Cyber Resilience Act bans products with known vulnerabilities
In future, manufacturers will no longer be allowed to place smart products with known security vulnerabilities on the EU market – if they do, they could face severe penalties
Duesseldorf, Germany, 5 June 2024 – In the US alone, 14,286 CVEs have been published on the National Institute of Standards and Technology website so far in 2024. Common Vulnerabilities and Exposures (CVEs) are security gaps and weaknesses in computer systems that could allow a hacker to launch an attack. Under the forthcoming EU Cyber Resilience Act (CRA), devices may soon no longer be allowed to be supplied with known and exploitable vulnerabilities. If such vulnerabilities are present, the manufacturer, seller, or importer, along with the company's entire management, will be held liable. When it comes to cyber resilience, the legislation of the Cyber Resilience Act makes it clear that customers - both residential and commercial - have an effective right to secure software. However, the race to be the first to discover vulnerabilities continues: organisations would be well advised to implement both effective CVE detection and impact assessment now to better scrutinise their own products and protect themselves against the serious consequences of vulnerability scenarios. “The CRA requires all vendors to perform mandatory testing, monitoring and documentation of the cybersecurity of their products, including testing for unknown vulnerabilities known as 'zero days'," said Jan Wendenburg, CEO of ONEKEY, a cybersecurity company based in Duesseldorf, Germany.
Know your own weaknesses
The term "zero-day" refers to newly discovered security vulnerabilities that hackers can exploit before the manufacturer or developer has had a chance to fix them, essentially giving them "zero days" to address the issue. Many manufacturers and distributors are not sufficiently aware of potential vulnerabilities in their own products. For example, in industrial control systems, these vulnerabilities can often be hidden within components containing proprietary firmware from suppliers. In general, hardware and firmware as well as all Internet of Things (IoT) devices can be affected by such vulnerabilities. With the ONEKEY Compliance Wizard, ONEKEY's cybersecurity experts offer a comprehensive cybersecurity assessment of products with digital elements. By combining automated vulnerability detection, CVE prioritisation and filtering with a holistic, interactive compliance questionnaire, the effort and cost of cybersecurity compliance processes are significantly reduced and the risk of fines is minimised. “If you don't want to be at the front of the queue for fines when the CRA starts, you need to create processes now to analyse and patch your own risks," advised ONEKEY's Jan Wendenburg.
Risk Assessment and Software Bill of Materials
A CRA assessment can be used to determine current and future compliance with CRA requirements and identify any potential need for action at an early stage. Companies can draw on the knowledge of ONEKEY's cyber security experts. Under the new requirements, manufacturers and importers must also maintain comprehensive documentation of the software and firmware components of their products. In accordance with the CRA regulations, a Software Bill of Materials (SBOM) must be created and monitored.
This means that the entire supply chain can be documented with regard to the security of products and components – including purchased components with their own firmware. These requirements can only be efficiently mapped with automation at a reasonable cost. With the ONEKEY platform, firmware can be automatically analysed for vulnerabilities and an SBOM can be generated. In future, all devices will require either a security self-declaration or external certification. “Automation can significantly reduce the effort required to prepare for self-declaration or certification. We are making this easily available with the ONEKEY platform. Now it is up to the companies to implement the necessary measures to comply with the CRA,” summarised Jan Wendenburg of ONEKEY.
About Onekey
ONEKEY is the leading European specialist in Product Cybersecurity & Compliance Management and part of the investment portfolio of PricewaterhouseCoopers Germany (PwC). The unique combination of an automated Product Cybersecurity & Compliance Platform (PCCP) with expert knowledge and consulting services provides fast and comprehensive analysis, support, and management to improve product cybersecurity and compliance from product purchasing, design, development, production to end-of-life.
CONTACT:
Sara Fortmann
Marketing Manager
sara.fortmann@onekey.com
euromarcom public relations GmbH
+49 611 973 150
team@euromarcom.de
Ready to automate your Product Cybersecurity & Compliance?
Make cybersecurity and compliance efficient and effective with ONEKEY.