CS Nov-Dec 2022

More documents

Recommendations

Info

legislation EU CYBER RESILIENCE ACT UNVEILED GETTING THE BALANCE RIGHT MIKE NELSON, VP OF IOT SECURITY AT DIGICERT, EXPLAINS WHAT THE EU CYBER RESILIENCE ACT MEANS, IN THE FIRST MOVE TO LEGISLATE CYBERSECURITY FOR THE INTERNET OF THINGS The EU Cyber Resilience Act is the first EU-wide legislation to emerge that imposes cybersecurity rules on manufacturers. It will cover both hardware and software, and applies to both manufacturers and developers, making them responsible for the security of connected devices. The European Commission states that the regulation will tackle two issues: "the low level of cybersecurity of many of these products and more importantly the fact that many manufacturers do not provide updates to address vulnerabilities". WHAT WILL THE EU CYBER RESILIENCE ACT REQUIRE? The devil will be in the details as the requirements are developed and released. We anticipate that they will use non-prescriptive approaches similar to what we see in other regulations, like 'encrypt sensitive data', 'devices must have the ability to be updated', 'ensure integrity of software and firmware' etc. However, to justify a penalty, they need to have some measurable approaches. There will likely be a requirement for regular updates, as that is one of the pain points that the European Commission raised. Sending automatic updates to a large scale of devices will be difficult without a solution that helps manufacturers maintain viability and automate tasks. Additionally, the EU Commission has stated that there will need to be more information available for consumers to make informed purchasing decisions and to set up their devices securely. HOW WILL THE EU CYBER RESILIENCE ACT AFFECT IOT MANUFACTURERS? IoT device manufacturers could face massive fines and penalties for noncompliance with the drafted EU Cyber Resilience Act. This is one of the first legislations to require a financial penalty for non-compliance. The EU is clear that, with this proposed legislation, the financial burden of devices will rest with manufacturers and developers. Furthermore, products that do not meet "essential" cybersecurity requirements will not be allowed to go to market. Thus, 30 computing security Nov/Dec 2022 @CSMagAndAwards www.computingsecurity.co.uk
legislation manufacturers need to start incorporating security in the design of their products now, so that devices going to market in the next few years will be up to the required security standards. Market surveillance authorities in each EU member state will be responsible to fine non-compliant companies, up to a limit set within the act, and prohibit non-compliant devices from going to market. However, having one set standard for cybersecurity across the EU will also make it more streamlined and clearer for manufacturers on how to maintain compliance. HOW WILL THE EU CYBER RESILIENCE ACT AFFECT CONSUMERS? The EU Cyber Resilience Act will give consumers a better purchasing power and trust in their devices by requiring manufacturers to provide information on device security before purchasing. The rules will require more knowledge on how to choose products that are secure and how to set up devices in a secure way. Similar to how consumers look at nutrition labels on food products to better understand what they are made of, providing security information on devices upfront will allow consumers to make more informed purchase decisions. As manufacturers will be required to be more transparent on the cybersecurity in their devices, consumers will have increased trust in the connected devices that do go to market. Furthermore, the EU Commission anticipates it could even increase demand for "products with digital elements", if consumers trust the product security more. IOT SHOULD BE SECURE BY DESIGN Regulators shouldn't have to come in with heavy fines and consequences to drive security - but sadly all too often security is an afterthought in device development. In a perfect world, companies would realise the importance of protecting their assets, customers, reputation and employees, and do security the right way, because it's the right thing to do. Until we get there, we will have to continue tolerating regulators coming in with a stick. Additionally, the ability for national surveillance authorities to be able to prohibit or restrict the sale of nonconforming products will also be a stick that will drive better security. WHEN WILL THE CYBER RESILIENCE ACT BE ENFORCED? At this point, the EU Cyber Resilience Act is with the European Parliament and Council to examine and adopt. Once enacted, Member States will have up to two years to adopt the requirements. Thus, manufacturers should be prepared to comply with the act any time in the next few years. However, the trend of increasing regulation on connected devices will continue. The EU Cyber Resilience Act is just the first step; we anticipate that this regulation will become a guideline for other regulators to develop similar standards. In the future, there will be more regulation on the IoT and its design, not less. Thus, it's important for manufacturers to implement cybersecurity by design now, so they are prepared for the future of IoT regulation. In addition to more IoT regulation, we are seeing industries come together to solve for device security. For instance, the Matter protocol recently launched for smart home device interoperability, security and reliability may serve as an industrydriven roadmap for better IoT device security. Though the full details of the proposed EU legislation are yet to come out, it is likely that manufacturers complying with Matter security, using device attestation certificates and product attestation intermediates, would meet the requirements of the EU lawmakers. Furthermore, they will have the opportunity to signal security to consumers, given that Matter-compliant devices will carry the Matter seal of approval. Mike Nelson, VP of IoT Security at DigiCert www.computingsecurity.co.uk @CSMagAndAwards Nov/Dec 2022 computing security 31
Page 1 and 2: Computing Security Secure systems,
Page 3 and 4: comment WHY DATA ETHICS MATTER Data
Page 5 and 6: We focus on your cybersecurity thre
Page 8: news Bogdan Botezatu, Bitdefender.
Page 11 and 12: 2023 predictions Meanwhile, EU Digi
Page 13 and 14: 2023 predictions zero-day exploit.
Page 15 and 16: ook review YOU AND YOUR DATA ARE TH
Page 17 and 18: 2022 CS Awards THE 2022 WINNERS: Em
Page 20 and 21: deepfakes THE DYSTOPIAN WORLD OF DE
Page 22 and 23: data management YOU AND YOUR DATA A
Page 24 and 25: ansomware RANSOMWARE ON THE RAMPAGE
Page 26 and 27: ansomware Dan Turner, Forcepoint: c
Page 28 and 29: ansomware Steve Forbes, Nominet: pa
Page 32 and 33: packet data BUILDING A CAPTIVE AUDI
Page 34 and 35: data threats WHY RANSOMWARE IS 'MOV
Page 36 and 37: eaches MAJOR BREACH, HARSH LESSONS
Page 38 and 39: GDPR REGULATORS MEAN BUSINESS! THE
Page 40 and 41: GDPR Dan Middleton, Veeam: Business
Page 42: Strengthen your data resilience wit

CS Nov-Dec 2022

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?