Cyber Resilience Act: An Initial Look

A European proposal for a regulation that ‘bolsters cybersecurity rules to ensure more secure hardware and software products’ within European Union internal markets has been published (Sept 15th).

The EU Cyber Resilience Act (CRA), or ‘horizontal cybersecurity requirements for products with digital elements and amending Regulation’, is the current culmination of a thorough process and, according to the proposal, has had input from all 27 European Union Member States and ‘key SME stakeholders’.

At IoTSF we have championed the need for baseline regulation since our inception and have participated in numerous consultations in a number of regions along the way. Getting regulation ‘just right’ is hard – really hard; too light and it’s a pointless exercise, too heavy and it stifles markets and innovation. We’ve also been tracking the most relevant international standards and making sure we help manufacturers and developers to understand and use them. One method that has proven particularly effective is to map the micro requirements that make up the IoT Security Assurance Framework to those higher-level standards-based ‘outcomes’.

We’re still working our way through the details of the proposed CRA and how it stacks up against legislation and standards in other regions, including the work done by NIST (USA) (plus state-level legislation), ETSI (EU), Singapore, Germany, Finland etc., but there are a few things we are immediately drawn to that visitors to our site will find interesting. There are a number of immediate questions:

1. What are the Security Requirements?

SECURITY REQUIREMENTS RELATING TO THE PROPERTIES OF PRODUCTS WITH DIGITAL ELEMENTS

NOTE: ‘product with digital elements’ means any software or hardware product and its remote data processing solutions, including software or hardware components to be placed on the market separately.

These are identified in Annex 1: ESSENTIAL CYBERSECURITY REQUIREMENTS and reproduced here:

  1. Products with digital elements shall be designed, developed and produced in such a way that they ensure an appropriate level of cybersecurity based on the risks;
  2. Products with digital elements shall be delivered without any known exploitable vulnerabilities;
  3. On the basis of the risk assessment referred to in Article 10(2) and where applicable, products with digital elements shall:

(a)  be delivered with a secure by default configuration, including the possibility to reset the product to its original state;

(b)  ensure protection from unauthorised access by appropriate control mechanisms, including but not limited to authentication, identity or access management systems;

(c)  protect the confidentiality of stored, transmitted or otherwise processed data, personal or other, such as by encrypting relevant data at rest or in transit by state of the art mechanisms;

(d)  protect the integrity of stored, transmitted or otherwise processed data, personal or other, commands, programs and configuration against any manipulation or modification not authorised by the user, as well as report on corruptions;

(e)  process only data, personal or other, that are adequate, relevant and limited to what is necessary in relation to the intended use of the product (‘minimisation of data’);

(f)  protect the availability of essential functions, including the resilience against and mitigation of denial of service attacks;

(g)  minimise their own negative impact on the availability of services provided by other devices or networks;

(h)  be designed, developed and produced to limit attack surfaces, including external interfaces;

(i)  be designed, developed and produced to reduce the impact of an incident using appropriate exploitation mitigation mechanisms and techniques;

(j)  provide security related information by recording and/or monitoring relevant internal activity, including the access to or modification of data, services or functions;

(k)  ensure that vulnerabilities can be addressed through security updates, including, where applicable, through automatic updates and the notification of available updates to users.

2. Who is the Regulation targeted at?

The short version is ‘economic operators’ – these are described as ‘the manufacturer, the authorised representative, the importer, the distributor, or any other natural or legal person who is subject to obligations laid down by [the] Regulation’.

3. When will the legislation take effect?

To allow manufacturers, notified bodies and Member States time to adapt to the new requirements, the proposed Regulation will become applicable [24 months] after its entry into force, except for the reporting obligation on manufacturers, which would apply from [12 months] after the date of entry into force.

4. What is the burden on the manufacturer once the ‘product with digital elements’ is placed on the market?

… for the expected product lifetime or for a period of five years from the placing of the product on the market, whichever is shorter, manufacturers shall ensure that vulnerabilities of that product are handled effectively and in accordance with the essential requirements set out in [the Vulnerability Handling Requirements] – see below.

Vulnerability Handling Requirements

Manufacturers of the products with digital elements shall:

  1. identify and document vulnerabilities and components contained in the product, including by drawing up a software bill of materials in a commonly used and machine-readable format covering at the very least the top-level dependencies of the product;
  2. in relation to the risks posed to the products with digital elements, address and remediate vulnerabilities without delay, including by providing security updates;
  3. apply effective and regular tests and reviews of the security of the product with digital elements;
  4. once a security update has been made available, publicly disclose information about fixed vulnerabilities, including a description of the vulnerabilities, information allowing users to identify the product with digital elements affected, the impacts of the vulnerabilities, their severity and information helping users to remediate the vulnerabilities;
  5. put in place and enforce a policy on coordinated vulnerability disclosure;
  6. take measures to facilitate the sharing of information about potential vulnerabilities in their product with digital elements as well as in third party components contained in that product, including by providing a contact address for the reporting of the vulnerabilities discovered in the product with digital elements;
  7. provide for mechanisms to securely distribute updates for products with digital elements to ensure that exploitable vulnerabilities are fixed or mitigated in a timely manner;
  8. ensure that, where security patches or updates are available to address identified security issues, they are disseminated without delay and free of charge, accompanied by advisory messages providing users with the relevant information, including on potential action to be taken.

Given the global standing of the European market, this regulation will have a much greater impact than ‘the internal market’ and affect global producers. As such, we expect to be discussing and dissecting the implications of the proposed CRA over the coming months with our members as we seek to gain greater clarity. In the meantime, you might like to browse the official Q&A from the European Commission.

If you are a developer or manufacturer of consumer IoT products, why not check out our Consumer IoT Guidance pages?

Did you know?

Our IoT Security Assurance Framework is aimed at developers who need to satisfy global (i.e. ‘varying’) regulations and standards. The ‘developer friendly’ micro requirements contained within the Framework can be directly mapped to any standards initiative we’ve come across. That’s why many see it as a ‘pre-compliance’ tool.

And with over 10,000 downloads from our website, it’s a very popular publication… oh, and it’s free!