Cyber resilience law and industrial environments: a regulation in time?
Although it arrives in the midst of a major international storm, better late than never. The agreed text of the Cyber Resilience Act was published on December 1, the first step towards its final approval (by the European Parliament) and publication in the Official Journal of the EU.
Once it enters into force, manufacturers, importers and distributors of hardware and software products will have 36 months to comply. That may sound like plenty of time, but many organisations will have to adapt, and a lot will have to change.
It has not been an easy road, as with any standard or regulation that involves so many countries, but the journey that began in 2020 has concluded just three years later with the regulation we review below. We focus specifically on the points that matter most for its application in industrial (OT) environments.
Key aspects of the law: scope, responsibility, management, and notification
As in any law, the fundamental aspects are the ones named in this section's title, but what exactly does the regulation say about each of them?
- Scope: besides defining the type of product the regulation applies to (literally: "all connectable products consisting of hardware and software", or "products with digital elements"), it establishes several levels for classifying products according to their criticality and the associated cybersecurity risk. Criticality is determined by considering the impact of potential vulnerabilities present in the product, while cybersecurity risk takes into account the product's cybersecurity-related functionality and its intended use in sensitive environments, such as industrial environments (explicitly mentioned in the document).
Within critical products, two classes are also established: "Class I" and "Class II". Class II contains those critical products whose vulnerabilities would have a higher impact on essential services and critical infrastructures. The same product type can therefore appear in both classes, which can cause confusion and directly involves the user of the product (the customer), since the class depends on who the product is intended for. An example from the industrial field:
Class I
"Industrial automation control systems not included in Class II, such as programmable logic controllers, distributed control systems, computerized numerical controllers for machine tools (CNC), and supervisory control and data acquisition (SCADA) systems."
Class II
"Industrial automation control systems intended for use by essential entities of the type referred to in [Annex I to Directive 2022/2555 (NIS2)], such as programmable logic controllers, distributed control systems, computerized numerical controllers for machine tools (CNC) and supervisory control and data acquisition (SCADA) systems."
As noted above, the class ultimately depends on the destination and use the customer gives these systems, so this point will be of great importance for them.
- Responsibility: rules are established that rebalance the burden of compliance towards manufacturers, who must assess the status of their product (software or hardware). Risk assessments, declarations of conformity and procedures for cooperating with the authorities when required are examples of this. The supply chain is also expressly mentioned, and those involved in it are held responsible.
Also on liability, the law complements Council Directive 85/374/EEC, which establishes rules on liability for damage caused by defective products. Under this combination, the manufacturer of a product can be held liable for damage caused by a lack of security in that product, a remarkable leap from the current paradigm.
⚠️ In addition, the manufacturer's liability could apply if the lack of security is considered to stem from a lack of updates. If these responsibilities and penalties land properly, this will mark a before and after in the matter.
All of this becomes more relevant the more critical the affected systems are, since they are more attractive to a potential attacker and the damage caused through one of them would be greater (which means a higher cost). Therefore,
The industrial field seems to be one of the most affected by the new requirements regarding liabilities.
Although industrial devices are usually robust, we must not forget that they are increasingly under attack, and their manipulation, shutdown or degradation can lead to large losses in a matter of minutes.
- Management and procedures: taking responsibility for what happens to a product requires procedures and management that allocate those responsibilities, and the possible penalties, when something is not in line with the regulation. Several concepts stand out in this area:
- A lower bound is set for the (expected) product lifetime during which security must be maintained: generically, five years. With IT and IoT devices arriving in industrial environments, this kind of measure reinforces the whole ecosystem, since industrial devices tend to have long useful lives and support is always sought to match them.
- Processes for handling detected vulnerabilities are required. This also affects importers and distributors, although manufacturers carry the lion's share of the requirement. More and more industrial device manufacturers already have their own teams for this; still, it is good news to stop taking it for granted and make it the norm.
- Measures are set to improve transparency about the cybersecurity of products for consumers, a major step forward everywhere, but especially in IoT and its industrial twin, the Industrial IoT.
- Notifications: here the law reinforces the need to notify cybersecurity incidents already highlighted in the NIS Directive (and its successor, NIS2). The notification procedure and requirements, as well as the establishment of contact points at national and EU level, are set out in this section. All of this strengthens the European cyber structure as a whole, which benefits us all.
Requiring notification also allows earlier action on critical infrastructure protection, where, as we can all sense, industrial environments are often present.
Other concepts: the importance of details
Beyond all this, the law constantly refers to other terms that are cornerstones of European cybersecurity legislation.
One of those cornerstones is the set of references to other EU regulations, which tie this law to the rest of the European framework. The law is therefore not a whole in itself, but one column within a building with many neighbours (the EU). The more columns, the stronger the building; too few or poorly placed, and problems are in sight.
The essential services and critical infrastructures of the EU member states are also mentioned throughout the document, making clear the more demanding scope the regulation has for them and the relevance it acquires within the European Union.
Other terms and concepts such as "digital operators", "digital infrastructure providers", "supply chain" or "cloud computing" also make it clear that the intention is to bring Internet access and Internet-delivered services, in general, under the umbrella of this law.
The document also refers to security by design, recognising its fundamental importance as a security property that has to hold throughout a product's lifetime.
The law also establishes that national and supranational bodies must ensure compliance with the concepts it sets out. These bodies will need their own operating procedures and internal coordination so that the evaluation of devices and their suitability is standardised across each of the areas the law covers, and likewise when a vulnerability or threat is notified, since notification should only be the first step in managing this kind of incident.
In short, the documents cover the current state of the art, give the law a broad scope, and provide it with mechanisms to regulate and adapt itself to future realities.
Haste makes waste
The European Union has been working on cybersecurity regulation for years. Although it may seem slow and late to us, the reality is that it is not easy to draw up regulations of this magnitude that work well for countries as different as those in the Union. It has been hard work and will continue to be for years to come, because technology keeps advancing and the bad guys and the good guys are locked in an eternal race (sound familiar?).
However, it is critical to lay the groundwork for a legal framework whose regulations relate to each other in a way that leaves as few holes as possible for anything to slip through. By establishing a general framework, the aim is to protect not only what is fundamental to the functioning of a country (or several countries), but also those who make use of all of it, which is the citizenry in general terms.
The new rules will apply three years after the entry into force of the legislative act, which should give manufacturers sufficient time to adapt to the new requirements. The obligation for manufacturers to report actively exploited vulnerabilities and severe incidents, however, applies earlier: 21 months after entry into force.
◾ The law documents, and more information, are available here: EU Cyber Resilience Act.
It looks like it's all done and we're just getting started.