component mentioned in a vulnerability report can be reliably found again in an existing SBOM. Especially when companies want to evaluate security information automatically, unambiguous identification of the affected products or components is crucial. Without standardised identifiers, matching a security advisory with an SBOM remains prone to error and is often only possible manually. <\/p>\n Security information is increasingly provided in CSAF<\/strong> format. CSAF stands for Common Security Advisory Framework and is a standardised format for the structured publication of security advisories. The CSAF format includes, among other things, the An important component here is the This enables a tool to check automatically whether a particular vulnerability is relevant to a product or software component. The use of standardised identifiers such as the Package URL<\/strong>, or PURL for short, is particularly helpful here. <\/p>\n [\/et_pb_text][et_pb_text _builder_version=”4.27.5″ _module_preset=”default” header_3_text_color=”#ef7c00″ custom_margin=”20px||0px||false|false” custom_padding=”0px||0px||false|false” global_colors_info=”{}”]<\/p>\n The Package URL is a widely used standard for identifying software packages across different ecosystems. A PURL describes a package in a structured form. This allows it to be read by machines and used for automated comparisons. <\/p>\n For MicroControl protocol stacks, the PURL follows the following scheme:[\/et_pb_text][et_pb_text _builder_version=”4.27.5″ _module_preset=”default” text_font=”||||||||” header_3_text_color=”#ef7c00″ background_color=”#f7f7f7″ custom_margin=”10px||10px||false|false” custom_padding=”15px|15px|15px|15px|false|false” border_width_all=”2px” border_color_all=”#ef7c00″ locked=”off” global_colors_info=”{}”]<\/p>\n [\/et_pb_text][et_pb_text _builder_version=”4.27.5″ _module_preset=”default” text_font_size=”13px” custom_margin=”10px||||false|false” custom_padding=”0px||||false|false” locked=”off” global_colors_info=”{}”]<\/p>\n Scheme of a PURL for protocol stacks<\/p>\n [\/et_pb_text][\/et_pb_column][\/et_pb_row][et_pb_row _builder_version=”4.21.2″ _module_preset=”default” global_colors_info=”{}”][et_pb_column type=”4_4″ _builder_version=”4.16″ _module_preset=”default” global_colors_info=”{}”][et_pb_text _builder_version=”4.27.5″ _module_preset=”default” header_3_text_color=”#ef7c00″ custom_margin=”20px||0px||false|false” custom_padding=”0px||0px||false|false” global_colors_info=”{}”]The components mean the following:<\/p>\n – In addition to the PURL, an SKU can also be specified. In this case, the SAP article number is used as the SKU. This creates a second identification option, which is particularly helpful when internal ERP, purchasing or product data are to be matched with security information. <\/p>\n For a J1939 Protocol Stack in version [\/et_pb_text][et_pb_text _builder_version=”4.27.5″ _module_preset=”default” text_font_size=”13px” custom_margin=”10px||||false|false” custom_padding=”0px||||false|false” global_colors_info=”{}”]<\/p>\n Example entry in the CSAF document for J1939 protocol stacks<\/p>\n [\/et_pb_text][\/et_pb_column][\/et_pb_row][et_pb_row _builder_version=”4.21.2″ _module_preset=”default” global_colors_info=”{}”][et_pb_column type=”4_4″ _builder_version=”4.16″ _module_preset=”default” global_colors_info=”{}”][et_pb_heading title=”Conclusion” _builder_version=”4.27.5″ _module_preset=”default” title_level=”h2″ global_colors_info=”{}”][\/et_pb_heading][et_pb_text _builder_version=”4.27.5″ _module_preset=”default” header_3_text_color=”#ef7c00″ custom_margin=”0px||0px||false|false” custom_padding=”0px||0px||false|false” global_colors_info=”{}”]<\/p>\n The Cyber Resilience Act fundamentally changes the requirements placed on manufacturers of products with digital elements. For MicroControl, this development is closely linked to industrial communication, embedded software, bootloader technologies and CAN-based systems. <\/p>\n We are consistently implementing the provisions of the CRA, the recommendations of the BSI and the guidance from the CAN\/CANopen environment. The focus is on structured security processes, coordinated vulnerability handling, standardised security advisories, technical documentation and secure update and boot concepts. With our protocol stacks and bootloader solutions, we operate in a technical environment in which cyber resilience is increasingly becoming an integral part of product development. The implementation of Secure Boot approaches, clear vulnerability processes and traceable documentation is therefore an important step for us in supporting customers in the development of secure and future-proof industrial products. Further information on the reporting channel and on the handling of security vulnerabilities can be found on our security policy page<\/a>. <\/p>\n [\/et_pb_text][\/et_pb_column][\/et_pb_row][et_pb_row _builder_version=”4.21.2″ _module_preset=”default” global_colors_info=”{}”][et_pb_column type=”4_4″ _builder_version=”4.16″ _module_preset=”default” global_colors_info=”{}”][et_pb_heading title=”Referenzen” _builder_version=”4.27.5″ _module_preset=”default” title_level=”h2″ global_colors_info=”{}”][\/et_pb_heading][et_pb_text _builder_version=”4.27.5″ _module_preset=”default” header_3_text_color=”#ef7c00″ custom_margin=”0px||0px||false|false” custom_padding=”0px||0px||false|false” hover_enabled=”0″ global_colors_info=”{}” sticky_enabled=”0″]<\/p>\n [1] MicroControl Security Policy<\/a> [\/et_pb_text][\/et_pb_column][\/et_pb_row][\/et_pb_section][et_pb_section fb_built=”1″ _builder_version=”4.16″ _module_preset=”default” background_color=”#f7f7f7″ custom_margin=”||||false|false” custom_padding=”|0px||0px|false|false” global_colors_info=”{}”][et_pb_row _builder_version=”4.21.2″ _module_preset=”default” custom_margin=”||||false|false” custom_padding=”0px||0px||false|false” global_colors_info=”{}”][et_pb_column type=”4_4″ _builder_version=”4.16″ _module_preset=”default” global_colors_info=”{}”][et_pb_text _builder_version=”4.21.2″ _module_preset=”default” header_3_text_color=”#ef7c00″ custom_margin=”40px||0px||false|false” custom_padding=”0px||0px||false|false” global_colors_info=”{}”]<\/p>\n [\/et_pb_text][\/et_pb_column][\/et_pb_row][et_pb_row _builder_version=”4.21.2″ _module_preset=”default” custom_margin=”-72px||||false|false” global_colors_info=”{}”][et_pb_column type=”4_4″ _builder_version=”4.16″ _module_preset=”default” global_colors_info=”{}”][et_pb_button button_url=”https:\/\/www.microcontrol.net\/produktdemo\/” url_new_window=”on” button_text=”Advisory service, product demo, sample modules” _builder_version=”4.21.2″ _module_preset=”default” custom_button=”on” button_text_color=”#FFFFFF” button_bg_color=”#ef7c00″ button_border_color=”#ef7c00″ button_border_radius=”8px” custom_margin=”30px||||false|false” button_border_color_last_edited=”off|desktop” global_colors_info=”{}” button_border_color__hover_enabled=”on|hover” button_bg_color__hover_enabled=”on|hover” button_bg_color__hover=”#939393″ button_bg_enable_color__hover=”on” button_border_color__hover=”#939393″][\/et_pb_button][\/et_pb_column][\/et_pb_row][\/et_pb_section]<\/p>\n","protected":false},"excerpt":{"rendered":" Cyber Resilience Act – Technical implementation of security requirementsWith the Cyber Resilience Act, or CRA for short, the European Union defines binding cyber security requirements for products with digital elements. The regulation therefore affects not only conventional IT products, but also embedded systems, firmware, software components and industrial communication solutions. The aim of the CRA […]<\/p>\n","protected":false},"author":7,"featured_media":4434,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_et_pb_use_builder":"on","_et_pb_old_content":"","_et_gb_content_width":"","footnotes":""},"categories":[68,54],"tags":[81,84],"class_list":["post-4487","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-i-o-modules","category-protocol-stacks","tag-canopen-en","tag-j1939-en","et-has-post-format-content","et_post_format-et-post-format-standard"],"yoast_head":"\n
The following information is particularly relevant for a technical assessment: <\/p>\n\n
\n
product_tree<\/code> section. This can be used to describe affected products and components. <\/p>\nproduct_identification_helper<\/code> field. This field is not mandatory, but provides a very helpful way of specifying additional identifiers for a product or component. The product_identification_helper<\/code> field facilitates automatic matching between: <\/p>\n\n
Package URL as an identifier<\/h3>\n
pkg:generic\/microcontrol\/<stack-prefix>-protocol-stack@<version-string><\/code><\/pre>\npkg<\/code>: designation as a Package URL;
\n– generic<\/code>: package type when no specific ecosystem such as npm, Maven or PyPI is used;
\n– microcontrol<\/code>: namespace or manufacturer\/organisation reference;
\n– <stack-prefix>-protocol-stack<\/code>: name of the protocol stack;
\n– <version-string><\/code>: specific version of the component.[\/et_pb_text][et_pb_text _builder_version=”4.27.5″ _module_preset=”default” header_3_text_color=”#ef7c00″ custom_margin=”20px||0px||false|false” custom_padding=”0px||0px||false|false” global_colors_info=”{}”]<\/p>\nSupplementary identification via SKU<\/h3>\n
4.12.00<\/code> with the SAP article number 50.04.002<\/code>, the entry in the CSAF document looks as follows:[\/et_pb_text][\/et_pb_column][\/et_pb_row][et_pb_row use_custom_gutter=”on” gutter_width=”1″ _builder_version=”4.16″ _module_preset=”default” saved_tabs=”all” locked=”off” global_colors_info=”{}”][et_pb_column type=”4_4″ _builder_version=”4.16″ _module_preset=”default” global_colors_info=”{}”][et_pb_text _builder_version=”4.27.5″ _module_preset=”default” text_font=”||||||||” header_3_text_color=”#ef7c00″ background_color=”#f7f7f7″ custom_margin=”||10px||false|false” custom_padding=”15px|15px|15px|15px|false|false” border_width_all=”2px” border_color_all=”#ef7c00″ global_colors_info=”{}”]<\/p>\n\"product_identification_helper\": {\n \"purl\": \"pkg:generic\/microcontrol\/j1939-protocol-stack@4.12.00\",\n \"skus\": [\n \"50.04.002\"\n ]\n}<\/code><\/pre>\n
[2] BSI: Cyber Resilience Act<\/a>
[3] BSI: Common Security Advisory Framework, CSAF<\/a>
[4] CAN in Automation e.V.: EU Cyber Resilience Act<\/a>
[5] European Commission: Cyber Resilience Act<\/a><\/p>\nBook a technical meeting now:<\/b><\/span><\/h2>\n