New JRC-ENISA report enhances cybersecurity standards alignment through CRA requirements mapping

The European Commission’s Joint Research Centre (JRC) and the European Union Agency for Cybersecurity (ENISA) released a Cyber Resilience Act Requirements Standards Mapping report this week. The JRC-ENISA report aims to align existing cybersecurity and vulnerability standardization outputs with the qualifications required for products with digital elements under the Cyber Resilience Act.

The study is also in line with the expectations of the proposal of regulation, in which it is stated that synergies on standardization aspects should be considered between the Commission and ENISA. It identifies key cybersecurity standards for each CRA requirement, assesses their coverage of the intended scope, and identifies potential gaps for improvement.

The rising number of cyberattacks affecting digital products, coupled with widespread vulnerabilities and insufficient timely security updates, creates heavy financial burdens on society. In response, the European Commission drafted the Cyber Resilience Act, a new proposal for regulation to define the legislative framework of essential cybersecurity requirements that manufacturers must meet when placing any product with digital elements on the internal market. Furthermore, to facilitate the adoption of the CRA provisions, these cybersecurity requirements need to be translated into harmonized standards with which manufacturers can comply.

The CRA proposal applies to products with digital components that are marketed and can be connected to devices or networks, covering both hardware and software components, including Software as a Service (SaaS) solutions that meet the criteria for remote data processing. The CRA proposal outlines two key sets of requirements: product cybersecurity requirements and vulnerability handling process requirements. These requirements are expected to undergo a standardization process by the European Standardisation Organizations (ESOs) to formalize them as specifications within harmonized standards.

The JRC-ENISA report also details the available standardization outputs on the cybersecurity of hardware and software products, including the hardware and software components of complex products, produced mainly by ESOs and international Standards Development Organizations (SDOs).

Specifically, the study aims to present a mapping of the existing cybersecurity standards against the essential requirements of the CRA proposal, along with a gap analysis between the mapped standards and the requirements. Given the development of harmonized standards, this analysis offers a possible overview of the current coverage of the requirements by existing specifications, highlighting possible gaps that may be closed by further standardization work.

The CRA cybersecurity essential requirements are outlined in a list format, with each requirement presented in generic text. To facilitate the identification and assessment of standards that may address the CRA requirements, an analysis has been conducted to emphasize key concepts. For each essential requirement, a selection of sample sub-requirements and keywords has been identified. These elements serve as a guide for identifying standards relevant to the CRA but do not aim to provide an exhaustive list of sub-requirements, as the breakdown of a requirement may vary based on product specifics and applications.

It is important to mention that if a standard was found in both international and European forms, the report has referred to the European standard. In addition to mapping requirements to standards, considering that security requirements may be applicable at various stages of a product’s life cycle, the study has been enhanced with information indicating the potential relevance of a requirement to specific product life cycle stages. This information can assist manufacturers in navigating requirements and standards based on the product’s current stage.

The JRC-ENISA report found that the key components of this requirement are addressed in major cybersecurity standards. Across these three chosen standards, the identified gaps can be summarized as: 

  • The hardware design aspect receives less coverage compared to software design. 
  • A risk analysis process tailored to system design is outlined only in the context of industrial automation and control systems (IACS), whereas the broader ISO 27005 standard does not focus specifically on system or product design.

The document identified that the existing standards cover, at least partially, all CRA requirements. This provides a strong basis to build on, taking into consideration the identified gaps. “Nevertheless, we did not find a single standard that can, alone, satisfy all requirements listed in the two lists present in Annex I of the CRA. In general, ‘horizontal’ standards, i.e., not targeting a specific use case or a market sector, emerged as the most relevant to cover the purposes of the different requirements.”

It added that the only exception to this is represented by some standards of the EN IEC 62443 family (related to industrial control systems) and the Internet of Things (IoT), although in the JRC-ENISA opinion standards targeting the IoT domain can be seen mostly as horizontal standards, since nowadays most digital devices can be associated with the IoT scenario.

Although some of the selected standards are not directly related to product design/development (e.g., EN ISO/IEC 27002 related to recommended controls for initiating, implementing, or maintaining information security management systems), they might nevertheless be relevant for the CRA, as their implementation by an organization will be reflected also in the products produced by that organization. 

When it comes to product-related security requirements of the first list of CRA Annex I, “the standard ETSI EN 303 645 has been indicated to us as one of the most relevant, and for this reason, we have made a specific attempt to map it on all the requirements, which result somehow all covered by the standard even if with some gaps. To be also noted that the standard is specifically devoted to IoT systems, so, even if many digital products nowadays present different features analogous to those of the IoT environment, an automatic applicability of this standard to all categories of products cannot be taken for granted,” it added. 

“Another relevant standard in terms of coverage of the requirements is EN ISO/IEC 27002 (information security controls), covering 6 out of 13 requirements. Also the EN IEC 62443 family offers quite good coverage, but it is specifically devoted to industrial control systems,” the JRC-ENISA report detailed. 

For the vulnerability handling requirements, the second list of the annex, EN ISO/IEC 30111 (vulnerability handling process) is the most relevant one, covering 5 out of 8 requirements, with EN ISO/IEC 29147 (vulnerability disclosure) also covering 4 of the same requirements. All these standards are “horizontal” in terms of their application.

In some cases, such as requirement 3(b) (ensure protection from unauthorized access by appropriate control mechanisms, including but not limited to authentication, identity or access management systems), the selected standards are quite generic, whereas several other standards cover specific use cases in more detail. The selection of more generic standards allows more flexibility and wider coverage of current and future use cases. On the other hand, specific and sectoral standards might be able to satisfy more closely the peculiar constraints and requirements of specific niches.

Minimizing negative impacts on the availability of services provided by other devices or networks is addressed by standards related to the IoT domain, which raises questions about the broader applicability of these standards. In the context of the highly interconnected nature of devices in the IoT domain, these standards have clear relevance.

However, for other domains, the specific applicability of IoT-focused cybersecurity standards may need further evaluation. While interconnectedness is also a characteristic of several domains nowadays, the specific requirements, regulations, and risks might vary, necessitating a tailored approach or additional measures to ensure that cybersecurity needs are adequately addressed.

The first two standards (ISO/IEC 18045:2022 and ITU-T X.1214) contain a step-by-step methodology for vulnerability assessment; collectively they cover the pre- and post-delivery phases of the product life cycle. They cover known and unknown (zero-day) vulnerabilities with several different, complementary techniques. The IEC 62443-4-1 standard prescribes several security tests on the product, although referring only to IACS, and the ETSI EN 303 645 standard poses a requirement for IoT manufacturers that does not refer explicitly to the initial delivery and gives no further implementation detail.

Except for the IEC 62443-4-1 standard, which addresses IACS, a key gap identified is that the existing standards primarily focus on vulnerability detection rather than the subsequent patching of identified vulnerabilities. This limitation results in an incomplete coverage of the overall requirement. 

For instance, ISO/IEC 18045, utilized in the Common Evaluation Methodology (CEM) alongside the Common Criteria ISO/IEC 15408 series, outlines a vulnerability assessment methodology during the validation phase with a single technique. ITU-T X.1214 encompasses multiple techniques during validation and maintenance phases but lacks a specific methodology, concentrating on ICT network elements. ETSI EN 303 645 solely emphasizes the importance of delivering products free from vulnerabilities.

The JRC-ENISA document identified various aspects related to random password and key generation in general that are covered by ISO/IEC 18031:2011 as far as specific conceptual models are concerned. Those related to product configuration/credentials management (ISO/IEC 27002:2022 and ETSI EN 303 645) are addressed at a high level, with references to NIST publications. Detailed implementation aspects, relying for example on the specific use of non-erasable memories for configuration management, seem not to be covered.

The report covers the basic concepts and principles behind data confidentiality, both at rest and in transit. It also covers symmetric and asymmetric encryption algorithms, as well as homomorphic and identity-based ciphers, and describes specific mechanisms for integrity based on digital signatures and MACs. It also addresses privacy requirements, especially in the ISO/IEC 27701 standard, which proposes a mapping between various standards and legislation, including the GDPR.

“General availability aspects are covered by ISO/IEC 22237-1:2021 for what concerns the design of data center facilities and infrastructures, that could be applicable to some digital products and services but do not cover all the landscape,” according to the JRC-ENISA report. “Broader scope is provided by ISO/IEC 27002:2022 and ETSI EN 303 645 even if at a high level and, for the latter, focusing on IoT consumer devices. ITU-T X.805 (10/2003) covers the requirement for end-to-end network security. EN IEC 62443-4-2 covers the requirement for IACS. A possible gap could be the more detailed guidance on implementation of availability principles for generic user products,” it added.

The report also highlighted that the product’s hardware design should be designed, developed, and produced to limit attack surfaces, including external interfaces. “The requirement is well covered from a theoretical point of view in the analyzed documents, that well describe what are the security design principles that would allow to minimize the attack surface of a product with digital elements. Nevertheless, we found a lack of concrete requirements and practical controls that, implemented, would indeed ensure an attack surface minimization. Standard EN IEC 62443-4-2:2019 is a partial exception to this as it included concrete requirements although limited to industrial automation and control systems,” it added.

Last month, ENISA published an executive summary of the second iteration of this year’s ‘Foresight Cybersecurity Threats for 2030’ presenting an overview of key findings in the top 10 ranking. The study reassesses the previously identified top ten threats and respective trends whilst exploring the developments over a year.
