Three Ways to Prepare for the EU CRA
Proekspert’s Terry London explains the EU Cyber Resilience Act and offers three ways to begin to prepare
IPEC 2024 conference speech, Nuremberg, Germany.
What is the EU Cyber Resilience Act?
There has been a lot of confusion about the EU Cyber Resilience Act (CRA), but one thing is certain: it is coming soon. Final adoption was originally expected in spring 2024 but was pushed back to the autumn of 2024.
The CRA’s purpose is simple: to unify cybersecurity rules across the EU market. Compliance will become a condition of the CE marking for products with digital elements. The CRA covers almost any hardware or software product that can be connected to a network. There are some exceptions for products already covered by sector-specific regulation, such as medical devices and vehicles. Free and open-source software supplied outside a commercial activity and pure software-as-a-service offerings are also outside its scope.
The European Commission announced the first draft of the act in the autumn of 2022, but it didn’t get a warm welcome from software developers, because it was considered too restrictive and burdensome for them. Still, it is quite a good initiative by the EU.
The CRA aspires to achieve two main things. It wants to protect the end-users of internet-connected devices. And, when considering all the IoT devices around our homes and offices, the CRA wants to put a little more responsibility on the shoulders of the software developers and device manufacturers regarding device security.
Cyber threats are real
One thing is sure: cyber threats are real. The number of cyberattacks against companies has been growing constantly and damages are costly.
Many may still think that this doesn’t affect industrial automation, since shop floor environments are typically isolated from the internet. But when we look at history, we see that isolation alone doesn’t help when attackers target a company.
There are common myths regarding industrial control systems, but we have seen that digital attacks against control systems can be done without the internet and result in physical damage. Being offline doesn’t protect a facility from a person with a USB stick or mobile internet.
Keeping devices offline is one measure against cyber risks. However, significant issues come from the need to connect devices to the internet. Manufacturing companies are increasingly implementing digital systems for efficiency and productivity. With connected systems, we have to figure out how to mitigate the cyber risks that come with connectivity.
The CRA’s main requirements
From the CRA, I have distilled four primary requirements for industrial device manufacturers:
- Get products certified.
- Start compiling a software bill of materials.
- Start reporting vulnerabilities.
- Provide security updates to fix vulnerabilities.
I will cover each topic in more detail later.
What we’re doing today
How do we relate to this topic? Proekspert is a software development company. Our focus is on serving industrial device manufacturers. Typically, our clients are experts in developing highly reliable devices like electric motor frequency converters or HVAC devices. These devices are meant to work autonomously for months or years without much attention from their owners.
Our client companies are experts in hardware development, and they know how to make the software that runs their devices. Our role is to support our clients in fields outside their core competencies, such as device security, internet connectivity, and digital user interfaces. These fields are very IT-oriented and may change too fast for a company to keep up with if its main focus is mechanical and electronics engineering.
Why our experience matters
Proekspert has been around for 31 years. Since our beginnings we have worked on specialized devices to create software that monitors and controls devices remotely or protects the data they process during operation.
We started with writing control software for Applikon bioreactors. That experience led us to the industrial automation systems field. We have been part of Danfoss’s frequency converter development for the last 20 years. We also worked on early ATM development that used smart cards. It was ground-breaking technology because it was very fast and very secure. That experience brought us to the data and device security field. Today, we combine industrial automation with modern cybersecurity.
Product certification categories
Returning to the EU CRA: first, be aware that it is an umbrella act. It does not specify the exact technical standards your product must comply with. Its main requirement is that every product must go through a conformity assessment, either a self-assessment or a third-party assessment, before it is placed on the market.
Products are divided into three main categories, depending on how critical the function they perform is. For example, internet-connected smart-home devices and toys fall into the lowest category and require only self-assessment, while more critical products, in particular security-related ones, require third-party assessment or certification.
An important note here is that everything starts with self-assessment, and that is where device manufacturers can start.
Requirements for device manufacturers
With the following requirements, we are moving very close to the software development world:
- Product companies must compile and provide a software bill of materials (SBOM). You have to understand where your software comes from and who is responsible for each software component inside the device.
- Device manufacturers must start monitoring and reporting the vulnerabilities in their devices and software. The exact way the reporting process will be organized is yet to be decided, but from the software development side, discovering vulnerabilities is essential, and it is closely tied to SBOM management.
- Companies must provide security updates for their products. That responsibility comes together with a requirement to define the product’s support period, i.e. how long it will receive updates.
What is SBOM?
The software bill of materials is one crucial element of the CRA requirements. At a simplified level, it is a list of ingredients describing the components of a software application. More technically, it is a machine-readable inventory, in a format such as SPDX or CycloneDX, of all the open-source and third-party components in a system’s code. It records the licenses and the versions of the components we use, and whether those components are up to date. That enables us to quickly identify security or license risks.
SBOM management and vulnerability reporting are two sides of the same coin: without an accurate inventory of what is inside the product, you cannot tell which published vulnerabilities affect it.
An SBOM is created and maintained by the manufacturer or the software supplier. And, as every professional software development specialist has experienced, even if the software’s dependencies don’t change, their vulnerabilities can change frequently. As software ages, more exploitable risks will likely be found in the code.
That means we must use proper software development tools and implement strict processes, which is nothing unusual. However, it may get overwhelming for companies that are not experienced in software development. Implementing such processes takes work and requires years of practice.
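The SBOM-to-advisory matching described above, as an added example that is not part of the original talk or of Proekspert’s tooling. It parses a small, constructed CycloneDX-style SBOM for a hypothetical firmware image and checks each component against a constructed advisory list; the component names, versions and advisory IDs are fictional placeholders, and the advisory format (component name plus first fixed version) is an assumption, not the shape of any particular feed. The version comparison is numeric on purpose: a plain string compare would rank "1.9" above "1.10".

```go
package main

import (
	"encoding/json"
	"fmt"
	"strconv"
	"strings"
)

// SBOM models a small subset of a CycloneDX JSON document; fields such as "type" and "purl" are ignored.
type SBOM struct {
	BOMFormat  string `json:"bomFormat"`
	Components []struct {
		Name    string `json:"name"`
		Version string `json:"version"`
	} `json:"components"`
}

// Advisory is shaped like a vulnerability-feed entry: the affected component
// and the first version in which the issue is fixed (an assumed, simplified format).
type Advisory struct{ ID, Name, FixedIn, Severity string }

// Finding pairs an SBOM component with an advisory that still applies to it.
type Finding struct {
	Component, Version string
	Advisory           Advisory
}

// Constructed sample SBOM for a hypothetical firmware image; component names,
// versions and purls are fictional placeholders, not real libraries.
const sampleSBOM = `{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "components": [
    {"type": "library", "name": "acme-tls", "version": "2.28.3", "purl": "pkg:generic/acme-tls@2.28.3"},
    {"type": "library", "name": "netstack", "version": "2.1.3", "purl": "pkg:generic/netstack@2.1.3"},
    {"type": "library", "name": "rtos-kernel", "version": "10.5.1", "purl": "pkg:generic/rtos-kernel@10.5.1"}
  ]
}`

// Constructed advisory list; the IDs are fictional placeholders, not CVEs.
var sampleAdvisories = []Advisory{
	{ID: "EXAMPLE-2024-0001", Name: "acme-tls", FixedIn: "2.28.4", Severity: "high"},
	{ID: "EXAMPLE-2024-0002", Name: "netstack", FixedIn: "2.1.3", Severity: "medium"},
}

// versionLess reports whether dotted numeric version a is older than b. Missing trailing
// segments count as zero ("2.1" equals "2.1.0"); segments are compared as integers.
func versionLess(a, b string) (bool, error) {
	pa, pb := strings.Split(a, "."), strings.Split(b, ".")
	for len(pa) < len(pb) {
		pa = append(pa, "0")
	}
	for len(pb) < len(pa) {
		pb = append(pb, "0")
	}
	for i := range pa {
		x, errA := strconv.Atoi(pa[i])
		y, errB := strconv.Atoi(pb[i])
		if errA != nil || errB != nil {
			return false, fmt.Errorf("non-numeric version: %q vs %q", a, b)
		}
		if x != y {
			return x < y, nil
		}
	}
	return false, nil
}

// CheckSBOM parses the SBOM and reports every component whose version is
// below an advisory's fixed version, i.e. still affected.
func CheckSBOM(sbomJSON string, advisories []Advisory) ([]Finding, error) {
	var bom SBOM
	if err := json.Unmarshal([]byte(sbomJSON), &bom); err != nil {
		return nil, fmt.Errorf("parse SBOM: %w", err)
	}
	var findings []Finding
	for _, c := range bom.Components {
		for _, a := range advisories {
			if a.Name != c.Name {
				continue
			}
			affected, err := versionLess(c.Version, a.FixedIn)
			if err != nil {
				return nil, err
			}
			if affected {
				findings = append(findings, Finding{c.Name, c.Version, a})
			}
		}
	}
	return findings, nil
}

func main() {
	findings, err := CheckSBOM(sampleSBOM, sampleAdvisories)
	fmt.Printf("%+v\nerror: %v\n", findings, err) // one finding: acme-tls 2.28.3 vs EXAMPLE-2024-0001
}
```

In the sample, only acme-tls is flagged: netstack is exactly at the fixed version and rtos-kernel has no advisory. In practice the advisory side comes from a vulnerability feed keyed by purl or CPE rather than by bare component name, and the check is re-run whenever the feed changes, not only when the SBOM does, which is the "vulnerabilities change even when dependencies don’t" point made above.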
Ways of delivering security updates securely
Traditionally, industrial devices have relied on physical isolation and organisational processes rather than on software security measures. For devices in physically isolated areas, protection with user passwords may sound good enough. However, companies are already moving away from that practice: more and more industrial devices are connected to the internet, directly or through secure gateways.
Two main cybersecurity measures are used to protect devices against malicious software updates:
- A secure transport channel such as HTTPS (TLS) for distributing the update, which protects the package against tampering and eavesdropping in transit.
- Device-side signature verification, where the device checks a digital signature on the downloaded package to confirm that it comes from an authorized source and has not been modified, whatever channel delivered it.
There is also a third option: with the help of crypto chips (secure elements), each device gets its own unique cryptographic identity, which gives the highest level of control. The manufacturer can then bind an update to one specific device, so a firmware package delivered to one device cannot simply be copied to another.
Such measures require IT infrastructure to manage certificates and keys, plus roles and permissions for the people who operate the devices.
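The device-side verification and the per-device binding described above, as an added example that is not part of the original talk or of Proekspert’s update mechanism. It assumes an Ed25519 vendor signing key, a small JSON manifest that is signed (the image is covered by its SHA-256 digest), and a device that knows its model, serial number, installed version and the vendor public key. The device binding is done here with a signed target serial in the manifest as a simple stand-in for a per-device secure-element identity; the model and serial names and the firmware bytes are constructed placeholders. The transport (TLS) is out of scope of the block: the point is that the device rejects a bad package no matter how it arrived.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// Manifest is what the manufacturer signs; the image itself is covered through
// its SHA-256 digest, so it can be streamed to flash and hashed on the way.
type Manifest struct {
	Model        string `json:"model"`
	TargetSerial string `json:"target_serial,omitempty"` // empty: any device of this model
	Version      uint32 `json:"version"`
	FirmwareHash string `json:"firmware_sha256"`
}

// UpdatePackage is what travels over the (TLS-protected) update channel.
type UpdatePackage struct {
	ManifestJSON []byte
	Signature    []byte
	Firmware     []byte
}

// Device is the minimal state the on-device updater needs. The vendor public
// key is provisioned at manufacturing time, ideally inside a secure element.
type Device struct {
	Model            string
	Serial           string
	InstalledVersion uint32
	VendorPublicKey  ed25519.PublicKey
}

// GenerateVendorKey creates the manufacturer's signing key pair. In production
// this happens once, and the private half lives in an HSM, never on a device.
func GenerateVendorKey() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// BuildPackage is the manufacturer-side step: hash the image, sign the manifest.
func BuildPackage(priv ed25519.PrivateKey, m Manifest, firmware []byte) (UpdatePackage, error) {
	sum := sha256.Sum256(firmware)
	m.FirmwareHash = hex.EncodeToString(sum[:])
	mj, err := json.Marshal(m)
	if err != nil {
		return UpdatePackage{}, err
	}
	return UpdatePackage{ManifestJSON: mj, Signature: ed25519.Sign(priv, mj), Firmware: firmware}, nil
}

// Verify is the device-side step. Order matters: the signature is checked before
// any manifest field is trusted, then model and optional serial binding, then
// anti-rollback against the installed version, and finally the image digest.
func (d Device) Verify(p UpdatePackage) error {
	if len(d.VendorPublicKey) != ed25519.PublicKeySize {
		return errors.New("no vendor public key provisioned on this device")
	}
	if !ed25519.Verify(d.VendorPublicKey, p.ManifestJSON, p.Signature) {
		return errors.New("manifest signature invalid: not from the vendor or modified in transit")
	}
	var m Manifest
	if err := json.Unmarshal(p.ManifestJSON, &m); err != nil {
		return fmt.Errorf("manifest parse: %w", err)
	}
	if m.Model != d.Model {
		return fmt.Errorf("package is for model %q, this device is %q", m.Model, d.Model)
	}
	if m.TargetSerial != "" && m.TargetSerial != d.Serial {
		return fmt.Errorf("package bound to serial %q, this device is %q", m.TargetSerial, d.Serial)
	}
	if m.Version <= d.InstalledVersion {
		return fmt.Errorf("rollback refused: version %d is not newer than installed %d", m.Version, d.InstalledVersion)
	}
	sum := sha256.Sum256(p.Firmware)
	if hex.EncodeToString(sum[:]) != m.FirmwareHash {
		return errors.New("firmware digest mismatch: image tampered or truncated")
	}
	return nil
}

func main() {
	pub, priv, err := GenerateVendorKey()
	if err != nil {
		panic(err)
	}
	dev := Device{Model: "FC-100", Serial: "SN-0001", InstalledVersion: 41, VendorPublicKey: pub}
	firmware := []byte("constructed placeholder firmware image") // not a real image
	pkg, _ := BuildPackage(priv, Manifest{Model: "FC-100", Version: 42}, firmware)
	fmt.Println("genuine package:", dev.Verify(pkg))
	tampered := pkg
	tampered.Firmware = append([]byte("X"), firmware[1:]...)
	fmt.Println("tampered image:", dev.Verify(tampered))
}
```

Signing the manifest rather than the raw image is what lets the same mechanism carry the version for anti-rollback and the optional device binding; an attacker who can edit the manifest cannot re-sign it without the vendor key, and one who swaps the image breaks the digest. Key management (rotation, revocation, who may sign) is the infrastructure cost mentioned above.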
How we help our clients
Preparing our clients for the EU CRA is our everyday job, in addition to writing software for their devices.
- We help companies with self-assessment. We focus on the IEC 62443 framework covering industrial automation and control systems cyber risks. Our engineers identify and map product development processes and vulnerabilities and suggest security measures to mitigate security risks in product source code and development processes.
- Managing SBOM and documenting vulnerabilities. We set up and manage a software development toolset that supports and helps monitor vulnerabilities in our clients’ products.
- We implement security update mechanisms. This part is dependent on our client’s business and devices. It may vary from a simple firmware update to something quite complex. Technology changes quickly, and there is no one size fits all.
In addition, we suggest putting together a long-term plan for maintaining and updating your IT and device security infrastructure.
In conclusion, the EU CRA is an umbrella act that boils down to relatively obvious focus points. By focusing on the three activities mentioned above, you can already prepare yourself.
IPEC is an acronym for the International Production Environmental Community located in Nuremberg, Germany. On March 13, 2024, Terry London, Proekspert’s Product Manager of Device Security Solutions, shared our experience about preparing industrial device manufacturers for the upcoming EU Cyber Resilience Act – from a secure embedded software development perspective.