After having been adopted by the European Parliament, and on October 10 also by the European Council, the EU Cyber Resilience Act will come into force in the next few weeks. Manufacturers of products with digital (i.e. software) content that are connected to a network or to another device will then have 36 months to comply, ensuring security “throughout the supply chain and throughout their lifecycle”. It is important not to delay implementing the many changes this requires.

According to a fact sheet published by the EU, the act establishes an obligation for manufacturers to ensure that:

  • “Cybersecurity is taken into account in planning, design, development, production, delivery and maintenance phase;
  • All cybersecurity risks are documented;
  • Manufacturers will have to report actively exploited vulnerabilities and incidents;
  • Once sold, manufacturers must ensure that for the duration of the support period, vulnerabilities are handled effectively;
  • Clear and understandable instructions for the use of products with digital elements;
  • Security updates to be made available to users for the time the product is expected to be in use”

In today’s world, the software supporting cyber-physical systems makes use of increasingly complex software supply chains comprising components from many different sources. Software supply chain attacks can have devastating impacts on these systems. As an example, Cisco lists an attack on TSMC affecting 10,000 devices in their most advanced facilities among the top 10 supply chain attacks in recent years.

Hence, to fulfil their obligations under the act, manufacturers first need to establish governance over their software supply chain.

  • First of all, they need to achieve visibility into their software dependencies and their vulnerabilities.
  • They need to establish policies for handling vulnerabilities, to decide which need to be fixed with priority.
  • Finally, in order to cope with the volume of dependencies and vulnerabilities and to react with speed, trusted automation of core lifecycle processes is required.

A widely accepted best practice for this is generating Software Bills of Materials (SBOMs) and managing their lifecycle. OWASP Dependency-Track is one of the most popular tools in this area and complements the SCA tools many companies are already using. It is developed and maintained by an open-source community and used by more than 10,000 organizations. Smaller organizations in particular should consider not spending their scarce resources on setting up and managing their own instance of Dependency-Track, but rather leveraging managed services for instant access, and focusing on processes and best practices for the SBOM lifecycle. CryptoSoft is one such provider of a managed service for Dependency-Track, as well as of value-added components such as integrations into CI/CD pipelines and SBOM generation tools for many programming languages. CryptoSoft offers a free trial period.
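As an added illustration of the three governance steps listed above (visibility, policy, automation) applied to an SBOM: this is example code written for this page, not code from the original post and not Dependency-Track's own implementation. It assumes a CycloneDX JSON SBOM (the format Dependency-Track ingests) and a vulnerability feed keyed by package URL; the component names, versions, vulnerability ids and CVSS scores are constructed placeholders.

```python
"""Triage policy over a CycloneDX SBOM plus a vulnerability feed.
Added illustration, not code from the original post or from Dependency-Track;
all sample data below is constructed."""
import json

# Constructed sample SBOM in CycloneDX 1.5 JSON shape (names are made up).
SBOM_JSON = """{
  "bomFormat": "CycloneDX", "specVersion": "1.5",
  "components": [
    {"type": "library", "name": "libparse", "version": "2.1.0",
     "purl": "pkg:generic/libparse@2.1.0"},
    {"type": "library", "name": "netio", "version": "0.9.3",
     "purl": "pkg:generic/netio@0.9.3"},
    {"type": "library", "name": "crypto-util", "version": "1.4.2",
     "purl": "pkg:generic/crypto-util@1.4.2"}
  ]
}"""

# Constructed vulnerability feed keyed by purl; ids are placeholders.
VULN_FEED = {
    "pkg:generic/libparse@2.1.0": [
        {"id": "VULN-PLACEHOLDER-1", "cvss": 9.8, "exploited": True, "fix": "2.1.1"}],
    "pkg:generic/netio@0.9.3": [
        {"id": "VULN-PLACEHOLDER-2", "cvss": 5.3, "exploited": False, "fix": None}],
}

def load_components(sbom_json):
    """Step 1, visibility: map each purl to 'name@version' from the SBOM."""
    bom = json.loads(sbom_json)
    return {c["purl"]: f'{c["name"]}@{c["version"]}' for c in bom["components"]}

def classify(v):
    """Step 2, policy: actively exploited findings first (they are also the
    ones that must be reported under the act), then by CVSS band."""
    if v["exploited"]:
        return "P1-report-and-fix"
    if v["cvss"] >= 7.0:
        return "P2-fix-next-release"
    return "P3-track"

def triage(sbom_json, feed):
    """Step 3, automation: build a prioritized work list, most urgent first."""
    work = []
    for purl, label in load_components(sbom_json).items():
        for v in feed.get(purl, []):
            work.append({"component": label, "id": v["id"], "priority": classify(v),
                         "action": f"upgrade to {v['fix']}" if v["fix"] else "await fix"})
    return sorted(work, key=lambda w: w["priority"])
```

Components with no feed entry (here crypto-util) stay visible in the inventory but produce no work item, which is what lets the same run be repeated on every build.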

Using a managed service like Cryptosoft can give manufacturers a head start on delivering cybersecure products to their clients and on becoming compliant with the Cyber Resilience Act.