The Cyber Resilience Act (CRA), which is being drafted together with industry, is intended to ensure greater security for digital products. The CRA is intended to require by law that all products used in the EU which are used digitally, even to a certain extent, are secure. This applies not only to production and delivery, but also to the entire life cycle of a product.
This means that manufacturers must ensure that there are security updates for the products, which users can install to subsequently close any security gaps that are found. In industry and in the professional environment, this is usually already the case.
However, the CRA also covers devices used in smart homes. In addition to WLAN cameras, baby monitors, smart thermostats, smart door locks and toys, IoT devices in all areas, both private and professional, must also be protected. The responsibility for this lies with the manufacturer, who must support end users in using the products safely throughout the entire life cycle of the products.
The IoT is growing and thriving, but dangers are looming
The need for the CRA is demonstrated by the growth of the Internet of Things (IoT) alone. Statistics suggest that more than 75 billion IoT devices will be in use by 2025. The figures clearly show that the IoT and digitalization have reached a high degree of penetration throughout society – and with it comes a high risk potential.
More than a third of all companies now use devices that are controlled remotely via the Internet of Things. These devices perform a wide range of tasks and are used as technologies for energy management, machine maintenance, tracking customer behavior and for production processes.
In addition, one third of all private households use networked devices to control lighting, for alarm systems, digital locking systems and for video surveillance. Many heating systems are also connected to the Internet. The number of cyberattacks is increasing at the same rate, and even faster than predicted.
So it is high time to react. The CRA is intended to create the framework so that in the future we will be able to control and use even more devices on the move without having to sacrifice the necessary security.
The demands on products are increasing
The safety challenges directly addressed by the CRA also increase the demands placed on products. Manufacturers must ensure that their products are as secure as possible right from the design stage. The security-by-design approach already applies to many products in the professional environment. In the future, all products should already be optimized for security during development, production and, of course, later operation, supported by regular updates.
This is one of the central areas of the CRA: companies must make it possible for end users to update their products throughout the entire lifecycle. To do this, many producers must first create internal structures for developing updates and providing them across the lifecycle of products in the future.
Vulnerability management is not included in all products, but will be necessary in the future. Companies will have to plan and calculate the effort required for this and set up the corresponding infrastructure. Vulnerability management also has the task of supporting the discovery of security gaps so that vulnerabilities can be identified more quickly.
The potential for danger in cyberspace is growing
Due to the constantly increasing number of links between our world and the Internet, not only are the benefits increasing in various places, but so is the potential for danger. One example is stalkingware. Stalkingware is malware that installs itself on the victim’s device and then gives access to all functions and data.
The only way to protect oneself is to use maximally secured end devices with up-to-date software that is also regularly updated. End users should be prepared for this and take advantage of the new security optimizations.
This includes secure operation of the end devices and updating the firmware of privately used devices. In companies, administrators take on this task; at home, everyone has to do it themselves. Manufacturers must optimize their products so that they are as easy to operate and update as possible, while remaining as secure as possible.
There are challenges in the future
Of course, the CRA cannot ensure comprehensive security in all products, and it will take years for companies to build vulnerability management for all their digital products. New firmware is not a panacea for using a product securely.
In the future, security functions such as Secure Access Service Edge (SASE) will play an increasing role in this area. This is a modern security concept for network infrastructures. A service provider takes care of all the security services and functions of a cloud network. SASE is not so much a new technology as a holistic approach.
As defined by Gartner in 2019, SASE connects and secures all enterprise entities. With this approach, manufacturers can secure the virtual network between vulnerability management and connected IoT devices, ensuring that the protection of the environment happens right where the attacks happen: in cyberspace.