Secure by Design: Compliance with the EU Cyber Resilience Act

Industry Insights

August 9, 2024

Key Takeaways: 

  • Cyber Resilience Act (CRA): Enacted by the European Parliament to enhance cybersecurity for digital products, including certain vehicles.
  • Scope of CRA: Applies to off-road vehicles such as construction and mining equipment, boats, and agricultural equipment; on-road vehicles covered by UNECE WP.29 R155 and R156 are excluded.
  • Compliance Requirements: Manufacturers must adopt secure software practices, continuous vulnerability monitoring, and prompt security updates.
  • CRA Annexes: Outline requirements for cybersecurity design, user information, product classification by risk, technical documentation, and conformity assessment procedures.
  • Enforcement: Managed by market surveillance authorities with potential penalties for non-compliance, including fines, recalls, or market bans.
  • Vehicle Data Monitoring and OTA Updates: Critical for compliance; ensures security updates are delivered, vulnerabilities are monitored, and incidents are reported swiftly.
  • How Sibros Helps: Offers end-to-end encryption, security key management, continuous vehicle data monitoring, and secure OTA updates in one system.

Ongoing advances in technology and their inherent vulnerabilities make ensuring the cybersecurity of connected devices and systems more critical than ever before. The Cyber Resilience Act (CRA) stands as a pivotal regulation aimed at enhancing the cybersecurity of products with digital elements, including certain vehicles. This blog explores the intricacies of the CRA, its implications for Original Equipment Manufacturers (OEMs), and the importance of adopting a connected vehicle solution that can detect and address vulnerabilities to facilitate compliance. 

The CRA Explained

The Cyber Resilience Act was adopted by the European Parliament on March 12, 2024. It seeks to address the low level of cybersecurity in hardware and software products by creating a unified cybersecurity framework across all member states. Manufacturers must address the entire lifecycle of their digital products, from design through to decommissioning. The CRA emphasizes the need for robust security measures and mandates that manufacturers implement cybersecurity and vulnerability handling processes to ensure product safety and data protection for users. The regulation also places obligations on importers and distributors to ensure that all relevant products meet the cybersecurity requirements.

While the CRA can apply to connected vehicles, which increasingly rely on software and connectivity for their operation, it does not cover vehicles that fall under the jurisdiction of UNECE WP.29 R155 and R156. It does, however, apply to vehicles outside the scope of R155 and R156, which focus mainly on on-road vehicles. Construction and mining equipment, boats, agricultural equipment, and other off-road vehicles that incorporate digital controls, telematics, and other connected systems do fall under the CRA. Given their complex and interconnected systems, these vehicles face cybersecurity risks similar to those of on-road vehicles.

CRA Requirements for Off-road Vehicle Manufacturers

CRA requirements include secure software development practices, continuous monitoring for vulnerabilities, and swift response protocols, including security updates, for addressing identified threats. The CRA Annexes outline the specific requirements that off-road vehicle manufacturers must consider.

Essential Cybersecurity and Vulnerability Handling Requirements (Annex I)

Annex I outlines the cybersecurity requirements that must be met, including the procedures manufacturers must follow to identify, document, and address vulnerabilities in their products. It focuses on secure design, development, and production, stating that vehicles must be:

  • Designed, developed, and produced to ensure an appropriate level of cybersecurity.
  • Delivered without known exploitable vulnerabilities.
  • Delivered with a secure-by-default configuration and protected against unauthorized access.
  • Designed to ensure the confidentiality, integrity, and availability of data.
  • Designed to minimize data processing and the impact on other devices and services.
  • Designed to limit attack surfaces and to include mechanisms that mitigate exploitation.
  • Accompanied by security-related information, with vulnerabilities addressable through security updates.

Additionally, manufacturers shall:

  • Identify and document vulnerabilities and components.
  • Address and remediate vulnerabilities promptly, including security updates.
  • Regularly test and review vehicle security.
  • Publicly disclose information about fixed vulnerabilities.
  • Enforce a policy on coordinated vulnerability disclosure.
  • Facilitate the sharing of information about potential vulnerabilities.
  • Securely distribute updates to fix or mitigate vulnerabilities promptly.

User Information and Instructions (Annex II)

This annex outlines the information and instructions that must accompany products to ensure that users are adequately informed about the product's cybersecurity features, potential risks, and safe usage practices. It requires the disclosure of detailed information such as manufacturer contact details, security environment, essential functionalities, known risks, and instructions for secure use. Additionally, manufacturers must provide a software bill of materials and an EU declaration of conformity.

Critical Products with Digital Elements (Annex III)

This annex classifies products into Class I and Class II based on cybersecurity risk levels. Examples of Class II critical components that are relevant to vehicles include:

  • Operating systems for vehicle control units
  • Network management systems within the vehicle
  • Remote access/sharing software for vehicle diagnostics
  • Microprocessors and secure vehicle systems elements

EU Declaration of Conformity (Annex IV)

Annex IV describes the EU Declaration of Conformity, which manufacturers must provide to confirm their product meets the essential cybersecurity requirements. It includes product identification, manufacturer details, applied standards, and references to conformity assessment procedures.

Contents of the Technical Documentation (Annex V)

Annex V details the required contents of the technical documentation that manufacturers must prepare and maintain to demonstrate compliance with the essential cybersecurity requirements for products with digital elements. This documentation is crucial for the conformity assessment procedures outlined in Annex VI.

Manufacturers must maintain detailed technical documentation that covers every aspect of the product's design, development, production, vulnerability handling, and compliance with the cybersecurity requirements, including:

  • Design
  • Development
  • Production
  • Vulnerability handling processes
  • Risk assessment
  • Applied standards
  • Cybersecurity certification schemes applied to the product
  • Test reports
  • EU declaration of conformity

This technical documentation must be comprehensive and readily available for inspection by market surveillance authorities for at least 10 years after the product is placed on the market.

Conformity Assessment Procedures (Annex VI)

Annex VI outlines the conformity assessment procedures that manufacturers must follow to ensure their products with digital elements meet the essential cybersecurity requirements. The annex provides a detailed framework for the different types of conformity assessment, including internal control, EU-type examination, conformity to type, and full quality assurance.

Internal Control

This procedure allows manufacturers to declare on their sole responsibility that their products comply with the essential requirements without involving a notified body. Manufacturers must: 

  • Prepare technical documentation that includes a general description of the product, design and development details, vulnerability handling processes, risk assessments, applied standards, and test reports.
  • Take all necessary measures to ensure compliance throughout the product's lifecycle.
  • Affix the CE marking to each product that satisfies the requirements.
  • Draw up and maintain a declaration of conformity for each product, which should be kept for 10 years and made available to authorities upon request.

EU-type Examination

This procedure involves a notified body examining the technical design and development of a product and the manufacturer's vulnerability handling processes.

  • The manufacturer submits an application to a notified body, including technical documentation and supporting evidence.
  • The notified body examines the technical design and development of the product, including vulnerability handling processes.
  • The notified body prepares a report detailing the assessment activities and outcomes.
  • The notified body issues an EU-type examination certificate if the product meets the essential requirements; the certificate records details of the manufacturer, the product, and the conditions of its validity.
  • The notified body monitors the product to ensure ongoing compliance.

Additional Conformities

Manufacturers must ensure that production is consistent with the approved type described in the EU-type examination certificate. This includes affixing the CE marking to each product in conformity with the approved type and maintaining the declaration for each product model for 10 years.

They must also inform the notified body of any changes to the quality system, which must be assessed and approved, as well as perform periodic audits to verify the quality system's effectiveness and compliance.

CRA Deadlines and Due Dates

As mentioned, the European Parliament approved the CRA on March 12, 2024, and it is expected to be published in the Official Journal by Autumn 2024. To give manufacturers time to adapt, most of the CRA's provisions will become applicable 36 months after its entry into force, which means compliance will be required by late 2027. The exception is reporting obligations for severe incidents and actively exploited vulnerabilities which will become enforceable 21 months after the CRA's entry into force, anticipated around mid-2026.

Cyber Resilience Act Impacts OEMs

This increased focus on security and transparency presents several challenges for OEMs in the affected sectors. The first is the ability to update components on the vehicle effectively and safely in order to address and protect against novel security threats. Manufacturers must be prepared to update every part of the vehicle, since any unpatched part can harbor an unanticipated vulnerability. For example, suppose the tire pressure monitoring system on a tractor is not updated with the latest security patch. Although it is not considered a safety-critical ECU, the sensor in that system uses a wireless connection that attackers can exploit to reach the rest of the vehicle. In other words, compromising one module compromises the entire vehicle.

In addition to comprehensive OTA updates, OEMs need a way of monitoring attempted attacks to help identify places where extra security is needed. Lastly, off-road vehicle manufacturers need to ensure that the OTA solution itself does not serve as a point of vulnerability. As such, thorough testing and validation of OTA updates are crucial to avoid introducing new vulnerabilities or disrupting device functionality.
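Annex I's requirement to securely distribute updates and the point above that the OTA channel must not itself become a vulnerability both come down to what the vehicle checks before it writes an image to flash. The Go program below is an added example written for this article; it is not Sibros' code and not any OEM's real update format. It assumes a manufacturer-held Ed25519 signing key (standing in for the HSM-held key described in the Key Features section), a small JSON manifest whose field names are chosen here, a constructed firmware payload, and an installer that knows its own ECU name and currently installed version. The verifier checks the manifest signature, the target ECU, an anti-rollback version rule, and the payload hash, in that order.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// Manifest describes one OTA image. The field names are assumptions made for
// this example, not a real manufacturer's update format.
type Manifest struct {
	Target     string `json:"target"`      // ECU the image is built for
	Version    uint64 `json:"version"`     // must increase monotonically per target
	PayloadSHA string `json:"payload_sha"` // hex SHA-256 of the image bytes
}

// Distinct errors so the installer can log the exact reason an update was refused.
var (
	ErrBadSignature = errors.New("manifest signature invalid")
	ErrWrongTarget  = errors.New("manifest is for a different ECU")
	ErrRollback     = errors.New("update version is not newer than the installed version")
	ErrPayloadHash  = errors.New("payload hash does not match the signed manifest")
)

// canonicalBytes is the exact byte string that gets signed. encoding/json
// emits struct fields in declaration order, so signer and verifier agree.
func canonicalBytes(m Manifest) ([]byte, error) {
	return json.Marshal(m)
}

// BuildManifest is the signer-side helper that fills in the payload hash.
func BuildManifest(target string, version uint64, payload []byte) Manifest {
	sum := sha256.Sum256(payload)
	return Manifest{Target: target, Version: version, PayloadSHA: hex.EncodeToString(sum[:])}
}

// SignManifest is the manufacturer-side step. In production the private key
// never leaves the HSM; here an in-memory Ed25519 key stands in for it.
func SignManifest(priv ed25519.PrivateKey, m Manifest) ([]byte, error) {
	b, err := canonicalBytes(m)
	if err != nil {
		return nil, err
	}
	return ed25519.Sign(priv, b), nil
}

// VerifyUpdate is the vehicle-side gate run before any flash write.
// Order matters: authenticate the manifest first, then apply its policy
// (target, anti-rollback), and only then hash the possibly large payload
// against a value that is now known to be manufacturer-signed.
func VerifyUpdate(pub ed25519.PublicKey, m Manifest, sig, payload []byte, myTarget string, installed uint64) error {
	b, err := canonicalBytes(m)
	if err != nil {
		return err
	}
	if !ed25519.Verify(pub, b, sig) {
		return ErrBadSignature
	}
	if m.Target != myTarget {
		return ErrWrongTarget
	}
	if m.Version <= installed {
		return ErrRollback
	}
	want, err := hex.DecodeString(m.PayloadSHA)
	sum := sha256.Sum256(payload)
	if err != nil || !bytes.Equal(sum[:], want) {
		return ErrPayloadHash
	}
	return nil
}

func main() {
	// Constructed demo: one signing key, one image, one ECU currently at version 1.
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	image := []byte("constructed TPMS firmware image, version 2")
	m := BuildManifest("tpms-ecu", 2, image)
	sig, _ := SignManifest(priv, m)

	fmt.Println("genuine update:", VerifyUpdate(pub, m, sig, image, "tpms-ecu", 1))
	fmt.Println("replayed old version:", VerifyUpdate(pub, m, sig, image, "tpms-ecu", 2))
	fmt.Println("altered image:", VerifyUpdate(pub, m, sig, []byte("altered"), "tpms-ecu", 1))
	edited := m
	edited.Version = 99 // changed after signing, so the signature no longer matches
	fmt.Println("edited manifest:", VerifyUpdate(pub, edited, sig, image, "tpms-ecu", 1))
}
```

The ordering in VerifyUpdate is the part worth copying: nothing in the manifest is trusted until its signature checks out, the version comparison blocks replay of an older signed image that carries a known vulnerability, and the payload hash ties the bytes actually received to the manifest the manufacturer signed. Pairing this with mutual TLS on the transport protects the download, but the on-device signature check is what keeps the update channel from becoming the weak point if the transport or the distribution server is ever compromised.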

What Does Enforcement Look Like?

The enforcement of the Cyber Resilience Act (CRA) will be managed by market surveillance authorities in each EU member state. These authorities will conduct regular checks and audits on manufacturers to verify compliance, including inspecting technical documentation and assessing the security of digital elements. They have the power to request evidence of compliance from manufacturers, importers, and distributors. 

Non-compliance with the CRA can result in significant penalties, such as fines, product recalls, or bans on placing non-compliant products on the market. The severity of penalties depends on the nature and extent of the non-compliance, with severe breaches attracting higher fines and stricter sanctions. Additionally, non-compliance can damage a company’s reputation and lead to a loss of consumer trust.

Manufacturers are also required to report severe incidents and actively exploited vulnerabilities to the relevant authorities, such as the European Union Agency for Cybersecurity (ENISA), within a specified timeframe. This reporting helps authorities monitor and respond to emerging cybersecurity threats and ensures that manufacturers address vulnerabilities promptly. Regular security audits and assessments are essential to ensure that cybersecurity measures remain effective and compliant with the CRA's requirements.

How to Achieve Compliance with CRA

Achieving compliance with the CRA requires a strategic approach encompassing secure design, effective risk management, and continuous improvement. Sibros’ Deep Connected Platform product suite is designed to help OEMs across all vehicle sectors meet stringent requirements while maintaining a high level of security. Sibros' products are developed with a secure-by-design philosophy, ensuring that security is integrated into every aspect of the product life cycle. Unlike many OTA solutions, Sibros emphasizes robust security measures from the ground up to provide OEMs with a reliable path to compliance. 

Key Features of Sibros Solutions

  1. End-to-End Encryption: Sibros utilizes mutual TLS for secure communications, ensuring data integrity and confidentiality during transmission. This is crucial for maintaining secure in-vehicle communications and secure delivery of updates.
  2. Comprehensive Key Management: Secure key handling and management are integral to Sibros' solutions, utilizing Hardware Security Modules (HSM) for key storage and management. This includes secure key handling for OTA updates, firmware integrity, and secure communications.
  3. Continuous Monitoring and Vulnerability Management: Sibros' Deep Logger solution includes continuous monitoring capabilities to detect vulnerabilities and attack attempts and Deep Updater provides the means of immediate attack mitigation. 
  4. Robust Incident Response: Sibros provides a structured incident response framework, enabling OEMs to quickly address and remediate security breaches. This includes coordinated vulnerability disclosure policies and mechanisms for secure distribution of updates.
  5. Streamlined Technical Documentation: Track vehicle features, attributes, update status, risk assessments, and more via Deep Logger. Access information in Sibros’ user-friendly dashboard to help streamline compliance documentation.

Prepare for CRA with Sibros

The Cyber Resilience Act sets a new standard in cybersecurity for connected devices and vehicles, necessitating a proactive and comprehensive approach to compliance. Off-road vehicle OEMs must integrate secure design principles and robust security measures into their product development processes. Sibros' solutions are trusted by OEMs around the globe not only to meet regulatory requirements but also to enhance the overall security posture of their connected vehicles. Test drive our solutions today.

Steve Schwinke
Steve Schwinke is the VP of Customer Engagement at Sibros, working closely with OEMs and Tier One suppliers to accelerate their connected vehicle solutions. He is a senior Connected Experience Executive who goes beyond the obvious solutions, delivering impactful results by building highly effective teams, applying design thinking, and unleashing individuals' full potential. He holds a Bachelor of Science in Electrical Engineering from the University of Michigan (Ann Arbor) and a Master of Science in Wireless Communication Systems from Santa Clara University, and has been granted 34 patents in the area of telematics and connected vehicles. His cultural values include obsessively building trust, delivering on commitments, constructive conflict, and recognizing others.