The cost of cybercrime is expected to hit USD$10.5 trillion annually by 2025, which would make cybercrime—if it were a country—the third largest economy after the U.S. and China. Ransomware is just one of many weapons in the cyber criminal's arsenal, which may also include phishing, malware, email compromise, supply chain attacks, denial of service (DoS) and distributed DoS (DDoS) (fig 1).
APAC, Europe and North America saw the greatest increases in ransomware attacks in the past year—+29%, 21% and 15%, respectively—according to a global survey by Check Point Research (fig 2).
While many countries and regions are working hard to combat all forms of cybercrime, no economic region has been more productive than the European Union. In the past few years, the EU has developed and enacted multiple measures to help secure personal data and harden various industries against cyber attacks.
The EU Commission and Parliament recognize the growing importance of securing connected devices, including machines, sensors and networks that make up the Internet of Things (IoT) and Industrial IoT (IIoT). The publication of the First EU Cybersecurity Strategy in 2012 denoted the establishment of cybersecurity as a new and important policy focus.
In 2018, the General Data Protection Regulation (GDPR), arguably the toughest privacy and security law in the world, was enacted by the EU. The GDPR imposes obligations onto organizations anywhere in the world, as long as they target or collect data related to people in the EU. Violation of the GDPR carries harsh fines, with penalties reaching into the tens of millions of Euros.
The adoption of and compliance with the GDPR has led to stricter data protection laws in many other countries, including the U.S. One highly visible consequence of the GDPR is the trend in recent years of web sites to ask for your permission to use cookies to track your online activities.
New Cyber Resilience Act
In September 2022, the European Commission published a draft of the Cyber Resilience Act (CRA), which proposes to achieve two main objectives:
- Create conditions for the development of secure products with digital elements (PDEs) by ensuring that hardware and software products are placed on the market with fewer vulnerabilities and that manufacturers take security seriously throughout a product's life cycle; and
- Create conditions allowing users to take cybersecurity into account when selecting and using products with digital elements.
The CRA is currently under review by EU Parliamentary Committees. Once both Parliament and Council have approved the final text of the CRA, it will be jointly signed by the Presidents and Secretaries General of both institutions. After signature, the texts are published in the EU Official Journal and enter into effect (EIF) (fig 3).
The new rules are intended to rebalance responsibility towards manufacturers—as well as distributors and importers—who must ensure conformity with security requirements of products with digital elements that are made available on the EU market (fig 4). The CRA will benefit consumers, as well as businesses using digital products, by enhancing the transparency of security properties and promoting trust.
Under the CRA, manufacturers of PDEs would undergo a process of conformity assessment to demonstrate whether the specified requirements relating to a product have been fulfilled. This could be done via self-assessment or a third-party conformity assessment, depending on the criticality of the product in question.
Where compliance of the product with the applicable requirements has been demonstrated, manufacturers and developers would draw up an EU declaration of conformity and will be able to affix the CE marking. The CE marking will indicate the conformity of PDEs with the CRA, so that they can move freely within the internal market.
No time to waste
"We are anticipating that the new Cyber Resilience Act is likely to be adopted and go into effect in the spring of 2024," notes FM Approvals' Khalid Ansari, a senior cyber engineering specialist in the FM Approvals Cybersecurity Laboratory. "While the Act is being formalized, it pays for product manufacturers to start working towards compliance from now on by, for instance, adopting a secure development lifecycle process for their products. We are ready to assist manufacturers and others who believe they will have an obligation to comply with the proposed law."
The full provisions of the new CRA would apply fully within 24 months after entry into force—the date the legislative proposal is signed into law. However, manufacturers of PDEs, as well as those that outsource the design, development and manufacturing to a third party, will have 12 months from the adoption date to begin reporting any actively exploited vulnerabilities to the European Union Agency for Cybersecurity (ENISA) within 24 hours of becoming aware of it.
The CRA, as proposed, does not apply to cloud computing services and software-as-a-service (SaaS), which are both covered under another new EU cyber law, the Network and Information Systems regulations (NIS2), which entered into force in January 2023 and replaces an earlier version of the law. It also does not apply to free software, medical devices, civil aviation, motor vehicles and products developed exclusively for national security or the military.
Examples abound
The CRA takes a "horizontal" view of the marketplace by encompassing products with digital elements and non-embedded or standalone software. Products with digital elements covered by the new CRA are contained in Annex 3 of the act.
PDEs covered under the CRA are grouped into classes of criticality: non-critical, critical, and highly critical (fig 5). Non-critical PDEs include consumer-oriented products such as photo editing and word processing software, smart speakers, games, etc. The critical category of PDEs is subdivided into Class I and Class II.
Some examples (see CRA Annex 3 for complete list) of Class I and Class II products are as follows:
Critical Class I --
- Standalone and embedded browsers;
- Password managers;
- Software that searches for, removes, or quarantines malicious software;
- Products with digital elements with the function of virtual private network (VPN);
- Routers and modems intended for the connection to the internet, and switches, not covered by class II;
- Microprocessors not covered by class II;
- Microcontrollers;
- Application specific integrated circuits (ASIC) and field-programmable gate arrays (FPGA) intended for the use by essential entities [Annex I to NIS2];
- Industrial Automation & Control Systems (IACS) not covered by class II, such as programmable logic controllers (PLC), distributed control systems (DCS), computerized numeric controllers for machine tools (CNC) and supervisory control and data acquisition systems (SCADA);
- Industrial Internet of Things not covered by class II.
Critical Class II --
- Operating systems for servers, desktops, and mobile devices;
- Public key infrastructure and digital certificate issuers;
- Firewalls, intrusion detection and/or prevention systems intended for industrial use;
- General purpose microprocessors;
- Microprocessors intended for integration in programmable logic controllers and secure elements;
- Routers, modems intended for the connection to the internet, and switches, intended for industrial use;
- Smartcards, smartcard readers and tokens;
- Industrial Automation & Control Systems (IACS) intended for the use by essential entities of the type referred to in NIS2 Annex I, such as programmable logic controllers (PLC), distributed control systems (DCS), computerized numeric controllers for machine tools (CNC) and supervisory control and data acquisition systems (SCADA);
- Industrial Internet of Things devices intended for the use by essential entities of the type referred to in NIS2 Annex I;
- Robot sensing and actuator components and robot controllers;
- Smart meters.
Implementation assistance
"Large makers of products with digital elements are already involved in the CRA development process," notes Witali Engelhardt, FM Approvals operations vice president and manager of new business development for EMEA. "It is small to mid-size PDE developers who are most likely to be caught off guard by the requirements of this new law. Anyone developing a product now for the EU market needs to be aware of and start now to plan for these new requirements."
The FM Approvals Cybersecurity Lab began offering certifications early last year. The lab is accredited by both the Standards Council of Canada (SCC) and ISASecure® as a certification body (CB) to the ISA/IEC 62443 series of standards. FM Approvals cybersecurity certification helps developers of Industrial Internet of Things (IIoT), operational technology (OT) and industrial control systems (ICS) meet the need for greater security and help differentiate their products in competitive markets.
ICS/OT/IIoT products that successfully complete FM Approvals' 62443-based evaluation program will bear the FM Diamond along with a specific security level which signifies that the product is robust against cyber-attacks and free from known vulnerabilities. These products will be listed in a special ICS/IIoT Cyber Security section of the Approval Guide and listed on the official ISASecure certified product registration list available for view at www.isasecure.org.
It should be noted that cybersecurity has also become a front and center issue for the National Fire Protection Association (NFPA) as many fire alarm systems installed today have some connectivity to the outside world, making them IIoT systems.
The 2022 edition of NFPA 72 contains the new Chapter 11, entitled "Cybersecurity", as a placeholder for technical committees to develop for the 2025 edition. However, a new Annex J in the 2022 edition contains guidelines for cybersecurity and how it can be improved for fire alarms and other signaling solutions.
According to Patrick Byrne, the manager of the FM Approvals cybersecurity certification program, "The NFPA is looking to harden fire alarm and control systems against cyber attacks and cyber vandalism. Manufacturers of these systems can stand out from others in the market by certifying their internet connected systems meet recognized cybersecurity standards. While many AHJs and others may not yet fully understand cybersecurity issues, they know it is a big risk and may require third-party certification to ensure the risk is addressed properly."
FM Approvals cybersecurity certification may also be bundled with other FM Approvals certification programs such as functional safety (SIL) in order to save time and reduce costs. To learn about the new EU Cyber Resilience Act and the certification obligations of manufacturers and developers of products with digital elements, please contact Patrick Byrne at patrick.byrne@fmapprovals.com or call +1 (781) 255-4846.
Disclaimer: While every effort has been made to ensure the information presented in this post is current at the time of publication, until a regulation is passed, there is a potential for changes to the proposed text and timeline.