EU Adopts New Rules To Protect Devices Connected To The Internet
EU countries and EU lawmakers on Thursday agreed to rules to protect laptops, fridges, mobile apps and smart devices connected to the internet from cyber threats, following a spate of such attacks and ransom demands around the world in recent years.
The European Commission, the European Union’s executive arm, proposed the new law last year in a bid to tackle the increasing risk from cyber threats to any smart devices, including a growing number of household goods as products become more connected.
The commission hopes the rules could save companies affected by such cyber incidents between 180 and 290 billion euros ($196-305 billion) every year.
The law will affect any product that is connected either directly or indirectly to another device or to a network.
The new rules introduce EU-wide cybersecurity requirements for the design, development and production of hardware and software products.
Manufacturers will also be forced to assess the cybersecurity risks of their products, and the rules demand greater transparency on the security of hardware and software products for consumers and business users.
Alongside CISA’s push for “secure by design” and the White House mandate for security nutrition labels on consumer devices by December 2024, this is a significant moment in the security of network-embedded devices. Pia McSharry, Security Strategist at Beyond Identity, shared the following commentary:
Device health is of the utmost importance to an organization’s overall cybersecurity posture. Putting the onus back on the manufacturer to produce devices that are “secure by design” eases the responsibility on the end user. Between this move by the EU and the CISA/White House push for consumer security labels on devices by December 2024, IoT manufacturers will have to change their current practices to meet these new requirements and change up software and production practices.
Upholding specific security hardening guidelines which are monitored and maintained by manufacturers is extremely important for organizations to minimize their attack surface. The management of the security posture of any connected device should be a shared responsibility between the manufacturer and the consumer. The manufacturer should always communicate the security standards used to harden the device, and the consumer should be aware of any potential security gaps to assure they are mitigating the risks effectively. This is a step forward to making security a priority for all.
Given that everything from lightbulbs to cars is on the Internet, this is a great move by the EU. Hopefully this forms the basis for devices that are assumed to be secure rather than something whose security you have to question.
UPDATE: George McGregor, VP, Approov Mobile Security, had this to say:
“Despite a lot of pushback, particularly on the 24-hour breach reporting requirements, the EU Cyber Resiliency Act (CRA) is now on its way to being in force in 2024. Companies will have a 21-month grace period before they must conform to the reporting obligation of manufacturers for incidents and vulnerabilities.
“Any company that operates in the EU would do well to make it a priority to study this legislation: it provides a cybersecurity framework and rules governing the planning, design, development and maintenance of any products, with obligations to be met at every stage of the value chain. The breach reporting requirements are particularly demanding.
“This is another sign that pressure is being put on all companies and organizations around the world to invest in their cybersecurity resilience and response. The SEC is also active, proposing new guidelines with a four-business-day reporting rule.
“This trend will continue and it is inevitable that all companies will have to increase their focus and investment on cybersecurity governance, protection and response.”
David Ratner, CEO, HYAS Infosec, follows with this:
“The Cyber Resiliency Act is a great start and will certainly help to increase transparency and responsibility. However, organizations should not let attestations and compliance drive their overall operational resiliency and business continuity strategy. They still require solutions capable of giving them the visibility and observability required to move business forward with confidence in the face of a constant onslaught of new and innovative cyber attacks.”
This entry was posted on December 1, 2023 at 12:10 pm and is filed under Commentary with tags Security. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.