Keywords
CRA, Cyber Resilience Act, smart meter, essential entity, IEC 62443, CC EAL4, EUCC
Summary
Dr. André Egners, responsible for security strategy at Landis+Gyr and active in standardization committees, talks about the cybersecurity of smart meters in the light of the Cyber Resilience Act (CRA). He explains how he uses the IEC 62443 security levels in his decision-making and what companies can do to obtain more cybersecurity when purchasing new components.
Takeaways
As critical components, smart meters are far too accessible to third parties. In several countries they are installed in public spaces where anybody can open them.
The Delegated Act of the Radio Equipment Directive already addresses some relevant cybersecurity requirements.
Smart component vendors should not wait until the Directives become fully operational and the harmonized standards are available.
The IEC 62443 standard is a solid tool to proactively strive for CRA compliance.
Because IEC 62443 addresses vendors, operators and integrators separately, it is truly useful for companies.
The required security level of a product can be evaluated by comparing it to the necessary capabilities AND by analyzing the relevant threat actors targeting this product.
When facing nation-state threat actors, security level 4 should be the aim.
In essential entities, new components should be evaluated with security level 4 in mind: if not to comply, then at least to know and understand the residual risk and to define additional security measures.
For essential entities, certifications for components and systems become inevitable.
Frameworks requiring mandatory re-certifications after product updates have become unmanageable for digitized products.
Sound Bites
In the end, we need a Secure Development Lifecycle for products. That’s what it’s all about: to develop products with security in mind from the very start, not to have to deal with a myriad of vulnerabilities later in the field.
IEC 62443 as a harmonized standard is the best bet. From my point of view it’s an intelligent choice to minimize risk.
If you test capabilities according to IEC 62443, it becomes way easier for you to compare and select products during purchasing.
The higher the security level the better the security features of a product must be.
The cybersecurity requirements in tenders have grown as a non-price criterion.
Companies should add validatable security criteria to their tenders.
Chapters
00:00 Introduction
01:23 Short explanation of the Cyber Resilience Act (CRA)
03:21 The influence of the CRA and Radio Equipment Directive on the smart meter product development
06:28 The relevance of standards in the smart meter product development
08:12 IEC 62443 and the CRA
10:28 Why the IEC 62443 standard is the right choice
13:12 Security levels according to IEC 62443
17:15 The relevance of cybersecurity in tenders
18:40 CC EAL4 vs EUCC certification
21:11 Best practice recommendations for the Purchasing Departments