Blog - swIDch

Impact of the Cyber Resilience Act (CRA) on the Operational Technology (OT) Sector

Written by Vinny Sagar | Aug 04 2025

The Cyber Resilience Act (CRA) is poised to significantly reshape the landscape of cybersecurity for products with digital elements, particularly within the Operational Technology (OT) sector. This document outlines the key implications of the CRA for OT, the certification requirements for Original Equipment Manufacturers (OEMs), and the anticipated timelines for compliance. 


Overview of the Cyber Resilience Act (CRA)

The CRA aims to enhance the cybersecurity of hardware and software products by imposing new obligations on manufacturers, importers, and distributors. Its primary goal is to ensure that products placed on the EU market are secure throughout their lifecycle, from design to end-of-life. We wrote a separate article on the CRA, its requirements and its product classification, which you can read here. This article focuses on the CRA and its impact on the OT sector. 


Impact on the OT Sector

The OT sector, encompassing critical infrastructure and industrial control systems, is particularly vulnerable to cyberattacks due to its interconnected nature and the potential for severe physical and economic consequences. The CRA's emphasis on product security will have a profound impact on how OT devices are designed, deployed, and maintained.

Key impacts include:

  • Increased Security by Design: Manufacturers of OT components will be required to integrate cybersecurity considerations from the initial design phase, rather than as an afterthought. This includes secure-by-default configurations, vulnerability management processes, and secure software development practices.
  • Enhanced Transparency and Information Sharing: The CRA mandates that manufacturers provide clear and comprehensive information to users regarding the security features of their products, known vulnerabilities, and available updates. This will foster greater transparency within the OT ecosystem.
  • Broader Scope of Products Covered: The CRA will cover a wide range of OT products, including programmable logic controllers (PLCs), distributed control systems (DCS), supervisory control and data acquisition (SCADA) systems, and other industrial automation and control systems (IACS) components.
  • Incident Reporting Obligations: Manufacturers will be required to report actively exploited vulnerabilities and serious incidents to the European Union Agency for Cybersecurity (ENISA) and relevant national authorities. This will improve situational awareness and enable faster responses to emerging threats.
  • Long-term Support and Updates: The CRA emphasizes the need for manufacturers to provide ongoing security updates and support for their products throughout their expected lifespan, addressing the long operational lifecycles often seen in OT environments.


OEM Certification Requirements

The process for an OT OEM to achieve CRA conformity follows a systematic approach, centered on a conformity assessment procedure and continuous adherence to the regulation's requirements. The specific steps and the level of third-party involvement depend on the classification of the product according to its cybersecurity risk.


Phase 1: Initial Assessment and Preparation

1. Determine CRA Applicability:
    • Is your product a "product with digital elements"? The CRA applies to any hardware or software that has a direct or indirect logical or physical connection to a device or network, or is intended to be used in that way. This broadly covers most modern OT devices.
    • Are there any exemptions? Certain products already covered by other specific EU regulations (e.g., medical devices, automotive products already under UN R155 and GSR, certain aviation products) might be partially or fully exempt. However, even if an OT product falls under another regulation, it's crucial to check for potential overlaps or gaps that the CRA might still address.
2. Classify Your Product:

The CRA categorizes products into different risk classes, which dictate the required conformity assessment procedure:

    • Default (Non-Important) Products: Lowest risk.
    • Important Products (Class I): Higher risk (e.g., identity management systems, standalone browsers, password managers, VPNs).
    • Important Products (Class II): Even higher risk (e.g., hypervisors, container runtime systems, firewalls, intrusion detection/prevention systems, tamper-resistant microprocessors/microcontrollers).
    • Critical Products: Highest risk (e.g., hardware devices with security boxes, smart meter gateways, devices for advanced secure cryptoprocessing).

OT OEMs will likely find many of their products falling into the "Important" or "Critical" categories due to their role in critical infrastructure and industrial processes.
3. Understand the Essential Requirements:

The CRA outlines two main sets of essential requirements:

    • Cybersecurity requirements relating to the properties of products: This covers "security by design," secure configurations, protection of data, system integrity, access control, and exploitation mitigation.
    • Vulnerability handling requirements: This includes identifying and documenting vulnerabilities (e.g., using SBOMs), establishing robust vulnerability disclosure processes, and providing timely security updates and support throughout the product's expected lifetime.
4. Conduct a Comprehensive Risk Assessment:
    • This is a foundational step. You must identify and document cybersecurity risks associated with your product's intended purpose, foreseeable use, operational environment, and the assets it will protect.
    • This assessment should inform the design and development choices to ensure an appropriate level of cybersecurity.
5. Implement Security by Design and by Default:
    • Integrate cybersecurity measures throughout the entire product lifecycle, from initial design to end-of-life.
    • Ensure products are shipped with secure default settings and provide mechanisms for users to revert to a secure state.
    • Minimize attack surfaces and implement state-of-the-art security practices.
6. Establish Vulnerability Management Processes:

Develop and implement robust processes for identifying, documenting, assessing, and remediating vulnerabilities. This includes:

    • Creating and maintaining a Software Bill of Materials (SBOM) for all components, including third-party and open-source software.
    • Setting up clear channels for vulnerability reporting (e.g., a vulnerability disclosure policy).
    • Having processes for developing and distributing security updates in a timely manner.
    • Defining the duration of security support for your products.


Phase 2: Conformity Assessment Procedures (Based on Product Classification)

The CRA specifies different conformity assessment procedures based on the product's risk classification (Annex VIII):

1. For Default (Non-Important) Products:

Internal Control Procedure: The manufacturer can perform a self-assessment. This involves:

    • Ensuring and declaring, on your sole responsibility, that the product meets all essential requirements.
    • Establishing comprehensive technical documentation (Annex VII), detailing the product's design, development, production, risk assessment, and vulnerability handling processes.
    • Drawing up an EU Declaration of Conformity (DoC).
    • Affixing the CE marking to the product.
2. For Important Products (Class I):
    • Option 1 (Self-Assessment with Harmonized Standards/Certification): If the manufacturer fully applies harmonized standards, common specifications, or European cybersecurity certification schemes identified by the Commission, they can still use the Internal Control Procedure (Module A).
    • Option 2 (Third-Party Assessment): If harmonized standards are not fully applied, or if the manufacturer chooses to do so, it must involve a Notified Body through one of the following procedures:
      • EU-Type Examination (Module B) followed by Conformity to EU-Type based on Internal Production Control (Module C): The Notified Body examines the technical design and development of the product and its vulnerability handling processes. Once approved, the manufacturer ensures that subsequent production conforms to the approved type.
      • Conformity based on Full Quality Assurance (Module H): This involves a comprehensive assessment of the manufacturer's quality management system, covering design, development, production, and vulnerability handling. The Notified Body audits the system.
3. For Important Products (Class II):

Mandatory Third-Party Assessment: For these higher-risk products, third-party assessment by a Notified Body is always required, even if harmonized standards are applied. The available procedures are the same as for Class I products where third-party involvement is necessary (Module B+C or Module H).

4. For Critical Products:
    • Mandatory European Cybersecurity Certification: Manufacturers of critical products must obtain a European cybersecurity certificate under a scheme adopted pursuant to the EU Cybersecurity Act (Regulation (EU) 2019/881).
    • Alternatively, they can follow the same third-party conformity assessment procedures as Important Products (Class II) (Module B+C or Module H).

Phase 3: Post-Market Obligations and Ongoing Compliance

1. Maintain Technical Documentation and EU DoC:

Keep these documents for 10 years after the product is placed on the market (or for the entire support period, whichever is longer) and make them available to market surveillance authorities upon request.

2. Affix CE Marking:

Ensure the CE marking is visible, legible, and indelible on the product, its packaging, and accompanying documentation.

3. Incident Reporting:
    • Manufacturers must notify ENISA and national CSIRTs within 24 hours of becoming aware of any actively exploited vulnerabilities or serious cyber incidents affecting their products.
    • Detailed reports are required within 72 hours, and final reports within 14 days or one month, depending on severity.
4. Continuous Vulnerability Management and Updates:

Continue to monitor for vulnerabilities, issue security updates, and provide security support throughout the product's lifecycle (or the specified support period, e.g., 5 years or longer for OT).

5. Cooperate with Authorities:

Be prepared to cooperate with market surveillance authorities regarding any measures taken to eliminate risks posed by your product.

6. Provide Information to Users:

Ensure clear and comprehensive instructions, warnings, and information about cybersecurity aspects are provided to users.


Timelines for Compliance

The CRA is expected to enter into force in the near future, with a phased implementation approach. While the exact dates may be subject to finalization, the general timeline for compliance will likely involve:

OEMs in the OT sector should proactively prepare for these changes by conducting internal assessments, investing in secure development practices, and establishing robust vulnerability management programs. Early preparation will be crucial to ensure a smooth transition and compliance with the Cyber Resilience Act.



--------------------

Author: Vinny Sagar, Field Strategist, swIDch

With over 15 years of experience in pre-sales, consulting and software development in the Identity and Cyber Security space, Vinny has helped many clients across various industries and regions to design and deploy Zero Trust solutions that meet their specific needs and challenges.
