Manufacturers of connected devices, machines, and systems that use open-source software face an exceptionally high risk
DUESSELDORF – Manufacturers of connected devices, machines, and systems must be particularly vigilant when using open-source software in their products under the new EU Cyber Resilience Act (CRA). Although open-source programmes themselves are not directly bound by the CRA’s stringent rules, manufacturers of products that incorporate them are fully accountable. Jan Wendenburg, CEO of the Duesseldorf-based cyber security company ONEKEY, and his team of cyber security experts warned against this “open source trap”. The EU’s Cyber Resilience Act (CRA) requires manufacturers of connected devices to provide security updates even after delivery, for the product’s defined support period, to ensure long-term protection against cyberattacks; importers and distributors (resellers) must in turn ensure that only compliant products reach the market. Companies found in serious violation of the CRA could face fines of up to €15 million or 2.5% of their global annual revenue, whichever is higher. “If open-source software with exploitable vulnerabilities is used in new connected devices, liability does not automatically fall on the software provider but rather on the entity bringing the product with integrated software to market,” emphasizes Jan Wendenburg.
Is Open Source Synonymous with Potentially Insecure Software?
Background: The EU’s Cyber Resilience Act takes into account the specific needs of the open-source community. This approach aims to exempt non-commercial projects, universities, civil society organizations, and public administrations from the strict cybersecurity regulations. “While this is commendable as it supports research, development, and volunteer efforts, the reduced requirements could potentially lead to insecure software,” analyses cybersecurity expert Jan Wendenburg.
Jan Wendenburg is also ambivalent about the special role of the so-called “stewards” of open source projects in the Cyber Resilience Act. These are organisations, typically foundations, that provide sustained support for open source software intended for commercial use without themselves acting as manufacturers, and the CRA subjects them to a lighter regime. For example, they are completely exempt from administrative fines. Nevertheless, they must put in place a cybersecurity policy for their software, may not ignore vulnerabilities reported in it, and must cooperate with the market surveillance authorities that enforce the CRA.
Cyber Resilience Act Flawed from the Start
“Despite all the sympathy for the open source community, the numerous exceptions and mitigations for players in this sector have meant that the protective wall of defence against cyber criminals that the EU is currently building with the Cyber Resilience Act was full of holes from the outset,” analyses Jan Wendenburg. He points to the discrepancy between the lower requirements for the development of open source programmes on the one hand and the full set of obligations that apply as soon as the software is used commercially as part of a “product with digital elements” on the other. “Manufacturers of OT and IoT devices are therefore well advised to rethink their open source activities,” recommends the ONEKEY CEO. This refers to machine control systems (Operational Technology, OT), which are widely used in Industry 4.0, and devices for the Internet of Things (IoT), for example in smart homes.
Increasing Use of Open Source in OT and IoT
Open source technology is increasingly being used in the development and deployment of OT and IoT platforms. More than 100 open source projects for OT/IoT are documented in EU initiatives alone, covering a wide range of software components such as gateways, middleware for edge computing and cloud platforms. The EU is actively promoting open source projects for the OT/IoT sector.
Jan Wendenburg analyses: “While open source offers many benefits, it also presents significant challenges in OT and IoT integration. The CRA regulation introduces additional security requirements that need to be met. What’s new is the aspect of liability—any mistake could cost product manufacturers dearly.”
Software Bill of Materials and Vulnerability Assessment Are Crucial
The ONEKEY CEO advises manufacturers of networked devices, machines and systems to carry out an automated SBOM and vulnerability analysis before products are launched on the market. The abbreviation stands for “Software Bill of Materials”: an inventory of every software component identified in the product, including its version. Each listed component is then checked for vulnerabilities and the result is documented. The first step is a comparison with the CVE (Common Vulnerabilities and Exposures) database, which is maintained by the MITRE Corporation on behalf of the US government. Between 500 and 2,000 new entries of known vulnerabilities are added each month. Experts estimate that around 25 to 30 per cent of these relate to open source software. The next step is to check for unknown, so-called zero-day vulnerabilities. “However, according to the CRA, it is not enough to perform this check only when a new OT/IoT product is introduced to the market; it must be checked again and again throughout the entire product lifecycle,” clarifies Jan Wendenburg. He adds: “In the case of IoT devices for smart homes, for example, a life cycle of five years is usually assumed, but for machine control systems for Industry 4.0, the life cycle can be ten, 20 or more years.”
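The SBOM-to-vulnerability comparison described above, as an added worked example that is not ONEKEY's platform code and does not use a real CVE feed: the CycloneDX-style SBOM and the vulnerability feed are constructed inline so the script runs offline, the identifiers EXAMPLE-0001 to EXAMPLE-0003 are placeholders rather than real CVE records, and the version-range logic follows the OSV "events" convention (introduced/fixed) that public feeds use. The names `version_key`, `is_affected` and `match_sbom` are this example's own.

```python
"""Match SBOM components against a vulnerability feed (constructed example)."""
import json
import re

# Constructed CycloneDX-style SBOM for a fictional firmware image.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "components": [
    {"type": "library", "name": "openssl", "version": "1.1.1k",
     "purl": "pkg:generic/openssl@1.1.1k"},
    {"type": "library", "name": "busybox", "version": "1.36.1",
     "purl": "pkg:generic/busybox@1.36.1"},
    {"type": "library", "name": "zlib", "version": "1.2.11",
     "purl": "pkg:generic/zlib@1.2.11"}
  ]
}
"""

# Constructed vulnerability feed in OSV-like shape. Placeholder IDs, not CVEs.
VULN_FEED = [
    {"id": "EXAMPLE-0001", "package": "pkg:generic/openssl", "severity": "HIGH",
     "events": [{"introduced": "1.1.1"}, {"fixed": "1.1.1l"}]},
    {"id": "EXAMPLE-0002", "package": "pkg:generic/zlib", "severity": "CRITICAL",
     "events": [{"introduced": "0"}, {"fixed": "1.2.12"}]},
    {"id": "EXAMPLE-0003", "package": "pkg:generic/busybox", "severity": "MEDIUM",
     "events": [{"introduced": "1.30.0"}, {"fixed": "1.36.0"}]},
]

SEVERITY_RANK = {"CRITICAL": 0, "HIGH": 1, "MEDIUM": 2, "LOW": 3}


def version_key(version):
    """Turn '1.1.1k' into [(0,1),(0,1),(0,1),(1,'k')]: numeric parts compare
    numerically and letter suffixes sort after the bare number, so
    1.1.1 < 1.1.1k < 1.1.1l. Caveat: pre-release tags ('1.0.0-rc1') sort
    *after* '1.0.0' with this scheme; use an ecosystem-specific comparator
    where that matters."""
    return [(0, int(tok)) if tok.isdigit() else (1, tok)
            for tok in re.findall(r"\d+|[A-Za-z]+", version)]


def is_affected(version, events):
    """OSV-style range walk: affected once >= an 'introduced' event and
    no longer affected once >= the following 'fixed' event."""
    v = version_key(version)
    affected = False
    for ev in events:
        if "introduced" in ev and v >= version_key(ev["introduced"]):
            affected = True
        elif "fixed" in ev and v >= version_key(ev["fixed"]):
            affected = False
    return affected


def match_sbom(sbom_json, feed):
    """Return one finding per (component, vulnerability) pair whose version
    lies in an affected range, most severe first. The SBOM is fixed at
    release; the feed changes, so this is re-run against a fresh feed for
    the whole support period (the lifecycle re-check the CRA expects)."""
    sbom = json.loads(sbom_json)
    findings = []
    for comp in sbom.get("components", []):
        version = comp.get("version")
        if not version:
            continue  # no version, no range evaluation possible; flag separately
        purl = comp.get("purl", "")
        base = purl.split("?", 1)[0].split("@", 1)[0]  # strip version/qualifiers
        for vuln in feed:
            if vuln["package"] == base and is_affected(version, vuln["events"]):
                findings.append({"component": comp["name"], "version": version,
                                 "id": vuln["id"], "severity": vuln["severity"]})
    findings.sort(key=lambda f: SEVERITY_RANK.get(f["severity"], 99))
    return findings


if __name__ == "__main__":
    for f in match_sbom(SBOM_JSON, VULN_FEED):
        print(f"{f['severity']:<9}{f['id']:<15}{f['component']} {f['version']}")
```

On this constructed input the busybox entry is not reported because 1.36.1 is past the fixed version, while zlib (CRITICAL) is listed before openssl (HIGH). Matching on package identifier and version only finds vulnerabilities already in the feed; the zero-day step the text mentions needs binary analysis or fuzzing, not a lookup.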
ONEKEY is the leading European specialist in Product Cybersecurity & Compliance Management and part of the investment portfolio of PricewaterhouseCoopers Germany (PwC). The unique combination of an automated Product Cybersecurity & Compliance Platform (PCCP) with expert knowledge and consulting services provides fast and comprehensive analysis, support, and management to improve product cybersecurity and compliance from product purchasing, design, development, production to end-of-life.
Critical vulnerabilities and compliance violations in device firmware are automatically identified in binary code by AI-based technology in minutes – without source code, device, or network access. Proactively audit software supply chains with integrated Software Bill Of Materials (SBOM) generation. “Digital Cyber Twins” enable automated 24/7 post-release cybersecurity monitoring throughout the product lifecycle.
The patent-pending, integrated Compliance Wizard™ already covers the upcoming EU Cyber Resilience Act (CRA) and existing requirements according to IEC 62443-4-2, ETSI EN 303 645, UNECE R 155 and many others.
The Product Security Incident Response Team (PSIRT) is effectively supported by the integrated automatic prioritisation of vulnerabilities, significantly reducing the time to remediation.
Leading international companies in Asia, Europe and the Americas already benefit from the ONEKEY Product Cybersecurity & Compliance Platform and ONEKEY Cybersecurity Experts.
Contact us: ONEKEY GmbH,
Kaiserswerther Str. 45, 40477 Duesseldorf, Germany,
Sara Fortmann, e-mail: sara.fortmann@onekey.com,
website: https://onekey.com