The European Parliament has adopted the Cyber Resilience Act (CRA), the EU regulation on cyber resilience. Once it has also been adopted by the Council of the EU and has entered into force, manufacturers have 36 months to implement the main requirements; the reporting obligations for actively exploited vulnerabilities and severe incidents apply earlier, after 21 months.
The CRA covers all products with digital elements, hardware and software alike, and therefore also industry and its connected production in the Industrial Internet of Things (IIoT), where devices, machines and components generate, collect and exchange data and process it in industrial control systems. Products that the CRA classes as "important products with digital elements" are listed in Annex III and are subject to a stricter conformity assessment: they include firewalls, routers, modems and switches for industrial use as well as industrial automation and control systems (IACS) such as PLCs, DCS and SCADA systems.
CRA Annex I: The specific requirements for cyber security
According to Annex I of the CRA, products with digital elements must fulfil the following essential requirements:
- A secure product development life cycle (security by design) that ensures cyber security throughout the product's entire life cycle, from design to end of support.
- Continuous vulnerability handling: cyber security risks and the components of the product are documented (including a software bill of materials), and manufacturers must report actively exploited vulnerabilities and severe incidents to ENISA and the national CSIRT, with an early warning within 24 hours of becoming aware.
- Software update management ensures that vulnerabilities in products are fixed even after the sale: security updates must be provided free of charge for the support period, which must reflect the expected service life of the product and is in general at least five years.
Products with digital elements must be protected against unauthorised access. A risk assessment determines which control mechanisms are needed, such as authentication and identity or access management. In addition, the integrity of stored, transmitted or otherwise processed data, commands, programs and configurations must be protected against manipulation that is not authorised by the user, and such manipulation must be detectable.
IEC 62443, the international series of standards for the cyber security of industrial automation and control systems, provides comprehensive guidelines and requirements that already cover many aspects addressed in the CRA: IEC 62443-4-1 describes a secure product development life cycle and IEC 62443-4-2 the technical security requirements for components. By implementing IEC 62443, both the requirements of the industry and a large part of the CRA's technical requirements can be met at the same time. One caveat: IEC 62443 is not yet a harmonised standard under the CRA, so conformity with it does not by itself give a presumption of conformity, and the CRA's reporting obligations and conformity assessment procedures must still be addressed separately.
Public key infrastructure (PKI) as the key to CRA compliance
Several of the core security requirements of the CRA, namely device identity, authenticity and integrity of software, and secure updates, can be met with a public key infrastructure (PKI), a well-established method for authenticating IoT devices and industrial control systems.
A PKI is based on asymmetric cryptography with key pairs: the private key signs (or decrypts), the public key verifies (or encrypts). Digital certificates issued by a trusted certificate authority (CA) bind a public key to an identity, so a verifier can check whom a key belongs to without prior contact with the key holder. This results in four different protective mechanisms:
- The device is given an identity: during production the manufacturer issues it a birth certificate (an initial device identifier, IDevID in IEEE 802.1AR terms) for a key pair that is stored in the device, ideally in a secure element. With it the device can authenticate itself in the network and establish a mutually authenticated, encrypted channel to backend or cloud services.
- Update management is secured with certificates: the manufacturer signs firmware updates to identify them as permissible, and the device verifies the signature against the manufacturer's signing certificate, which chains to a root certificate pinned in the device, before installing anything. Unsigned or modified images, and therefore malware, are rejected. Updates from third-party providers can likewise be authorised and controlled via certificates.
- Secure boot: before each start, the boot loader verifies the signature of the device firmware against the trusted root, so that modified code or code that does not come from the manufacturer is not executed.
- The PKI also enables secure commissioning of a new device at the operator's premises: the device authenticates itself with its birth certificate, and the operator's PKI then issues it a local device identity (LDevID in IEEE 802.1AR terms) under the operator's own CA, which the device uses for operation in the plant network.
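The following program, written for this article as an added example and not code from achelos or from any product, shows the four mechanisms above with nothing but the Go standard library: a manufacturer CA issues a birth certificate (IDevID) to a device, the manufacturer signs a firmware image, the device-side check used by secure boot and by the update handler verifies the image against the manufacturer root and rejects a tampered image or a foreign signer, and an operator CA commissions the device by validating its IDevID, demanding proof of possession of the key, and issuing an LDevID for the same key. All certificate names, the firmware bytes and the use of software-held ECDSA P-256 keys are constructed for the example; on a real device the key and the pinned manufacturer root would live in a secure element or the boot ROM, and the IDevID/LDevID terminology follows IEEE 802.1AR.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Identity is a certificate plus the private key belonging to it; the key never leaves its owner.
type Identity struct {
	Cert *x509.Certificate
	Key  *ecdsa.PrivateKey
}

// newCert issues an ECDSA P-256 certificate: parent == nil gives a self-signed CA, otherwise
// parent signs an end-entity certificate; key == nil generates a fresh key pair for the subject.
func newCert(cn string, parent *Identity, key *ecdsa.PrivateKey) (*Identity, error) {
	var err error
	if key == nil {
		if key, err = ecdsa.GenerateKey(elliptic.P256(), rand.Reader); err != nil {
			return nil, err
		}
	}
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64)) // crypto/rand.Reader does not fail
	tmpl := &x509.Certificate{
		SerialNumber: serial, Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().AddDate(5, 0, 0),
		KeyUsage: x509.KeyUsageDigitalSignature, BasicConstraintsValid: true,
	}
	signerCert, signerKey := tmpl, key // self-signed unless a parent is given
	if parent == nil {
		tmpl.IsCA, tmpl.KeyUsage = true, tmpl.KeyUsage|x509.KeyUsageCertSign
	} else {
		signerCert, signerKey = parent.Cert, parent.Key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signerCert, &key.PublicKey, signerKey)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der) // der was just produced by CreateCertificate, so this cannot fail
	return &Identity{Cert: cert, Key: key}, err
}

// verifyChain checks that leaf is currently valid and was issued under the given trust anchor.
func verifyChain(leaf, root *x509.Certificate) error {
	roots := x509.NewCertPool()
	roots.AddCert(root)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	return err
}

// signFirmware is the manufacturer's release step: an ECDSA signature over SHA-256(image).
func signFirmware(signer *Identity, image []byte) ([]byte, error) {
	digest := sha256.Sum256(image)
	return ecdsa.SignASN1(rand.Reader, signer.Key, digest[:])
}

// verifyFirmware is the check secure boot and the update handler run before accepting an image: the signing
// certificate must chain to the pinned manufacturer root and the signature must match the image bytes.
func verifyFirmware(image, sig []byte, signer, manufacturerRoot *x509.Certificate) error {
	if err := verifyChain(signer, manufacturerRoot); err != nil {
		return fmt.Errorf("signer certificate rejected: %w", err)
	}
	pub, ok := signer.PublicKey.(*ecdsa.PublicKey)
	digest := sha256.Sum256(image)
	if !ok || !ecdsa.VerifyASN1(pub, digest[:], sig) {
		return fmt.Errorf("firmware signature invalid: image modified or not signed by the manufacturer")
	}
	return nil
}

// commission models onboarding at the operator: the IDevID must chain to the manufacturer root and the device
// must prove possession of the matching private key by signing a fresh nonce; only then does the operator CA
// issue an LDevID for the same key. Both sides are modelled in one function; in a real deployment the device
// signs the nonce on its own side and the operator never sees the private key.
func commission(device *Identity, manufacturerRoot *x509.Certificate, operator *Identity) (*Identity, error) {
	if err := verifyChain(device.Cert, manufacturerRoot); err != nil {
		return nil, fmt.Errorf("IDevID rejected: %w", err)
	}
	nonce := make([]byte, 32)
	rand.Read(nonce) // crypto/rand.Read does not return an error on supported platforms
	h := sha256.Sum256(nonce)
	sig, err := ecdsa.SignASN1(rand.Reader, device.Key, h[:])
	if err != nil || !ecdsa.VerifyASN1(device.Cert.PublicKey.(*ecdsa.PublicKey), h[:], sig) {
		return nil, fmt.Errorf("device failed proof of possession")
	}
	return newCert("ldevid:"+device.Cert.Subject.CommonName, operator, device.Key)
}

func main() {
	mfr, _ := newCert("Example Manufacturer Root", nil, nil) // constructed names, not a real CA
	signer, _ := newCert("Example Firmware Signing", mfr, nil)
	device, _ := newCert("PLC-SN-000123", mfr, nil) // the device's birth certificate (IDevID)
	image := []byte("constructed firmware image v1.0")
	sig, _ := signFirmware(signer, image)
	fmt.Println("genuine image :", verifyFirmware(image, sig, signer.Cert, mfr.Cert))
	fmt.Println("tampered image:", verifyFirmware(append([]byte("x"), image...), sig, signer.Cert, mfr.Cert))
	operator, _ := newCert("Example Plant Operator CA", nil, nil)
	ldev, err := commission(device, mfr.Cert, operator)
	fmt.Println("LDevID issued :", ldev != nil, err)
}
```

Two design points are worth noting. The device trusts only the manufacturer root it was shipped with, so a valid signature from a certificate issued by any other CA is rejected before the signature is even examined; that separation is what keeps a compromised third-party CA from pushing firmware. And commissioning re-uses the device's existing key for the LDevID, so the key stored in the secure element during production continues to protect the operator-issued identity, but the LDevID chains only to the operator's CA and is deliberately not accepted by anything that trusts the manufacturer root alone.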
Secure development lifecycle for CRA-compliant development
CRA-compliant development of control units and systems, taking into account the industrial security standard IEC 62443 (in particular IEC 62443-4-1 for the development process), is achieved with a Secure Development Lifecycle (SDL) approach. Security is built into every phase of the development process, so that as few weaknesses as possible reach the final product and those discovered later can be handled systematically.
The first step is an inventory with a gap analysis to identify which CRA requirements are not yet met. This is followed by a threat and vulnerability analysis and a risk assessment as part of security requirements engineering (TARA, threat analysis and risk assessment). These form the basis for specifying the necessary security requirements. The security concept and architecture are then developed in the security architecture engineering process. Embedded security engineering ensures that the update and boot processes of the ICS components are also secure, by implementing the required cryptographic functions, ideally anchored in a hardware root of trust.
In the next step, the ICS components are tested to ensure that they comply with IEC 62443 and the product-specific security requirements. achelos provides test tools for robustness tests, code analyses and penetration tests. A subsequent product evaluation in accordance with IEC 62443 (for example against the component requirements of IEC 62443-4-2) has proven useful, as it produces evidence that can be reused for the CRA conformity assessment.
Achieving the CRA's cyber security goals with the help of IEC 62443
achelos provides professional and efficient support for the CRA compliance of ICS products, taking into account industrial security standards in accordance with IEC 62443. Our security engineers support the development of the products and ensure integrated cyber security right from the start.