
Bolstering the cybersecurity of products in Europe

Latest News 02 Mar 2023

A cyber secure microprocessor does not make a fridge cyber secure. When it comes to building the foundations of a robust cybersecurity system for Europe, standards must reflect the actual level of cybersecurity risk posed by a product as a whole, taking into account the different levels of associated risks, in a comprehensive manner. This means ensuring the (cyber) security of the components, but also the way these are assembled and turned into the finished appliance.

Around 10% of products are classed as ‘critical’ or ‘most critical’ in the EU's proposed Cyber Resilience Act, including the vast majority of home appliances. The list of digital elements in products defined as ‘critical’ is extremely wide, featuring nearly every connected application. This presents an “unnecessary burden,” said Paolo Falcioni, APPLiA Director General, as ‘critical’ products would be subject to mandatory, external, third-party assessment, “adding an extra layer to placing products on the market, with no added value for consumers.”

A clear distinction must be made between appliances that pose a high cybersecurity risk and those that pose a low one. The exchange of data when using a washing machine is clearly low-risk compared to the exchange of data when using a mobile banking app, for instance. If that same washing machine is used in a home environment, it is considered subject to a low cybersecurity risk. However, if the machine is used in a power plant instead, it becomes high-risk because of the sensitivity of the environment in which it is installed. In the unlikely event of this latter case, all washing machines become high-risk, according to the proposal, which clearly does not reflect the nature of the product. “Appliances come with different cybersecurity risks, which standards must reflect,” said Falcioni.

According to the proposal, manufacturers have 24 hours to report a vulnerability in a product, even in the absence of a corrective measure. This means opening the door to possible cyber attacks, de facto exposing a potential vulnerability without having a solution for it. “The opposite of what a cyber secure Europe should look like,” Falcioni continued.

The EU's Cyber Resilience Act was proposed in April 2021 with the aim of establishing common standards for the cybersecurity of products. At present, the Act is being discussed and negotiated by the European Parliament and the Council of the European Union.
