How can vendors proactively act on the CRA?

Dr. André Egners, responsible for security strategy at Landis+Gyr and active in standardization committees, talks about the cybersecurity of smart meters in the light of the Cyber Resilience Act (CRA). He explains how he utilizes the IEC 62443 security levels in his decision making and what companies can do to get more cybersecurity when purchasing new components.

Duration:

23 min

Guest in this episode:

Dr. André Egners

Solution Product Manager Security Landis+Gyr

FAQ

Facts on the topic

How does the Cyber Resilience Act (CRA) impact Smart Metering?

The Cyber Resilience Act (CRA) introduces mandatory cybersecurity requirements for products with digital elements. For Smart Meters, which are considered critical components due to their accessibility in public spaces and their role in the energy grid, the CRA demands security-by-design. Manufacturers must ensure a Secure Development Lifecycle (SDL) and provide long-term vulnerability management. While harmonized standards are still being finalized, the CRA essentially shifts cybersecurity from a "nice-to-have" to a legal "must-have" for any vendor entering the EU market.

Why is IEC 62443 the "best bet" for achieving CRA compliance?

IEC 62443 is widely considered the leading international standard for industrial automation and control systems (IACS). It is highly effective for CRA compliance because:

Role-Specific: It addresses vendors, integrators, and operators separately.
Maturity: It provides a structured framework for Secure Development Lifecycles (Part 4-1) and technical component requirements (Part 4-2).
Future-Proofing: Aligning with IEC 62443 now allows companies to meet current security needs while being prepared for when the CRA’s harmonized standards officially become operational.

What are IEC 62443 Security Levels (SL), and which one is needed for Essential Entities?

Security Levels (SL 1 to SL 4) define the resistance of a component against different classes of threat actors.

For essential entities and critical infrastructure, the aim should be Security Level 4 (SL 4).
SL 4 is designed to withstand attacks from nation-state actors with high motivation and extensive resources. Even if SL 4 is not fully met, evaluating a component against this level helps organizations understand residual risks and implement necessary compensating security measures.

How can Procurement Departments use cybersecurity as a non-price criterion in tenders?

Cybersecurity has evolved into a critical non-price criterion in tenders. To ensure high resilience, purchasing departments should:

Request Verifiable Criteria: Instead of asking vague questions, require proof of specific capabilities according to IEC 62443 or certifications like CC EAL4 (Common Criteria) and the upcoming EUCC.
Compare Technical Capabilities: Using standardized security levels makes it significantly easier to compare the actual security "strength" of different products.
‍Account for Lifecycle: Ensure the vendor commits to vulnerability management and patching for the entire expected lifespan of the hardware.