11.10.2024 09:59
Research/knowledge transfer, organizational matters
Note on the use of image material: The use of the image material for the press release is permitted free of charge provided the source is mentioned. The images may only be used in connection with the content of this press release. If you need the image in a higher resolution or have any questions about further use, please contact the press office that published it directly.
In its Secure Engineering Lab in Paderborn, Fraunhofer IEM supports companies in adapting their processes and products to the new EU guidelines.
| Those:
Fraunhofer IEM
| Copyright:
Fraunhofer IEM
| Download
The Cyber Resilience Act (CRA) was announced for a long time, now it is official: it was passed on October 10, 2024. This means that from November 2027, new EU-wide minimum requirements in terms of security will apply to a large number of networked devices and their software – vulnerability reporting obligations will even apply from August 2026. Product manufacturers in particular will be held responsible: They must ensure that their products meet the safety criteria for the European market, with a few exceptions, regardless of the industry.
Fraunhofer IEM has been developing security measures with companies such as adesso mobile solutions, Connext, Phoenix Contact and Kraft Maschinenbau for many years – and gives tips on how companies can prepare for the CRA. “The transition period until the CRA 2027 must be fully complied with is short. Companies have to reposition themselves in many areas – from conducting security risk analyzes to short-term reporting obligations when vulnerabilities become known to free security updates during the expected lifespan of the product. And delaying is not an option, because failure to comply with the CRA could result in fines running into the millions,” explains Dr. Matthias Meyer, Head of Software Technology and IT Security at Fraunhofer IEM.
The research institute recommends that companies now take three steps to begin the path to CRA-compliant product development. “Rapid response to the discovery of vulnerabilities and systematic risk analyzes are essential measures for meeting CRA requirements: Companies that take these measures now are already doing very well. In addition, an analysis of the current status with regard to the products and processes provides clarity for further action,” emphasizes Dr. Meyer.
First: setting up a rapid response team for emergencies
If manufacturers become aware that vulnerabilities in their products are being exploited, they will in future have to inform the European Union Agency for Cybersecurity (ENISA) immediately: They must give an initial warning within 24 hours and further details about the nature of the vulnerability within 72 hours. possible countermeasures and more. Apart from that, they must be accessible at all times to people who would like to report security gaps and keep an eye on whether vulnerabilities in a supplied software component become known. This is one of the tasks of a Product Security Incident Response Team (PSIRT): Manufacturers who have not yet established a PSIRT should urgently deal with this, because the duties mentioned must be fulfilled from June 2026, for all products on the market , including those that were launched long before the CRA came into force.
Second: threat and risk analyzes as a central tool
Essentially, the CRA requires that manufacturers regularly analyze their products for security risks and integrate security measures adapted to these risks. Companies must integrate the carrying out of threat and risk analyzes for all products into the development process: In this way, they systematically identify threats, evaluate the respective security risk and derive informed and targeted protective and countermeasures. The security level of the software can therefore be increased continuously and, above all, appropriately. Developers gain a new security awareness and expensive but actually unnecessary measures are even avoided.
Third: Overview through current status analysis
The first two measures are important, but will not be enough: Companies need to get an idea of which CRA requirements they meet, both in terms of their product life cycle processes and the specific products. Even if there are no harmonized standards for the CRA yet, experts agree that the existing standard for industrial cybersecurity IEC 62443 provides very good guidance. Companies do not have to wait, but can now carry out current status analyzes for their processes and products and derive measures and thus gain valuable time in implementing the CRA.
Collaboration with Phoenix Contact, Miele and other companies
The expertise of Fraunhofer IEM is based on many years of project experience with companies. In 2018, the scientists supported Phoenix Contact in becoming one of the first companies to be certified according to the cybersecurity standard IEC 62443-4-1 by developing a threat and risk analysis method adapted to Phoenix Contact.
Since then, Fraunhofer IEM has continually developed the method and used it in numerous threat analysis workshops and training courses, e.g. B. with Kraft mechanical engineering. “We not only benefit from a risk assessment for our products. In the workshop with Fraunhofer IEM, our employees also learned a systematic approach for future threat analyzes and increased their security awareness,” says Managing Director Jörg Timmermann.
To ensure that its long-lasting products remain safe even after their market launch, Miele set up its own PSIRT team, the Fraunhofer IEM, in 2021. Through stakeholder interviews, it was possible to build on existing company processes and create clearly defined process interfaces.
In preparation for the industrial cybersecurity standard IEC 62443, KEB determined the current status of its development processes. To this end, Fraunhofer IEM conducted interviews with the company’s managers and safety experts and helped KEB plan further activities necessary to implement the standard, estimate the effort involved and systematically advance the implementation of the standard.
To ensure that all employees involved in software development stay up to date and constantly improve their software development, Fraunhofer IEM also works in the area of employee training, for example with adesso mobile solutions and Connext. Both companies have been using security champions as multipliers for the topic of cybersecurity in their software development for many years.
Scientific contact person:
Dr. Matthias Meyer ([email protected])
Dr. Markus Fockel ([email protected]
Further information:
