Cyber Resilience Act bans products with known vulnerabilities

Common Vulnerabilities and Exposures (CVEs) are security gaps and weaknesses in computer systems that could allow a hacker to launch an attack. Under the forthcoming EU Cyber Resilience Act (CRA), devices may soon no longer be allowed to be supplied with known and exploitable vulnerabilities. If such vulnerabilities are present, the manufacturer, seller, or importer, along with the company's entire management, will be held liable. When it comes to cyber resilience, the legislation of the Cyber Resilience Act makes it clear that customers – both residential and commercial – have an effective right to secure software. However, the race to be the first to discover vulnerabilities continues: organisations would be well advised to implement both effective CVE detection and impact assessment now to better scrutinise their own products and protect themselves against the serious consequences of vulnerability scenarios.

“The CRA requires all vendors to perform mandatory testing, monitoring and documentation of the cybersecurity of their products, including testing for unknown vulnerabilities known as 'zero days',” said Jan Wendenburg, CEO of ONEKEY, a cybersecurity company based in Duesseldorf, Germany.

Know your own weaknesses

The term ‘zero-day’ refers to newly discovered security vulnerabilities that hackers can exploit before the manufacturer or developer has had a chance to fix them, essentially giving them ‘zero days’ to address the issue. Many manufacturers and distributors are not sufficiently aware of potential vulnerabilities in their own products. For example, in industrial control systems, these vulnerabilities can often be hidden within components containing proprietary firmware from suppliers. In general, hardware and firmware as well as all Internet of Things (IoT) devices can be affected by such vulnerabilities. With the ONEKEY Compliance Wizard, ONEKEY's cybersecurity experts offer a comprehensive cybersecurity assessment of products with digital elements. By combining automated vulnerability detection, CVE prioritisation and filtering with a holistic, interactive compliance questionnaire, the effort and cost of cybersecurity compliance processes are significantly reduced, and the risk of fines is minimised.

“If you don't want to be at the front of the queue for fines when the CRA starts, you need to create processes now to analyse and patch your own risks,” advised ONEKEY's Jan Wendenburg.

Risk assessment and Software Bill of Materials

A CRA assessment can be used to determine current and future compliance with CRA requirements and identify any potential need for action at an early stage. Companies can draw on the knowledge of ONEKEY's cybersecurity experts. Under the new requirements, manufacturers and importers must also maintain comprehensive documentation of the software and firmware components of their products. In accordance with the CRA regulations, a Software Bill of Materials (SBOM) must be created and monitored. This means that the entire supply chain can be documented with regard to the security of products and components – including purchased components with their own firmware. These requirements can only be efficiently mapped with automation at a reasonable cost. With the ONEKEY platform, firmware can be automatically analysed for vulnerabilities and an SBOM can be generated. In future, all devices will require either a security self-declaration or external certification.

“Automation can significantly reduce the effort required to prepare for self-declaration or certification. We are making this easily available with the ONEKEY platform. Now it is up to the companies to implement the necessary measures to comply with the CRA,” summarised Jan Wendenburg of ONEKEY.

ONEKEY is a European specialist in Product Cybersecurity & Compliance Management and part of the investment portfolio of PricewaterhouseCoopers Germany (PwC). The unique combination of an automated Product Cybersecurity & Compliance Platform (PCCP) with expert knowledge and consulting services provides fast and comprehensive analysis, support, and management to improve product cybersecurity and compliance from product purchasing, design, development, production to end-of-life.

Critical vulnerabilities and compliance violations in device firmware are automatically identified in binary code by AI-based technology in minutes – without source code, device, or network access. Proactively audit software supply chains with integrated software bill of materials (SBOM) generation. ‘Digital Cyber Twins’ enable automated 24/7 post-release cybersecurity monitoring throughout the product lifecycle.

The patent-pending, integrated Compliance Wizard already covers the upcoming EU Cyber Resilience Act (CRA) and existing requirements according to IEC 62443-4-2, ETSI EN 303 645, UNECE R 155, and many others. The Product Security Incident Response Team (PSIRT) is effectively supported by the integrated automatic prioritisation of vulnerabilities, significantly reducing the time to remediation. Leading international companies in Asia, Europe, and the Americas already benefit from the ONEKEY Product Cybersecurity & Compliance Platform and ONEKEY Cybersecurity Experts.