The EU Cyber Resilience Act
Reasons and Objectives
The EU has a pretty good reason to introduce the Cyber Resilience Act (CRA):
Hardware and software products are increasingly subject to successful cyberattacks, leading to an estimated global annual cost of cybercrime of EUR 5.5 trillion by 2021.
[EU-CRA, p. 1]
The authors of the EU CRA state two major problems causing these damages:
- Many “products with digital elements” have little or no protection against cyber attacks and little or no support for timely security updates.
- Neither consumers nor businesses have sufficient information to choose products with good cybersecurity over those with bad cybersecurity.
The following examples bear out the authors' problem analysis.
Remotely, two security researchers took control of the accelerator, brakes and steering wheel of a Jeep and eventually “parked” the car on the shoulder of the road. Fortunately, the driver knew what was happening, as this was a demonstration of what is possible. As I know first-hand, the security of agricultural, construction and industrial machines is in a worse state than the security of cars.
Although never officially confirmed, the USA and Israel reportedly destroyed roughly one fifth of the Iranian centrifuges for uranium enrichment with the Stuxnet worm. The worm targeted Windows computers that were in the same network as Siemens PLCs and reprogrammed the PLCs to change the rotation speed of the centrifuges until they tore themselves apart. Similar attacks are possible on many SCADA systems and PLCs.