EU Cyber Resilience Act & Threat Modeling

EU Cyber Resilience Act & Threat Modeling

Introduction

The primary goal of cyber resilience is to protect an entire organization. Since the consequences of a data breach can be technical, social and financial, it is imperative for any organization to prioritize cyber resilience by integrating business operations with IT.

The EU Cyber Resilience Act is a proposal for a regulation on cybersecurity for products with digital elements. The reason that led to this proposal is that these products suffer from two major problems: a low level of cybersecurity and an insufficient understanding on how to choose or use products with adequate cybersecurity properties.

The EU Cyber Resilience Act has two main objectives:

• Create conditions for the development of secure products by:

• Ensuring that hardware and software products are released with fewer vulnerabilities
• Ensure that manufacturers put sufficient effort on security throughout a product’s life cycle

• Create conditions to allow users to take cybersecurity into account when selecting and using products

IriusRisk fits perfectly to identify threats and mitigate weaknesses from the design phase and release products with fewer vulnerabilities and, at the same time, allow manufacturers to take security into account when developing products.

Additionally, the EU Cyber Resilience Act defines four specific objectives:

1. Ensure that manufacturers improve the security since the design and development phase and throughout the whole life cycle
2. Ensure a coherent cybersecurity framework, facilitating compliance for hardware and software producers
3. Enhance the transparency of security properties of products
4. Enable businesses and consumers to use products securely

Cybersecurity requirements

Annex I of the EU Cyber Resilience Act defines the essential cybersecurity requirements and the vulnerability handling requirements:

Security requirements relating to the properties of products with digital elements

1. Products shall be designed and developed with the right level of cybersecurity
2. Product shall be released without any known exploitable vulnerabilities
3. Products shall be released with the most common issues regarding cybersecurity (secure default configuration, proper IAM, logging, recurrent vulnerability scanning, protection against DDoS, etc.) solved or minimized.

Vulnerability handling requirements

Manufacturers of the products with digital elements shall:

1. Identify and document vulnerabilities and components contained in the product
2. Address and remediate vulnerabilities without delay
3. Apply effective and regular tests and reviews of the security of the product with digital elements;
4. Publicly disclose information about fixed vulnerabilities after a security update
5. Put in place and enforce a policy on coordinated vulnerability disclosure;
6. Take measures to facilitate the sharing of information about potential vulnerabilities as well as in third party components contained in that product
7. Provide for mechanisms to securely distribute updates
8. Ensure that security patches or updates are disseminated without delay and free of charge accompanied by advisory messages

Article 10, which describes the obligations of manufacturers, references Annex I in its first section and it makes clear that the first issue to tackle is the design, development and production based on these requirements.

Product with digital elements

The term “product with digital elements” appears frequently in the EU Cyber Resilience Act. This refers to any software or hardware product and its remote data processing solutions, including software or hardware components to be placed on the market separately.

“Critical product with digital elements” means a product with digital elements, as defined before, that presents a cybersecurity risk in accordance with the criteria laid down in Article 6(2) and whose core functionality is set out in Annex III.

Among the products with digital elements listed in Annex III are: password managers, network management systems, embedded browsers, firewalls, IoT products or HSMs.

Conclusions

In the current digital age, the security of data, applications and processes is paramount. Cyber ​​resilience is a concept that is rapidly gaining acceptance. It is a broad umbrella that includes information security, IT infrastructure, business processes and organizational continuity.

Having products that are “secured by design with IriusRisk” can help companies and consumers to identify which products in the market are secure enough. IriusRisk provides companies the opportunity to prove that they took security into account from the beginning of the development of a product.

References: https://digital-strategy.ec.europa.eu/en/library/cyber-resilience-act

‍