Understanding the Implications of CRA Mapping for OT Security

In a recent report, the European Union Agency for Cybersecurity (ENISA) mapped existing international standards against the essential requirements of the Cyber Resilience Act (CRA). The report is particularly relevant for key players in the OT security sector, including CISOs, IT and OT security managers, compliance managers, network engineers and other industrial security professionals in the energy and utilities industries.

The report emphasizes that no harmonized standards meeting the CRA requirements exist yet. Harmonized standards are developed by the European standardization organizations (CEN, CENELEC and ETSI) at the request of the European Commission, are accessible to the public and are cited in the Official Journal of the EU; a product built to them benefits from a presumption of conformity with the essential requirements, which is what gives them their value for consistency, safety and interoperability across sectors. Until such standards are published, organizations have to map their own practices to the CRA text themselves, which is a significant challenge for anyone striving to comply.

A reassuring finding of the report is that the gap between the CRA essential requirements and the widely adopted IEC 62443 series is small.

The main gaps concern a secure default configuration, data minimization (and alignment with the GDPR), limiting a product's negative impact on the availability of services provided by other devices and networks, and designing the product to reduce the impact of an incident (exploitation mitigation mechanisms).

The report also notes that IEC 62443 lacks some requirements on vulnerability handling: coordinated disclosure, security testing, information sharing and the software bill of materials (SBOM).

Still, taking all its parts together, the IEC 62443 series is the standard that provides the best coverage of the CRA requirements.

Another contender for the most comprehensive standard is ETSI EN 303 645 V2.1.1 (2020-06), which addresses cybersecurity for consumer Internet of Things (IoT) devices. Despite its relevance to the CRA, it is relatively unknown in the utilities OT space. This finding underscores the importance of staying informed about standards outside our own sector that could shape our cybersecurity strategies.

These insights raise several questions:

  • Were you surprised by the IEC 62443 gaps?

  • Were you aware of the ETSI EN 303 645 V2.1.1 standard before reading this post?

  • Do you anticipate the publication of a harmonized standard by 2027 to cover the CRA requirements?

  • What implications would this have for our industry?

Engaging in this dialogue is crucial for advancing our collective understanding and approach to OT security. At Rhebo, we are dedicated to navigating these challenges and providing solutions that align with evolving standards and regulations and the demands of our growing customer base. 

Join the conversation and share your perspectives on these issues. Together, we shape the future of OT security and resilience.
