EU Cyber Resilience Act becomes a Tour de Force for the Industry

EU Cyber Resilience Act becomes a Tour de Force for the Industry

Time-to-market becomes a gamble without automated analysis routines

Düsseldorf/Germany, October 10, 2022 – All products with digital elements – from routers to smart refrigerators to televisions and, above all, any modern industrial equipment – should no longer pose cyber risks to users in the future. This is what the EU Commission is demanding, and with the Cyber Resilience Act – a law on “cyber resilience” (Download preliminary PDF version) – it is stipulating that products „with digital elements,“ such as hardware and software, must be protected against vulnerabilities that can be exploited by hackers during their full life cycle in the future. „This law will be a tour de force for the industry. The regulation is overdue and makes a lot of sense, as especially in recent months more and more such vulnerabilities have been mercilessly exploited by smart devices or used as a gateway into networks. However, the time-to-market for new products and equipment will suffer enormously from the set of rules, and without automated analysis and testing routines, the process is almost impossible to map,“ says Jan Wendenburg, CEO of ONEKEY. For the first time, the European IoT security specialist enables software-based automated analysis of binary software to detect previously unknown vulnerabilities – up to zero-day gaps.

Software bill of materials (SBOM) solves many problems  
Until recently, neither users nor producers or distributors were aware of the „ingredients“ that make up products with digital elements and network connections. This is a problem, though, because the use of third-party code is spiraling out of control. In general, software has long since ceased to be developed in a single source, but it is assembled from modules, i.e. components – whether open-source or binary-licensed software. This component construction method is used in order to lower development costs and save time. The challenge is that the components can contain components again – and so deeply nested, the own firmware can contain malware, bugs or other vulnerabilities all of which the developer is unaware. „Without a robust and reliable code review process, companies cannot be sure of the threats and have, according to the Cyber Resilience Act, one foot in the future punishable space,“ Wendenburg continues. ONEKEY is one of the few providers worldwide that can already create the SBOM (Software Bill of Materials) with an automated firmware analysis without source code, and can also continue to maintain this steadily and fully automated during updates.

Industrial control systems particularly at risk  
EU legislation also stipulates that producers must guarantee the security and integrity of components or products and systems for a period of five years or the intended life span of a product – the shorter period being relevant. Here, the ONEKEY security expert sees a need to catch up, especially in the case of industrial control systems: „IoT systems are in use in industry – in factories, in service and manufacturing – much longer, even if the producer discontinues the product after five years. Here, companies must be especially aware that the protection of the EU law ends at some point and personal responsibility begins,“ warns Jan Wendenburg of ONEKEY. Furthermore, in the near future the marketing of products with known vulnerabilities will be prohibited. This will put an end to the copy-paste engineering that is often common today and which frequently re-integrates undetected or even known bugs into new products. In the future, used components or final results must be tested to prevent old vulnerabilities from being copied into new products.

Wondering if you are Cyber Resilience Act ready?
ONEKEY’s Cybersecurity experts are ready to support you. Here, you will find more details.

About ONEKEY:
ONEKEY is a leading European specialist for automatic security & compliance analyses for devices in industry (IIoT), production (OT) and the Internet of Things (IoT). ONEKEY autonomously analyzes firmware for critical security vulnerabilities and compliance violations via automatically generated „Digital Twins“ and „Software Bill of Materials (SBOM)“ of the devices, completely without source code, device, or network access. Vulnerabilities for attacks and security risks are identified in the shortest possible time and can thus be specifically fixed. Easily integrated into software development and procurement processes, the solution enables manufacturers, distributors, and users of IoT technology to check security and compliance quickly and automatically before use, 24/7 throughout the entire product lifecycle. Leading companies, such as SWISSCOM, VERBUND AG and ZYXEL, use this platform today – universities and research institutions can use the ONEKEY platform for study purposes free of charge.