Time-to-market becomes a gamble without automated analysis routines
Düsseldorf/Germany, October 10, 2022 – All products with digital elements – from routers to smart refrigerators to televisions and, above all, any modern industrial equipment – should no longer pose cyber risks to users in the future. This is what the EU Commission is demanding, and with the Cyber Resilience Act – a law on “cyber resilience” (Download preliminary PDF version) – it is stipulating that products “with digital elements,” such as hardware and software, must be protected against vulnerabilities that can be exploited by hackers during their full life cycle in the future. “This law will be a tour de force for the industry. The regulation is overdue and makes a lot of sense, as especially in recent months more and more such vulnerabilities have been mercilessly exploited by smart devices or used as a gateway into networks. However, the time-to-market for new products and equipment will suffer enormously from the set of rules, and without automated analysis and testing routines, the process is almost impossible to map,” says Jan Wendenburg, CEO of ONEKEY. For the first time, the European IoT/ OT security specialist enables software-based automated analysis of binary software to detect previously unknown vulnerabilities – up to zero-day gaps.
Software bill of materials (SBOM) solves many problems
Until recently, neither users nor producers or distributors were aware of the “ingredients” that make up products with digital elements and network connections. This is a problem, though, because the use of third-party code is spiraling out of control. In general, software has long since ceased to be developed in a single source, but it is assembled from modules, i.e. components – whether open-source or binary-licensed software. This component construction method is used in order to lower development costs and save time. The challenge is that the components can contain components again – and so deeply nested, the own firmware can contain malware, bugs or other vulnerabilities all of which the developer is unaware. “Without a robust and reliable code review process, companies cannot be sure of the threats and have, according to the Cyber Resilience Act, one foot in the future punishable space,” Wendenburg continues. ONEKEY is one of the few providers worldwide that can already create the SBOM (Software Bill of Materials) with an automated firmware analysis without source code, and can also continue to maintain this steadily and fully automated during updates.
Industrial control systems particularly at risk
EU legislation also stipulates that producers must guarantee the security and integrity of components or products and systems for a period of five years or the intended life span of a product – the shorter period being relevant. Here, the ONEKEY security expert sees a need to catch up, especially in the case of industrial control systems: “IoT systems are in use in industry – in factories, in service and manufacturing – much longer, even if the producer discontinues the product after five years. Here, companies must be especially aware that the protection of the EU law ends at some point and personal responsibility begins,” warns Jan Wendenburg of ONEKEY. Furthermore, in the near future the marketing of products with known vulnerabilities will be prohibited. This will put an end to the copy-paste engineering that is often common today and which frequently re-integrates undetected or even known bugs into new products. In the future, used components or final results must be tested to prevent old vulnerabilities from being copied into new products.
Wondering if you are Cyber Resilience Act ready?ONEKEY’s Cybersecurity experts are ready to support you. Here, you will find more details.
ONEKEY is the leading European specialist in Product Cybersecurity & Compliance Management. The unique combination of an automated Product Cybersecurity & Compliance Platform (PCCP) with expert knowledge and consulting services provides fast and comprehensive analysis, support and management to improve product cybersecurity and compliance from product purchasing, design, development, production to end-of-life.
Critical vulnerabilities and compliance violations in device firmware are automatically identified in binary code by AI-based technology in minutes – without source code, device or network access. Proactively audit software supply chains with integrated software bill of materials (SBOM) generation. “Digital Cyber Twins” enable automated 24/7 post-release cybersecurity monitoring throughout the product lifecycle.
Integrated compliance checking already covers the upcoming EU Cyber Resilience Act and existing requirements according to IEC62443-4-2, EN303645, UNR155 and many others.
The Product Security Incident Response Team (PSIRT) is effectively supported by the integrated automatic prioritisation of vulnerabilities, significantly reducing the time to remediation.
Leading international companies in Asia, Europe and the Americas already benefit from the ONEKEY Product Cybersecurity & Compliance Platform and ONEKEY Cybersecurity Experts.
euromarcom public relations GmbH
+49 611 973 150