IoT Security in EU: The Cyber Resilience Act Explained
The European Commission proposed its Cyber Resilience Act (CRA) in September 2022, in a bid to standardise security requirements for products with digital elements placed on the EU market. It could pave the way for similar laws for IoT across the world.
The current IoT security framework is scattered. Some laws are in place, but they differ by jurisdiction and are often inadequate. Many organisations across the world are now making an effort to change this. Connected devices are a treasure trove of potential, and with that potential comes security risk: the more connected the world becomes, the more opportunities for attacks and the more vulnerabilities to exploit.
The Cyber Resilience Act is a positive step towards standardising security measures and protocols for digital products in general and for IoT in particular.
Let us take a look at the key factors of the act and what it implies.
Key requirements of the Cyber Resilience Act
The Cyber Resilience Act, 2022 is an important step towards setting security standards in the digital space, so it is worth understanding what the Act actually requires. European Commission President Ursula von der Leyen said,
“With the economy and society relying more and more on digital solutions, it is crucial to ensure that we can defend ourselves in a world increasingly prone to the hacking of connected products and associated services”
The Cyber Resilience Act has a few key requirements which make it crucial for IoT development and security.
Part one: Manufacturing
The Act requires that any product with digital elements (which includes connected devices for IoT) be designed, developed and produced in a secure manner, with the level of security matched to the risk the product carries:
“Products with digital elements shall be designed, developed and produced in such a way that they ensure an appropriate level of cybersecurity based on the risks”
Part two: Distribution
Even if a product is designed to be secure, vulnerabilities and backdoors can be introduced later in the supply chain, for example in the build, provisioning or shipping stages. The Act therefore specifies how the product must be delivered: free of known exploitable vulnerabilities and in a secure default configuration that the user can restore.
“Products with digital elements shall be delivered without any known exploitable vulnerabilities and with a secure by default configuration, including the possibility to reset the product to its original state”
Part three: Access
The Act also underlines the need for access management:
“Products with digital elements shall ensure protection from unauthorized access by appropriate control mechanisms, including but not limited to authentication, identity or access management systems”
Part four: Data Protection
The CRA reinforces the EU's GDPR requirements for data protection, but goes further: it asks device manufacturers to collect only data that is relevant to the product's intended use, and to protect the integrity of all data they store, transmit or process, whether personal or not.
“Products with digital elements shall:
protect the integrity of stored, transmitted, or otherwise processed data, personal or other, commands, programs, and configuration against any manipulation or modification not authorised by the user, as well as report on corruptions;
process only data, personal or other, that are adequate, relevant, and limited to what is necessary in relation to the intended use of the product (‘minimisation of data’)”
Part five: Defensive security
The most important part of the CRA is the set of security requirements, which ask that products with digital elements be able to resist attacks, limit their impact when they do occur, and recover from them. It also includes logging and patching requirements.
“Products with digital elements shall:
protect the availability of essential functions, including the resilience against and mitigation of denial of service attacks;
be designed, developed, and produced to limit attack surfaces, including external interfaces;
be designed, developed, and produced to reduce the impact of an incident using appropriate exploitation mitigation mechanisms and techniques;
provide security-related information by recording and/or monitoring relevant internal activity, including the access to or modification of data, services, or functions;
ensure that vulnerabilities can be addressed through security updates, including, where applicable, through automatic updates and the notification of available updates to users.”
Impact on the global IoT industry
The IoT community is used to the aphorism, “The S in IoT stands for security!”
While funny, it points to a common issue: security is often an afterthought when it comes to IoT products. With the EU adopting the CRA, chances are that the IoT security landscape will change as much as the data protection landscape did with GDPR.
There are some bold requirements in the CRA that we can't gloss over. Chiefly, the CRA expects ALL data to be handled with care, not just personal data: its confidentiality, integrity and minimisation requirements apply to data "personal or other". This is what sets the CRA apart from GDPR.
It is also important to note that a data protection failure in an IoT device can invoke heavy penalties under both GDPR and the CRA. Under the CRA proposal, non-compliance with the essential cybersecurity requirements can be fined up to EUR 15 million or 2.5% of the manufacturer's total worldwide annual turnover, whichever is higher.
The IoT community hasn't been entirely pleased with the introduction of the CRA, though. Some experts argue that while standardisation seems like a simple solution, conformity assessment and certification do not by themselves fix a lack of security in the product.
Another major concern being voiced among experts is that the CRA might affect open source development adversely. The proposal excludes free and open source software developed or supplied outside the course of a commercial activity, but where that boundary lies is not always clear. Given that many open source developers are hobbyists or tech enthusiasts, they may not want to take on the burden of complying with EU regulation and may instead restrict distribution of their software to markets outside the EU.
Of course, at this point, all of this is speculation. It remains to be seen whether the CRA becomes the big bad wolf for independent developers or sets a new precedent for security regulation in IoT.