Research

EU Cyber Resilience Act becomes a Tour de Force for the Industry

EU Cyber Resilience Act becomes a Tour de Force for the Industry
Sara Fortmann
Sara Fortmann
Senior Marketing Manager
TablE of contents

READY TO UPGRADE YOUR RISK MANAGEMENT?

Make cybersecurity and compliance efficient and effective with ONEKEY.

Book a Demo

Time-to-market becomes a gamble without automated analysis routines

Düsseldorf/Germany, October 10, 2022  - All products with digital elements – from routers to smart refrigerators to televisions and, above all, any modern industrial equipment – should no longer pose cyber risks to users in the future. This is what the EU Commission is demanding, and with the Cyber Resilience Act – a law on "cyber resilience" (Download preliminary PDF version) – it is stipulating that products "with digital elements," such as hardware and software, must be protected against vulnerabilities that can be exploited by hackers during their full life cycle in the future. "This law will be a tour de force for the industry. The regulation is overdue and makes a lot of sense, as especially in recent months more and more such vulnerabilities have been mercilessly exploited by smart devices or used as a gateway into networks. However, the time-to-market for new products and equipment will suffer enormously from the set of rules, and without automated analysis and testing routines, the process is almost impossible to map," says Jan Wendenburg, CEO of ONEKEY. For the first time, the European IoT/ OT security specialist enables software-based automated analysis of binary software to detect previously unknown vulnerabilities – up to zero-day gaps.

Software bill of materials (SBOM) solves many problems

Until recently, neither users nor producers or distributors were aware of the "ingredients" that make up products with digital elements and network connections. This is a problem, though, because the use of third-party code is spiraling out of control. In general, software has long since ceased to be developed in a single source, but it is assembled from modules, i.e. components – whether open-source or binary-licensed software. This component construction method is used in order to lower development costs and save time. The challenge is that the components can contain components again – and so deeply nested, the own firmware can contain malware, bugs or other vulnerabilities all of which the developer is unaware. "Without a robust and reliable code review process, companies cannot be sure of the threats and have, according to the Cyber Resilience Act, one foot in the future punishable space," Wendenburg continues. ONEKEY is one of the few providers worldwide that can already create the SBOM (Software Bill of Materials) with an automated firmware analysis without source code, and can also continue to maintain this steadily and fully automated during updates.

Industrial control systems particularly at risk

EU legislation also stipulates that producers must guarantee the security and integrity of components or products and systems for a period of five years or the intended life span of a product – the shorter period being relevant. Here, the ONEKEY security expert sees a need to catch up, especially in the case of industrial control systems: "IoT systems are in use in industry – in factories, in service and manufacturing – much longer, even if the producer discontinues the product after five years. Here, companies must be especially aware that the protection of the EU law ends at some point and personal responsibility begins," warns Jan Wendenburg of ONEKEY. Furthermore, in the near future the marketing of products with known vulnerabilities will be prohibited. This will put an end to the copy-paste engineering that is often common today and which frequently re-integrates undetected or even known bugs into new products. In the future, used components or final results must be tested to prevent old vulnerabilities from being copied into new products. 

Wondering if you are Cyber Resilience Act ready?
ONEKEY's Cybersecurity experts are ready to support you. Here, you will find more details.  

Share

About Onekey

ONEKEY is the leading European specialist in Product Cybersecurity & Compliance Management and part of the investment portfolio of PricewaterhouseCoopers Germany (PwC). The unique combination of an automated Product Cybersecurity & Compliance Platform (PCCP) with expert knowledge and consulting services provides fast and comprehensive analysis, support, and management to improve product cybersecurity and compliance from product purchasing, design, development, production to end-of-life.

CONTACT:
Sara Fortmann

Marketing Manager
sara.fortmann@onekey.com

euromarcom public relations GmbH
+49 611 973 150
team@euromarcom.de

Ready to automate your Product Cybersecurity & Compliance?

Make cybersecurity and compliance efficient and effective with ONEKEY.