“In other words, there is no resilience in this particular material when it is at a temperature of 32 degrees. I believe that has some significance for our problem.” – Professor Richard Feynman commenting during the 1986 Challenger Commission hearings.
The Proposal for a REGULATION OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL on horizontal cybersecurity requirements for products with digital elements and amending Regulation (EU) 2019/1020 (a.k.a. The Cyber Resilience Act (CRA)[1] has been in the development stages since it was first posted for comments in September of 2022. I will focus on what the act seeks to accomplish and an estimation of its chances of success by asking the questions: what does the CRA seek to protect, from what threats and how does it intend to protect identified assets from identified threats?
Understanding what is to be protected in this document is a challenge since a broad framework term “digital elements” is featured in the title and found throughout the document. However I could find no clear definition in this document that defines what a digital element is.. The term is not even found in the definition section of Article 3 pages 32-33. Instead we are giving several definitions that have the word “with” attached to them such as “product with digital elements”, “critical product with digital elements” and “highly critical product with digital elements”. So one is left with searching for the meaning between the lines.
In my opinion the term digital element is used by the authors as a synonym for software. This software exits in any product that “includes a direct or indirect logical or physical data connection to a device or network.”[2] There are some interesting exceptions. For example out of scope are products with digital elements “developed exclusively for national security or military purposes.”[3] It may be pushing it but since there is such a poor definition of what a digital element is then one can say (perhaps in a litigation) that digital elements found in critical infrastructures linked to national security such as power grids and fuel pipelines are out of scope. I am sure that is not what the authors meant but the ambiguous use of terms can backfire.
Hardware is also mentioned together with software in the context of digital elements especially in the beginning of the document but eventually the hardware relevant parts of the text give way to traditional IT concerns over software (mentioned 84 times), data (used 74 times) and the protection of “information” (used 107 times). The word hardware is used 27 times but unlike the discussion about software bill of materials (SBOMs) there is no mention of hardware bill of materials or even firmware[4].
The other focus for protection in this document is over the supply chain which is mentioned 20 times. However the context for the concern over digital elements in the supply chain seems again to be software as found in the CRA’s Explanatory Memorandum which describes “covering the entire digital supply chain. Non-embedded software, often exposed to vulnerabilities, would also be covered by such regulatory intervention.”[5] The cross-border dimension of cybersecurity is clearly recognized in the context of a cyber incident involving software where the authors use the example of the spread of the WannaCry ransomware to “200 000 computers across 150 countries in 2017”.[6] However, the document seems clueless about another aspect of the cross-border dimension characterized by cyber-attacks on control systems that monitor and control processes found in pipelines, power transmission and distribution grids, and transportation systems. In terms of cyber resilience this critical element of our economies, national security and well-being of society does not seem to be recognized in this document that claims to cover the EU internal market.
The next step after determining what the document means by digital elements I looked for what the authors considered to be threats to them. The authors view the main threat as coming from cybercrime. I first found evidence for this by reading the first sentence of the explanatory memorandum “Hardware and software products are increasingly subject to successful cyberattacks, leading to an estimated global annual cost of cybercrime of EUR 5.5 trillion by 2021”[7]. This focus on cybercrime is reinforced by the inclusion of 2 examples of cyber-attacks associated with criminal activity: Wanna Cry ransomware attack and the strange, considering all the attacks that could have been chosen, inclusion of the Kaseya VSA supply chain attack that occurred inside Sweden[8]. The given examples do not include cyber-attacks by advanced, persistent threat (APT) actors associated with the malicious cyber activity of states. Attacks that have sought to deny, compromise or take away the view and control from the operators of critical infrastructure of a process governed by the laws of physics and chemistry.
The cases of STUXNET, cyber caused blackouts in Ukraine in 2015 and 2016[9] and the 2017 Triton/Trisis attacks on safety systems of a petrochemical plant revealed more complex issues involved with protecting the EU’s products that have digital elements. The NotPetya cyber-attack that affected control systems that closed the worldwide shipping operations of Maersk[10] and other industrial operations was eclipsed by the WannaCry ransomware attack a month before. Last year Viasat terminals were compromised resulting in loss of view and control of electricity producing windmills operated by German company Enercon. This was soon followed by reports of a cyber-attack tool designed to locate and compromise programmable logic controllers (PLC) which serve as the technical backbone for monitoring and controlling processes found in critical infrastructure[11]. Despite these well reported incidents that many consider to be “wake-up-calls”, the focus of the CRA unfortunately seems to be elsewhere. In a cross reference that lists NIS2 criteria for critical digital elements “used or relied upon by the essential entities”, it is digital infrastructure i.e. the Internet that features on the list[12]. Missing is an awareness of how and where the electricity comes from to power the “essential entities”.
As there are faults in the determination of what needs to be protected and from what threats it should not be surprising that the actionable “how” part of the regulation also has faults which should appear in the implementation and execution phase. This is too short of a piece to fully cover all the examples in the document so will be limited to just a couple of representative examples. Chapter 2 Obligations of Economic Operators Article 10 points out the obligations of the manufacturer but leaves out several other important players such as the system integrator, supplier, and even the asset owner that all share responsibility or blame if something goes wrong. Missing in all the listed obligations is any mention that an asset owner or customer should be informed of any back doors in their supplied products and provided with the option to disable them. This certainly is a supply side issue relevant to the use of a “digital element” of critical or highly critical importance.
A regulation that may apply to everything with “a direct or indirect logical or physical data connection to a device or network”[13] is going to need some super capable monitoring and enforcement capability. As the EU has a huge and growing bureaucracy it should be no surprise that one of the proposed measures is the establishment of a new “dedicated administrative cooperation group (ADCO)” for the uniform application of the regulation.[14] How all this work will be organized, monitored and adjusted for is a mystery to me.
Several commentators have expressed optimism over the appearance of the CRA as a much waited for and needed step in the right direction.[15] I agree that it is but unfortunately it is a step in a long journey that will be characterized by a lot of meandering and trial. The goal will be reached but by the hard way until the fundamental questions in security policy making are taken seriously and answered with due diligence. All this points to one conclusion: the EU’s institutions responsible for the cybersecurity of ITC are still mired in the home, office and consumer IoT environments. I do not say this to be clever but remember my own experiences as a member of several European institution work groups such as those organized by ENISA[16]. It is no longer enough to just consider the software and hardware that is found in the home or office. There are issues and challenges to be faced in protecting process control environments from not only cybercrime but from APT actors seeking to deny or compromise critical services vital to the population and economy such as power, fuel, water and transportation systems. For some reason the cybersecurity policy maker at the institutional level is unwilling or unable to step outside his or her office to go out and visit an industrial environment where the electricity to run their computers and the water for the coffee machine comes from. There are people out there who work there who can explain how things run. Perhaps with that knowledge we will eventually have more informed and useful documents than this version of the CRA
[1] https://digital-strategy.ec.europa.eu/en/library/cyber-resilience-act
[2] Article 2-1 Scope section
[3] Article 2-5 Scope section
[4] Firmware is programming that’s written to a hardware device’s non-volatile memory. Non-volatile… https://www.techtarget.com/whatis/definition/firmware
[5] CRA Explanatory memorandum Page 7
[6] CRA Explanatory memorandum page 1
[7] Ibid CRA page 1
[8] Ibid CRA page 1
[9] Joe Slowik, Stuxnet to CRASHOVERRIDE to TRISIS: Evaluating the History and Future of Integrity-Based Attacks on Industrial Environments, Dragos, Accessed September 18, 2023, https://www.dragos.com/wp-content/uploads/Past-and-Future-of-Integrity-Based-ICS-Attacks.pdf
https://www.dragos.com/wp-content/uploads/Past-and-Future-of-Integrity-Based-ICS-Attacks.pdf
[10] Andy Greenberg, The untold story of NotPetya, the most devastating cyber-attack in history, Wired, August 22, 2019 https://www.wired.com/story/notpetya-cyberattack-ukraine-russia-code-crashed-the-world/
[11] APT Cyber Tools Targeting ICS/SCADA Devices , CISA Advisory, May 25, 2022, https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-103a
[12] DIRECTIVE (EU) 2022/2555 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 14 December 2022 on measures for a high common level of cybersecurity across the Union, amending Regulation (EU)No 910/2014 and Directive (EU) 2018/1972, and repealing Directive (EU) 2016/1148 (NIS 2Directive), Annex 1 Sectors of High Criticality, L333/145, https://eurlex.europa.eu/legalcontent/EN/TXT/PDF/?uri=CELEX:32022L2555&qid=1695106804520
[13] That probably includes the USB microphone connected to the pc I am using to write this.
[14] CRA paragraph 56, page 27
[15] Sarah Fluchs, EU Cyber Resilience Act, Linkedin Sep 29, 2022, https://fluchsfriction.medium.com/eu-cyber-resilience-act-9e092fffbd73
[16] Guidelines for securing the Internet of Things, Secure supply chain for IoT ENISA, November 2020, page 2. https://www.enisa.europa.eu/publications/guidelines-for-securing-the-internet-of-things
