<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Red Alert Labs, Author at IoTAC</title>
	<atom:link href="https://iotac.eu/author/annamarton26gmail-com/feed/" rel="self" type="application/rss+xml" />
	<link>https://iotac.eu/author/annamarton26gmail-com/</link>
	<description>Internet of Things Access Control</description>
	<lastBuildDate>Thu, 09 Mar 2023 16:55:27 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>
	hourly	</sy:updatePeriod>
	<sy:updateFrequency>
	1	</sy:updateFrequency>
	<generator>https://wordpress.org/?v=6.2.9</generator>

<image>
	<url>https://iotac.eu/wp-content/uploads/2020/11/cropped-favicon-32x32.jpg</url>
	<title>Red Alert Labs, Author at IoTAC</title>
	<link>https://iotac.eu/author/annamarton26gmail-com/</link>
	<width>32</width>
	<height>32</height>
</image> 
	<item>
		<title>Top 8 Things You Should Know About the EU Cyber Resilience Act (CRA)</title>
		<link>https://iotac.eu/top-8-things-you-should-know-about-the-eu-cyber-resilience-act-cra/</link>
					<comments>https://iotac.eu/top-8-things-you-should-know-about-the-eu-cyber-resilience-act-cra/#respond</comments>
		
		<dc:creator><![CDATA[Red Alert Labs]]></dc:creator>
		<pubDate>Thu, 09 Mar 2023 08:47:38 +0000</pubDate>
				<category><![CDATA[Insights]]></category>
		<category><![CDATA[IoT architecture]]></category>
		<category><![CDATA[IoT security]]></category>
		<category><![CDATA[security by design]]></category>
		<guid isPermaLink="false">https://iotac.eu/?p=11769</guid>

					<description><![CDATA[<p>The post <a href="https://iotac.eu/top-8-things-you-should-know-about-the-eu-cyber-resilience-act-cra/">Top 8 Things You Should Know About the EU Cyber Resilience Act (CRA)</a> appeared first on <a href="https://iotac.eu">IoTAC</a>.</p>
]]></description>
										<content:encoded><![CDATA[
		<div id="fws_69f3b8d708367"  data-column-margin="default" data-midnight="dark"  class="wpb_row vc_row-fluid vc_row top-level standard_section "  style="padding-top: 0px; padding-bottom: 0px; "><div class="row-bg-wrap" data-bg-animation="none" data-bg-overlay="false"><div class="inner-wrap"><div class="row-bg"  style=""></div></div><div class="row-bg-overlay" ></div></div><div class="row_col_wrap_12 col span_12 dark left">
	<div  class="vc_col-sm-12 wpb_column column_container vc_column_container col no-extra-padding inherit_tablet inherit_phone "  data-t-w-inherits="default" data-bg-cover="" data-padding-pos="all" data-has-bg-color="false" data-bg-color="" data-bg-opacity="1" data-hover-bg="" data-hover-bg-opacity="1" data-animation="" data-delay="0" >
		<div class="vc_column-inner" ><div class="column-bg-overlay-wrap" data-bg-animation="none"><div class="column-bg-overlay"></div></div>
			<div class="wpb_wrapper">
				
<div class="wpb_text_column wpb_content_element " >
	<div class="wpb_wrapper">
<p>More and more successful cyberattacks are targeting hardware and software products, leading to an estimated global annual cost of cybercrime of EUR 5.5 trillion by 2021, according to the EU Commission. This is due mainly, on one side, to the lack of appropriate security in such products, which often go to market with inherent vulnerabilities, and, on the other side, to the lack of awareness of the consumers or enterprises adopting those products, owing to insufficient transparency from manufacturers when it comes to expressing their level of security.</p>
<p>This is why, on September 15, 2022, the <a style="font-weight: inherit;" href="https://digital-strategy.ec.europa.eu/en/library/cyber-resilience-act" data-type="web">European Commission</a> published its proposal for the EU Cyber Resilience Act (CRA), a regulation intended to increase the level of trust among users and the attractiveness of EU products with digital elements while providing legal certainty.</p>
<p>The regulation is very extensive, and we recommend going through it in detail. In the meantime, here are the top 8 things you should know about the EU Cyber Resilience Act that we have picked for you&#8230;</p>
<p><strong>1- Am I concerned?</strong></p>
<p>Yes, if you are a manufacturer, importer or distributor of connected products (hardware or software) with digital elements (e.g. smart sensors, smart cameras, mobile devices, network devices, etc.). All market sectors are concerned horizontally, except those where other EU regulations already apply, such as the medical, civil aviation and motor vehicle domains. Note that the scope also includes non-embedded software (software that can be made available without hardware). Services such as SaaS applications, however, are not within the scope of this regulation unless they are used for remote processing of the product at a distance, under the responsibility of the product manufacturer, and their absence would prevent the product from performing one of its functions. Finally, free and open-source software supplied outside of a commercial activity should not be covered by this regulation.</p>
<p><strong>2- What are my obligations?</strong></p>
<p>One of the main goals of the CRA is to cover the entire lifecycle of digital products. So your first obligation is to ensure that a list of essential cybersecurity requirements and harmonised rules has been considered at all stages, including the design phase, delivery, actual product use, maintenance, decommissioning and disposal. Security by design, security by default, the security of the supply chain and vulnerability handling will be the main domains to be addressed. Secondly, you need to conduct and document a security risk assessment and provide user guidance. You must report actively exploited vulnerabilities and provide security updates for at least five years. If you know or have reason to believe that the product or the processes you have put in place as a manufacturer are not in conformity with the CRA essential requirements, you shall immediately take the necessary corrective measures, withdraw or recall the product as appropriate, and notify ENISA within 24 hours.</p>
<p><strong>3- How should I demonstrate conformity?</strong></p>
<p>Most common families of digital products belong to the non-critical risk category, which requires a conformity self-assessment carried out under your own responsibility. Products considered to belong to higher risk categories will be qualified as critical (Class I) and might require additional assurance requirements to be satisfied by applying harmonised standards or EU cybersecurity certification schemes such as the EUCC or the EUCS, either under your own responsibility or through a third-party conformity assessment body (CAB). Highly critical (Class II) products should always involve a third-party CAB. Finally, products certified under the EU cybersecurity certification schemes such as the EUCC, developed under the CSA, are supposed to satisfy the EU Cyber Resilience Act requirements by default and benefit from a presumption of conformity.</p>
<p><strong>4- How does it relate to other EU policies?</strong></p>
<p>The CRA complements the existing Directive on the security of Network and Information Systems (NIS2) and the existing EU Cybersecurity Act (EU CSA). It is also based on the New Legislative Framework (NLF) for industrial products, which aims to improve market surveillance and the quality of conformity assessments. It is expected to satisfy the Radio Equipment Directive (RED) cybersecurity-related requirements. This means that the RED-related harmonised cybersecurity standards (under development) will most probably serve as a basis for the EU CRA essential requirements.</p>
<p><strong>5- What are the potential Costs vs Benefits?</strong></p>
<p>It is estimated that any compliance costs for businesses would be outweighed by the benefits of a higher level of product security, the prevention of divergent security requirements, and increased user trust and market adoption. The CRA also strengthens competitiveness and quality standards by levelling the playing field, and it would reduce the number of incidents, incident handling costs and reputational damage. For the EU this means roughly 180 to 290 billion euros of consequential costs could be avoided. Finally, non-compliance with the CRA essential cybersecurity requirements and all relevant obligations shall be subject to fines of up to 15 000 000 EUR or, if the offender is an undertaking, up to 2.5 % of its total annual turnover for the preceding financial year, whichever is higher.</p>
<p><strong>6- By when will it be applicable?</strong></p>
<p>The proposal will now pass to the European Parliament and the Council, which will form their own positions before coming together for the trilogue negotiations in Q3/Q4 2023. To give all stakeholders (manufacturers, distributors, importers, CABs, Member States, ENISA, etc.) time to adapt to the new requirements, the proposed CRA regulation will become applicable 24 months after its entry into force (at the latest by Q1 2026), except for the reporting obligation on manufacturers, which would apply from 12 months after the date of entry into force (most probably by Q1 2025).</p>
<p><strong>7- How could I recognize a conformant product?</strong></p>
<p>I&#8217;m sure you&#8217;re all familiar with the CE marking, which you can find on all products circulating in the EU. This same mark will indicate the conformity of products with digital elements with this regulation. Only beta releases for testing purposes could be made available without that mark, as long as they are time-limited to testing purposes. Most importantly, importers of products with digital elements must, in addition to checking the CE marking, ensure that the appropriate assessment procedures have been carried out by the manufacturer according to the risk assessment and that the manufacturer has created all the required technical documentation.</p>
<p><strong>8- Yes, you could appoint an authorized representative</strong></p>
<p>Indeed, as a manufacturer you may mandate an external authorised representative to relieve you of the management of the EU declaration of conformity and to act on your behalf for market surveillance purposes.</p>
<p>Finally, it&#8217;s not too early to start planning accordingly, adapt your digital product strategy and choose the right specialised partners so as not to miss the EU single market access opportunity.</p>
<p>This guest blog is published with the kind permission of <a href="https://www.redalertlabs.com/">Red Alert Labs</a> and originally appeared <a href="https://www.redalertlabs.com/blog/top-8-things-you-should-know-about-the-eu-cyber-resilience-act-cra">here</a>.</p>
<p>If you want to learn more about the CRA and its impact, join our Roundtable on 17 April, where you can listen to the positions of the European Commission, the US NIST, standardisation organisations and industry. For the agenda and registration, please go to <a href="https://iotac.eu/iot-day-roundtable-2023/">https://iotac.eu/iot-day-roundtable-2023/</a>!</p>
	</div>
</div>




			</div> 
		</div>
	</div> 
</div></div>
<p>The post <a href="https://iotac.eu/top-8-things-you-should-know-about-the-eu-cyber-resilience-act-cra/">Top 8 Things You Should Know About the EU Cyber Resilience Act (CRA)</a> appeared first on <a href="https://iotac.eu">IoTAC</a>.</p>
]]></content:encoded>
					
					<wfw:commentRss>https://iotac.eu/top-8-things-you-should-know-about-the-eu-cyber-resilience-act-cra/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>Top 5 Cybersecurity Challenges Facing IoT Device Manufacturers</title>
		<link>https://iotac.eu/top-5-cybersecurity-challenges-facing-iot-device-manufacturers/</link>
					<comments>https://iotac.eu/top-5-cybersecurity-challenges-facing-iot-device-manufacturers/#respond</comments>
		
		<dc:creator><![CDATA[Red Alert Labs]]></dc:creator>
		<pubDate>Fri, 21 Oct 2022 13:47:51 +0000</pubDate>
				<category><![CDATA[Insights]]></category>
		<category><![CDATA[IoT architecture]]></category>
		<category><![CDATA[IoT security]]></category>
		<category><![CDATA[security by design]]></category>
		<guid isPermaLink="false">https://iotac.eu/?p=10555</guid>

					<description><![CDATA[<p>The post <a href="https://iotac.eu/top-5-cybersecurity-challenges-facing-iot-device-manufacturers/">Top 5 Cybersecurity Challenges Facing IoT Device Manufacturers</a> appeared first on <a href="https://iotac.eu">IoTAC</a>.</p>
]]></description>
										<content:encoded><![CDATA[
		<div id="fws_69f3b8d709b41"  data-column-margin="default" data-midnight="dark"  class="wpb_row vc_row-fluid vc_row standard_section "  style="padding-top: 0px; padding-bottom: 0px; "><div class="row-bg-wrap" data-bg-animation="none" data-bg-overlay="false"><div class="inner-wrap"><div class="row-bg"  style=""></div></div><div class="row-bg-overlay" ></div></div><div class="row_col_wrap_12 col span_12 dark left">
	<div  class="vc_col-sm-12 wpb_column column_container vc_column_container col no-extra-padding inherit_tablet inherit_phone "  data-t-w-inherits="default" data-bg-cover="" data-padding-pos="all" data-has-bg-color="false" data-bg-color="" data-bg-opacity="1" data-hover-bg="" data-hover-bg-opacity="1" data-animation="" data-delay="0" >
		<div class="vc_column-inner" ><div class="column-bg-overlay-wrap" data-bg-animation="none"><div class="column-bg-overlay"></div></div>
			<div class="wpb_wrapper">
				
<div class="wpb_text_column wpb_content_element " >
	<div class="wpb_wrapper">
<p>Consumers have been concerned about the security of IoT devices for some time, placing much pressure on manufacturers to demonstrate that their products are secure and trustworthy. As a device manufacturer, it’s important to recognize the challenges you’ll face as you aim to gain consumer confidence in your product. Here are the top 5 cybersecurity challenges facing IoT device manufacturers:</p>
<p><strong>1. Misconfiguration issues</strong></p>
<p>According to a <a style="font-weight: inherit;" href="https://www2.deloitte.com/content/dam/Deloitte/in/Documents/technology-media-telecommunications/in-tmt-IoT_Theriseoftheconnectedworld-28aug-noexp.pdf" data-type="">whitepaper by Deloitte</a>, 70% of IoT devices are configured to use factory-set usernames and passwords. Many users never change the default credentials, which cybercriminals are quick to take advantage of. When manufacturing your product, it becomes your responsibility to prevent weak authentication and provide secure default configuration settings for the operating system. Look into <a style="font-weight: inherit;" href="https://www.redalertlabs.com/blog/top-10-things-you-should-know-about-fido-device-onboarding-fdo" data-type="">FIDO Device Onboard (FDO)</a> technology, which is a device onboarding protocol developed by the <a style="font-weight: inherit;" href="https://fidoalliance.org/" data-type="">FIDO Alliance</a>. It is an automatic onboarding mechanism for IoT devices, meaning it is invoked autonomously and performs only limited, specific interactions with its environment to complete.</p>
<p><strong>2. Lack of control once it’s in the hands of the end-user</strong></p>
<p>It doesn’t matter how secure you’ve developed your product to be if the end-user ends up configuring it incorrectly, making it vulnerable to attacks. It may feel that it is no fault of yours when consumers ignore your directions and warnings about the consequences of improperly configuring your devices. However, any attack involving your devices still damages your reputation. You may be able to address these issues by investing in services that ensure end-users properly configure their devices on-site.</p>
<p><strong>3. Toolsets to verify product security</strong></p>
<p>While many emerging IoT technologies are being introduced into the market, toolsets for secure embedded development are rare, and the ones that do exist are limited. Manufacturers find themselves burdened by the responsibility to develop their own tools for validating the security of their products. This may require hiring an in-house development team or partnering with a third-party vendor, which may stretch your budget more than expected. Take a look at innovative and trending product cybersecurity assessment tools such as <a style="font-weight: inherit;" href="https://www.cyber-pass.eu/" data-type="">CyberPass</a>.</p>
<p><strong>4. Complexities of having multiple suppliers for hardware and software</strong></p>
<p>The more third parties are introduced into your process, the higher the risk of threats and vulnerabilities. After all, a software supplier may have different processes from your hardware vendor. Because you don’t have control over the security processes of these channels, it becomes your responsibility to assess and minimize any potential risks and security issues they may introduce into your development process. You can lessen the risk of passing security threats on to your customers by identifying vulnerabilities across the various channels of your supply chain.</p>
<p><strong>5. Late-development vulnerabilities and threats</strong></p>
<p>Sophisticated threats can enter in the final stages of the development process, making vulnerability management crucial. A good vulnerability management system proactively mitigates the potential for vulnerabilities rather than managing attacks after they’ve happened. To ensure all device components are secure, you should keep an eye out for potential vulnerabilities, write and release constant updates and patches, and prepare for more advanced attacks.</p>
<p>Finally, to be cyber resilient, IoT manufacturers need to spend more time on security measures in the product development stage, supported by domain specialists when necessary. Connected products that come with reliable protection and a detailed monitoring infrastructure are well placed to meet these security challenges and provide trust to the market.</p>
<p>This guest blog is published with the kind permission of Red Alert Labs and originally appeared <a href="https://www.redalertlabs.com/blog/top-5-cybersecurity-challenges-facing-iot-device-manufacturers">here</a>.</p>
	</div>
</div>




			</div> 
		</div>
	</div> 
</div></div>
<p>The post <a href="https://iotac.eu/top-5-cybersecurity-challenges-facing-iot-device-manufacturers/">Top 5 Cybersecurity Challenges Facing IoT Device Manufacturers</a> appeared first on <a href="https://iotac.eu">IoTAC</a>.</p>
]]></content:encoded>
					
					<wfw:commentRss>https://iotac.eu/top-5-cybersecurity-challenges-facing-iot-device-manufacturers/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
	</channel>
</rss>
