How the EU Cyber Resilience Act will Work in Practice

With the Cyber Resilience Act, a significant step is being taken to strengthen cybersecurity in Europe. It will apply to all connected products, including components of the All Electric Society, which are increasingly exposed to cyberattacks.

According to the International Energy Agency (IEA), the number of cyberattacks on energy utilities worldwide more than doubled between 2020 and 2022. Recently, incidents have included the deactivation of wind farm remote monitoring, outages of electricity meters due to unavailable IT systems, and hacking of data such as customer names, addresses, bank details, and phone numbers. Globally, the average cost of a data breach in the energy sector reached a new record high of 4.72 million US dollars in 2022.

Security from the Start

“The need for cybersecurity affects the entire power grid, including distribution networks, transmission networks, and the connected renewable energy sources,” explains Frances Cleveland, Head of Cybersecurity within the IEC/TC 57 technical committee of the International Electrotechnical Commission (IEC). The committee publishes fundamental standards for the Smart Grid, such as the IEC 62351 series. Alongside cybersecurity requirements, that series also includes guidelines for taking security requirements into account in systems and operations during the development phase, so that security measures are built in rather than added only once the systems are already in operation.

“The goal is to ensure that participants in the distributed energy resources (DER) sector manufacture and connect these DER systems in a way that incorporates cybersecurity measures and technologies from the outset, making the DER systems ‘secure by design’. If cybersecurity is only considered once the system is already on the market, it’s akin to putting a plaster on a life-threatening wound,” Cleveland further explains.

The Cyber Resilience Act is coming

This is precisely where the Cyber Resilience Act (CRA), approved by the European Parliament in spring 2024, comes into play: the regulation will apply to all products that are either directly or indirectly connected to another device or network. This includes connected security cameras, energy management systems, and wind turbine controls. The CRA requires manufacturers to meet basic cybersecurity requirements, such as guaranteeing the confidentiality and integrity of data. It also stipulates that manufacturers must maintain the IT security of their products throughout their lifecycle, and they must demonstrate how they address and resolve vulnerabilities in their products. In the future, only products with proof of compliance with the CRA can be brought to the European market with a CE mark.

Risk Differentiation

Important and critical products will be categorised into different lists based on their criticality and the degree of cybersecurity risk they pose. These lists will be proposed and updated by the European Commission. Products deemed to pose a higher cybersecurity risk will undergo stricter scrutiny by a designated body, while others may follow a simpler conformity assessment process, often managed internally by the manufacturers.

Following the introduction of the CRA – expected later in 2024 – manufacturers will have 36 months to prepare for the upcoming regulations. These will apply to products expected to be introduced to the market from 2027 onwards.

Lead MEP Nicola Danti (Renew, IT) stated: “The Cyber Resilience Act will strengthen the cybersecurity of connected products, tackling vulnerabilities in hardware and software alike, making the EU a safer and more resilient continent.”

[Graphic: How the Cyber Resilience Act will work]

Obligations of Manufacturers under the Cyber Resilience Act

  • Cybersecurity must be considered during the planning, design, development, production, delivery, and maintenance phases
  • All cybersecurity risks must be documented
  • Manufacturers must report actively exploited vulnerabilities and incidents
  • After the sale, manufacturers must ensure that vulnerabilities are effectively addressed during the support period
  • Manufacturers must provide clear and understandable instructions for the use of products with digital elements
  • Security updates must be made available to users for the expected lifespan of the product

Source: European Union
