
Security webinars: slides and recordings available

    The OPC Foundation is hosting a series of webinars on security. The current focus is the European Cyber Resilience Act (EU CRA), which has been published in the Official Journal of the EU; its reporting obligations apply from September 2026 and the bulk of its obligations from December 2027.

    All materials, i.e. the slides and the recordings, are publicly available. Download the PDFs here: https://opcfoundation.org/developer-tools/marketing-communication-presentations/opc-and-opc-ua-presentations/. The link to the recording is on the cover page of each PDF.

    Details of the presentations can be found below:

    “SBOM & Vulnerability Management – CVE” by Jens Cordt, BSI as delivered on Dec 3rd, 2024.

    Jens Cordt (BSI) covered two topics:

    Vulnerability Management – CVE
    Vulnerability management is one of the main pillars of the CRA. Based on the SBOM of each product, the CRA expects manufacturers to identify, document and address vulnerabilities (typically tracked as CVEs) in the individual components and, derived from that, in the resulting product. This session describes the requirements placed on products with digital elements and how they can be addressed in general.

    For effective Vulnerability Management – SBOM in the CRA
    In the US, EO 14028 requires vendors of software for the US government to list all components used in building their software in a software bill of materials (SBOM). This is meant to increase transparency and security by providing clear information on the components and dependencies of software applications. With the CRA, the legal obligation to maintain an SBOM comes to the EU too, and not just for software but for all products with digital elements. What does the CRA demand, why, and for what?
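    The two topics above meet in practice when the SBOM is used as the index for vulnerability handling: each component is matched against advisories, and every hit then needs an explicit product-level statement (affected, not affected, still under investigation) rather than just a list of component names. The following Python example is added here to illustrate that workflow; it is not code from the OPC Foundation or from the webinar. The SBOM, the advisory feed and the per-finding analysis are constructed sample data with placeholder advisory IDs (`EXAMPLE-000x`), not real CVEs, and the purl prefix `pkg:generic/` and the version-range syntax are assumptions of the example.

```python
"""Match a CycloneDX-style SBOM against an advisory feed and roll findings up to the product."""
import json
import re
from typing import Dict, List, Tuple

# Constructed SBOM (not a real product); only the fields this example reads are included.
SBOM_JSON = """{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "metadata": {"component": {"name": "example-gateway", "version": "2.1.0"}},
  "components": [
    {"name": "libfoo", "version": "1.4.2", "purl": "pkg:generic/libfoo@1.4.2"},
    {"name": "libbar", "version": "3.0.1", "purl": "pkg:generic/libbar@3.0.1"},
    {"name": "libbaz", "version": "0.9.0", "purl": "pkg:generic/libbaz@0.9.0"}
  ]
}"""

# Constructed advisory feed with placeholder IDs (not CVEs). "affected" is a
# space-separated AND of version constraints; this syntax is an assumption of the example.
ADVISORIES = [
    {"id": "EXAMPLE-0001", "purl": "pkg:generic/libfoo", "affected": "<1.5.0", "severity": "high"},
    {"id": "EXAMPLE-0002", "purl": "pkg:generic/libbar", "affected": "<3.0.0", "severity": "critical"},
    {"id": "EXAMPLE-0003", "purl": "pkg:generic/libbaz", "affected": ">=0.9.0 <1.0.0", "severity": "medium"},
]

# Constructed VEX-style analysis recorded by the manufacturer per (component, advisory).
# A component match alone does not decide whether the product is affected.
ANALYSIS: Dict[Tuple[str, str], str] = {
    ("pkg:generic/libfoo@1.4.2", "EXAMPLE-0001"): "affected",      # fix still pending (assumed)
    ("pkg:generic/libbaz@0.9.0", "EXAMPLE-0003"): "not_affected",  # vulnerable path not built in (assumed)
}

_CONSTRAINT = re.compile(r"(<=|>=|<|>|==)\s*([0-9.]+)")
_OPS = {
    "<": lambda a, b: a < b, "<=": lambda a, b: a <= b,
    ">": lambda a, b: a > b, ">=": lambda a, b: a >= b, "==": lambda a, b: a == b,
}


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '1.4.2' into (1, 4, 2); anything non-numeric is rejected rather than guessed."""
    parts = v.split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"unsupported version string: {v!r}")
    return tuple(int(p) for p in parts)


def version_in_range(version: str, spec: str) -> bool:
    """True if `version` satisfies every constraint in `spec`, e.g. '>=0.9.0 <1.0.0'."""
    constraints = _CONSTRAINT.findall(spec)
    if not constraints or len(constraints) != len(spec.split()):
        raise ValueError(f"unsupported range spec: {spec!r}")
    v = parse_version(version)
    return all(_OPS[op](v, parse_version(bound)) for op, bound in constraints)


def split_purl(purl: str) -> Tuple[str, str]:
    """'pkg:generic/libfoo@1.4.2' -> ('pkg:generic/libfoo', '1.4.2')."""
    base, sep, version = purl.rpartition("@")
    if not sep:
        raise ValueError(f"purl without version: {purl!r}")
    return base, version


def match_sbom(sbom_json: str, advisories: List[dict]) -> List[dict]:
    """One finding per (component, advisory) pair whose version falls in the affected range."""
    sbom = json.loads(sbom_json)
    findings = []
    for comp in sbom.get("components", []):
        base, version = split_purl(comp["purl"])
        for adv in advisories:
            if adv["purl"] == base and version_in_range(version, adv["affected"]):
                findings.append({"component": comp["purl"], "advisory": adv["id"],
                                 "severity": adv["severity"]})
    return findings


def product_report(sbom_json: str, advisories: List[dict],
                   analysis: Dict[Tuple[str, str], str]) -> dict:
    """Roll component findings up to a product-level status; unanalysed hits stay open."""
    product = json.loads(sbom_json)["metadata"]["component"]
    findings = [
        {**f, "status": analysis.get((f["component"], f["advisory"]), "under_investigation")}
        for f in match_sbom(sbom_json, advisories)
    ]
    if any(f["status"] == "affected" for f in findings):
        status = "affected"
    elif any(f["status"] == "under_investigation" for f in findings):
        status = "under_investigation"
    else:
        status = "not_affected"
    return {
        "product": f"{product['name']}@{product['version']}",
        "status": status,
        "open": sum(1 for f in findings if f["status"] != "not_affected"),
        "findings": findings,
    }


if __name__ == "__main__":
    print(json.dumps(product_report(SBOM_JSON, ADVISORIES, ANALYSIS), indent=2))
```

Run as a script, the report lists the two component hits (libfoo and libbaz; libbar is outside the affected range) and marks the product itself as affected because one hit carries no "not_affected" analysis. The version parser deliberately rejects strings it does not understand instead of silently treating them as unaffected, which is the failure mode to avoid in a real feed.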


    “CRA and EN IEC 62443” by Dr. Kai Wollenweber, Siemens, as delivered on Oct 29th, 2024.

    The presentation provides an overview and the current status of the CRA-related standardization activities. It focuses on the interplay with the relevant standards of the EN IEC 62443 cybersecurity framework and on the challenges on the way to harmonized, listed standards that provide a presumption of conformity.


    “Cyber Resilience Act (CRA) – considering fundamentals and challenges from practical experience” by Torsten Förder, Beckhoff Automation, as delivered on Oct 8th, 2024.


    From an automation provider’s perspective, some fundamentals of the upcoming EU legislation, the Cyber Resilience Act, are explained. Some challenges are addressed, and a call is made to apply practical solutions that live up to the true spirit of cyber security while avoiding an overemphasis on formalism, which can have the opposite effect.



    During the webinar on Sept 24th, 2024, “Cyber Resilience Act (CRA) – Solving some Fundamental Legal Aspects”, Dr. Gerrit Hötzel from Voelker Group spoke about two topics and was available for a long Q&A session:

    Commercial Use of Open-Source Software under the Cyber Resilience Act
    Any company that integrates open-source software into a product placed on the EU market in the course of commercial activity will have to demonstrate conformity of that open-source software with the CRA. This is not a simple task, given that open-source software is third-party software. It also represents a significant shift from today’s straightforward use of open-source software and will fundamentally alter how such software can be employed while minimizing legal risks. The talk covers this and further aspects of open-source software under the CRA, e.g. security attestations for open-source software and the so-called open-source software stewards.

    Ten Examples of Cases for CRA Contract Design and Supply Chain Management
    One key element of the Cyber Resilience Act (CRA) is its emphasis on the supply chain. Many obligations imposed on commercial enterprises can only be fulfilled if suppliers are contractually required to participate in the conformity assessment, particularly concerning software included in their products. However, the contractual arrangements with suppliers are not the only critical factor; the agreements with customers are equally important. In addition to the requirements to provide security updates and information to customers, the CRA introduces a major change: a mandatory support period, generally at least five years, during which vulnerabilities must be handled. Does this mean that all warranty and liability clauses in terms and conditions and sales contracts need to be revised to accommodate this new requirement?