ONEKEY GmbH

Cyber Resilience Act Passed – A Paradigm Shift in Product Cybersecurity

Jan Wendenburg: “The Cyber Resilience Act was passed by the EU Council on October 10th, making cybersecurity mandatory for all manufacturers. Connected devices must be designed to remain protected against cyberattacks with up-to-date software throughout their entire lifecycle.”

Duesseldorf, October 24, 2024 – “With the Cyber Resilience Act (CRA), the principle of ‘Security by Design’ is being incorporated into European technology law for the first time,” says Jan Wendenburg, CEO of the Düsseldorf-based cybersecurity company ONEKEY. This “paradigm shift” has immediate consequences for all manufacturers and distributors of connected devices, highlighting the far-reaching implications of the upcoming regulations for securing digital products against hacker attacks.

In future, products with digital components will need to do more than simply comply with the CRA at the time of market launch. Continuous risk assessments and, if necessary, updates to the software and firmware within devices will be required. “Manufacturers will need to build a mechanism from the very beginning that enables new software versions to be deployed, addressing any security vulnerabilities that arise after the product has been delivered,” explains Jan Wendenburg. He further emphasizes that failing to implement this essential design feature will mean that these products cannot be sold within the European Union, underlining the serious consequences of failing to comply with the Cyber Resilience Act.

"Extremely Broad" Range of Affected Product Categories

The range of affected product categories is "extremely broad," says Jan Wendenburg. He provides examples: devices for Smart Home and Smart Security, connected household appliances of all kinds, Wi-Fi-enabled toys, VoIP phones, networking equipment such as routers, switches, or firewalls, connected medical devices, vehicles, Industrial Internet of Things (IIoT) devices, and industrial control systems used across departments in manufacturing and logistics.

Jan Wendenburg explains: "Practically all areas of industrial automation are now digitalised. Equipment, machines and systems that used to be purely mechanical have long since been equipped with control electronics and connected to the network. However, many manufacturers of these automation products have not actually taken the path from mechanical engineering to software development, but rather source the digital components and the corresponding programmes from suppliers. With the CRA regulation, these manufacturers are now directly responsible for the digital technology in their networked devices. Many companies are not yet sufficiently prepared for this."

Software Expertise Among Industrial Equipment Manufacturers Varies Widely

"The level of software expertise among manufacturers of industrial automation components is very diverse," notes Jan Wendenburg, drawing on numerous projects. He explains: "Keeping connected products updated throughout their entire lifecycle to address emerging security vulnerabilities is a significant challenge for many predominantly mid-sized industrial automation manufacturers." He points out that the database of publicly known software vulnerabilities exploitable by hackers, the Common Vulnerabilities and Exposures (CVE) database, contains over 240,000 entries. "Even for IT departments in large corporations, it is difficult to stay on top of cybersecurity vulnerabilities. For mid-sized companies, it's practically impossible," warns Jan Wendenburg.

The security expert points to the classic example of an IoT hack: the world-famous Stuxnet wave of attacks in 2010, in which so-called SCADA systems (Supervisory Control and Data Acquisition) from Siemens were attacked via the internet. These industrial control systems are used globally in industrial plants, power stations and pipelines. Stuxnet's aim was to change the speed of the motors controlled by the SCADA systems and thus physically destroy the machines. At the time, the computer virus infected thousands of plant control systems and, among other things, sabotaged the nuclear power plants under construction in Iran. According to the prevailing expert opinion, it was developed specifically for this purpose and launched by a state authority.

“Since at least 2010, it has been clear that cyberattacks can cause irreparable damage to machines and systems. With the implementation of the EU Cyber Resilience Act, manufacturers and distributors are now responsible for ensuring that their digital control systems are designed from the ground up to support continuous updates with the latest software, providing optimal protection against cyber threats,” states Jan Wendenburg.

As a first step, the ONEKEY CEO recommends that providers of connected devices, machines, and systems create a "Software Bill of Materials" (SBOM), which is a detailed inventory of all components used in their products. ONEKEY operates a Product Cybersecurity & Compliance Platform (OCP) that automatically generates SBOMs while identifying potential security vulnerabilities. This lays the groundwork for tracking and effectively addressing any security gaps. “With our platform, manufacturers can largely automate compliance with the Cyber Resilience Act, significantly reducing additional efforts,” says Jan Wendenburg.

ONEKEY is the leading European specialist in Product Cybersecurity & Compliance Management and part of the investment portfolio of PricewaterhouseCoopers Germany (PwC). The unique combination of an automated Product Cybersecurity & Compliance Platform (PCCP) with expert knowledge and consulting services provides fast and comprehensive analysis, support, and management to improve product cybersecurity and compliance from product purchasing, design, development, production to end-of-life.

Critical vulnerabilities and compliance violations in device firmware are automatically identified in binary code by AI-based technology in minutes, without source code, device, or network access. Integrated Software Bill of Materials (SBOM) generation supports proactive auditing of software supply chains. "Digital Cyber Twins" enable automated 24/7 post-release cybersecurity monitoring throughout the product lifecycle.

The patent-pending, integrated Compliance Wizard™ already covers the upcoming EU Cyber Resilience Act (CRA) and existing requirements according to IEC 62443-4-2, ETSI EN 303 645, UNECE R 155 and many others.

The Product Security Incident Response Team (PSIRT) is effectively supported by the integrated automatic prioritisation of vulnerabilities, significantly reducing the time to remediation.

Leading international companies in Asia, Europe and the Americas already benefit from the ONEKEY Product Cybersecurity & Compliance Platform and ONEKEY Cybersecurity Experts.

Contact us: ONEKEY GmbH,
Kaiserswerther Str. 45, 40477 Duesseldorf, Germany,
Sara Fortmann, email: sara.fortmann@onekey.com,
website: https://onekey.com

PR Agency: euromarcom public relations GmbH,
Muehlhohle 2, 65205 Wiesbaden, Germany,
email: team@euromarcom.de, website: www.euromarcom.de
