September 21, 2022

Is the EU Cyber Resilience Act Really Possible Without Zero Trust Automation?

Written by Rob Dobson

In May 2021 President Joe Biden issued Executive Order 14028. The order focused on “Improving the Nation’s Cybersecurity” to support and protect the nation’s critical infrastructure and Federal Government networks. The EO called out a number of key focus areas, including:

  • Enhanced security of the supply chain
  • A timeline for Zero Trust – “Never trust, always verify”
  • Transparency between government and private sectors
  • Standard Procedures for incident response
  • Government wide EDR system

This directly relates to the trustworthiness and transparency of ALL digital infrastructure – IT, OT, IoT, IIoT. Anything that runs software is in scope – cloud services, on-prem application servers and connected things – all systems that provide critical functions. A big part of enhancing the security of the supply chain is focused around the Software Bill of Materials (SBOM) and sharing it with those that need to know, clearly providing visibility and transparency of what software is running in the supply chain.

Fast forward 18 months and the EU has set out a Cyber Resilience Act proposal which introduces mandatory cybersecurity requirements for hardware and software products throughout their whole lifecycle. In a nutshell, this Act sets out to:

  • Ensure that products with digital elements placed on the EU market have fewer vulnerabilities and that manufacturers remain responsible for cybersecurity throughout a product’s life cycle;
  • Improve transparency on security of hardware and software products;
  • Business users and consumers benefit from better protection.

There are some very similar concepts between EO 14028 and the EU Cyber Resilience proposal, both focusing on any “digital element”. The proposal goes into some detail and calls out a number of elements in the Annexes across 1) the security requirements for digital elements and 2) vulnerability handling requirements. In Annex 1, section 2 (Vulnerability handling) it calls out the following:

  • identify and document vulnerabilities and components contained in the product, including by drawing up a software bill of materials in a commonly used and machine-readable format covering at the very least the top-level dependencies of the product;
  • in relation to the risks posed to the products with digital elements, address and remediate vulnerabilities without delay, including by providing security updates;

This is clearly driving SBOM concepts to improve software visibility, vulnerability management and remediation through the supply chain. There are standardized formats out there to help generate and communicate SBOMs (CycloneDX, SPDX etc.) and other tools and databases to help share SBOMs and manage the vulnerabilities associated with them, including applying Vulnerability Exploitability eXchange (VEX) data.

The requirement to remediate vulnerabilities without delay is an interesting one. Clearly, there isn’t a one-size-fits-all answer, and there are a few options here:

  • Remediation: Preventing a device from connecting to an application (revoking its credential), or fixing or patching a vulnerability so it can’t be exploited.
  • Mitigation: Lessening the likelihood and/or impact of a vulnerability being exploited. This can be a necessity when a fix isn’t available yet.
  • Acceptance: No action is required because the risk/likelihood of exploitation of the known vulnerability is low.

In any deployment (IoT, IIoT etc.), remediating thousands of devices is a daunting challenge without automation. For example, imagine a high-risk CVE has been identified that affects 50,000 devices connected in your infrastructure. It’s great that you now have visibility of this, but what do you do about it?

If remediation means temporarily suspending their access to critical infrastructure, then automation will help, i.e. revoking each device’s machine identity and credentials so that its access is unauthorized. But then what about the process of securely patching them and proving they are secure? To do this, and ultimately bring the 50,000 devices back online with new machine identities and credentials once the vulnerability has been addressed, security automation is vital.
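The SBOM-to-action step described above, as an added example that is not code from this post or from any SBOM tool: it matches constructed per-device component inventories against a VEX record (simplified CycloneDX-style structures, a placeholder CVE id and hypothetical device names) and decides, per device, whether to revoke its credential, mitigate, or accept, and whether a patched device's fresh SBOM clears it for a new credential.

```python
"""Triage constructed device SBOMs against a VEX record and emit per-device
zero-trust actions (revoke credential / mitigate / accept). Hypothetical,
simplified CycloneDX-style structures; not a real CycloneDX/VEX parser."""
from dataclasses import dataclass

# Constructed SBOM inventory: device id -> top-level components (purl, version)
DEVICE_SBOMS = {
    "sensor-0001": [("pkg:generic/tls-lib", "1.2.0"), ("pkg:generic/rtos", "4.1")],
    "sensor-0002": [("pkg:generic/tls-lib", "1.3.1"), ("pkg:generic/rtos", "4.1")],
    "camera-0003": [("pkg:generic/tls-lib", "1.2.0"), ("pkg:generic/http", "2.0")],
    "gateway-0007": [("pkg:generic/tls-lib", "1.2.0"), ("pkg:generic/http", "2.0")],
}

# Constructed VEX record: which component versions are affected, and the
# analysis state the supplier asserts per product family (CycloneDX vocabulary).
VEX = {
    "id": "CVE-YYYY-NNNNN",  # placeholder, not a real identifier
    "severity": "high",
    "affected": {("pkg:generic/tls-lib", "1.2.0")},
    # families absent from this map are treated as still "in_triage"
    "analysis": {"sensor": "exploitable", "gateway": "not_affected"},
}

@dataclass(frozen=True)
class Action:
    device: str
    decision: str  # "revoke" | "mitigate" | "accept"
    reason: str

def triage(device_sboms, vex) -> list:
    actions = []
    for device, comps in device_sboms.items():
        hits = [c for c in comps if c in vex["affected"]]
        if not hits:  # nothing in the SBOM matches the VEX: accept
            actions.append(Action(device, "accept", "no affected component"))
            continue
        family = device.split("-")[0]
        state = vex["analysis"].get(family, "in_triage")
        if state == "not_affected":  # supplier says not exploitable here
            actions.append(Action(device, "accept", f"VEX {state}"))
        elif state == "exploitable" and vex["severity"] in ("high", "critical"):
            actions.append(Action(device, "revoke", f"{vex['id']} {state}"))
        else:  # fix not confirmed yet: reduce likelihood/impact meanwhile
            actions.append(Action(device, "mitigate", f"{vex['id']} {state}"))
    return actions

def cleared_for_reissue(new_components, vex) -> bool:
    """After patching, issue a new credential only if the fresh SBOM is clean."""
    return not any(c in vex["affected"] for c in new_components)
```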

Robert Dobson