The EU Cyber Resilience Act (CRA) has put manufacturers of B2B and B2C products with digital elements on notice: they have until December 2027 to comply, and from that date forward, only products with a “CE Mark” may be sold in the EU. The mark certifies a level of cybersecurity resilience within the product where risks have been assessed, secure development practices have been followed, and a security roadmap has been developed for the lifecycle of a product.
The act includes a number of essential requirements that aren’t going away and should be the North Star for manufacturers in their compliance efforts. The requirements are centered around incident prevention through secure-by-design and secure-by-default (out of the box) principles, incident readiness and resilience, and incident and vulnerability handling.
In this episode of the Nexus Podcast—No. 100!—Sarah Fluchs joins to discuss her work as a Type-A member in the EU commission's Cyber Resilience Act Expert Group, the ongoing progress—and challenges—around the CRA, and her passion for bringing cybersecurity principles to engineers and other non-security technologists.
Fluchs points out that the CRA veers away from other cybersecurity regulations governing critical infrastructure, where non-compliance may—or may not—result in a fine, for example.
“For the Cyber Resilience Act, that's really a difference because manufacturers feel, and that's why they are starting to get very nervous about it, that this could really be revenue-stream disrupting,” Fluchs said. “Because if you don't comply, you're simply not allowed to place your product on the market anymore in the European Union. And that's, I think, what makes it so big.”
As compliance efforts ramp up, Fluchs said some manufacturers, for example, are concerned about vague language within the regulation and how it may impede what they’re trying to accomplish.
“It's adding to the insecurity of manufacturers because they say, ‘Okay, there's so many uncertainties and things that are yet to be defined. How do we even start?’ In their minds, there's this big elephant of the CRA with many requirements for some things [that] they don't even know exactly what to do. So that obviously is a challenge,” Fluchs said.
She adds that companies perhaps may have to alter strategic product decisions in order to comply with the CRA.
“It's not like you just decide today that you want to be more secure and tomorrow your product is more secure. It takes time until you have changed processes and features and you need to make strategic product decisions about what you are going to sell after 2027,” Fluchs said. “That's why manufacturers know that they need to act now and they are nervous because there are these uncertainties and they feel they can't really act.”
With the secure-by-demand and -default requirements of the CRA, Fluchs’ work with bringing cybersecurity to engineers and other non-security teams takes on heightened importance. At this year’s S4 Conference, Fluchs presented a concept called Cyber Decisions Diagrams, below, which break down cybersecurity concepts into a simplified visual representation. Engineers, she said, must be able to bring their knowledge of industrial and other processes to risk assessments, for example. They can communicate the consequences of a faulty configuration, or failure of a process or system due to a software or firmware vulnerability.
“I think the reason why I've worked so much on this is because one group, one large group of non-cyber security experts is engineers. In OT cybersecurity, you always need to work with engineers because they have all the knowledge that you need in order to do good risk assessments,” Fluchs said. “And I don't think we've done a good enough job in getting their knowledge in there so far. And that's why we've worked on that so much. And the approach we've come up with is a pretty visual approach.”
00:01.68
Michael Mimoso
All right, welcome back to the Nexus podcast. Excited to bring you episode number 100. And I am so happy that Sarah Flux is my guest.
00:08.77
Sarah
Thank you.
00:10.97
Michael Mimoso
Sarah is one of the most well-regarded and influential security and technology professionals out there. And she's done a lot of excellent writing and presenting on a number of topics, including the Cyber Resilience Act, ah secure by design, whatever that means, and how to bring cybersecurity closer to engineering and asset operators, all topics that are definitely very pertinent to to you, the listener. As I mentioned, this is our 100th episode, and I just want to take a second to thank every single guest who has given their time ah to share their expertise with you here. We started the show a few years ago, and it's really become a fascinating snapshot of how OT and IoT cybersecurity has really matured and and matured rapidly during that time. So ah my sincere thanks again to every guest and to for to you all for listening. I can't tell you how much
01:05.61
Michael Mimoso
I appreciate all of you who listen and subscribe. i know I listen to a lot of podcasts and I know how competitive and challenging it is to get your attention. So trust me, it's very much appreciated.
01:17.04
Michael Mimoso
ah So with that said, let's start to today's episode and bring in Sarah. How are you, Sarah?
01:22.77
Sarah
Well, thanks. Great. Thank you for having me and congratulations on your 100th episode. That's really an achievement.
01:29.70
Michael Mimoso
Thank you. yeah Yeah, I get a lot of support for this from Clarity and the team here and obviously ah the guests like you. So I really appreciate that. It's it's fun. i I really enjoy doing it And I really you know enjoy bringing people who are a lot smarter than I am in security ah to the show and let them kind of share what but they know and their experiences. And it's it's been fun.
01:53.59
Sarah
Well, then let's dive in.
01:55.56
Michael Mimoso
Yes, let's dive in. um All right, so let's start with the Cyber Resilience Act. And I know you kind of ah intimately involved with it and you've done a lot of ah presenting on it. And just to kind of recap, it's obviously a regulation promises to improve product security, introduces a lot of requirements and mostly at manufacturers of products with digital elements um and kind of focuses in on um the design, the development, maintenance of these products.
02:22.13
Michael Mimoso
yeah Just curious, just from, you know, your experience um in in kind of getting this off the ground and seeing how it's grown, how do you characterize the importance of this regulation? i mean, what, what, in your opinion, was it a reaction to? Is it just kind of like a reaction to the hyperconductivity of all these products or something else? Just give me your kind of overall characterization of the reg.
02:47.67
Sarah
Well, it's interesting when it first came up, I think it was back in 2022. twenty two um And I kind of stumbled into the cyber resilience and was like, okay, the EU commission has released this draft regulation that I should probably look into that because I mean, i was at that time full time um occupied on security by design research more or less full time.
03:10.23
Michael Mimoso
Thank you.
03:10.82
Sarah
And um So that was exactly my thing. And I was like, okay, there suddenly is a government putting out a serious security by design regulation. So that's something worth diving in. And the deeper I...
03:28.81
Sarah
I got into that, I realized that there's going to be something pretty big. And I think that's with, of course, a bit of delay manufacturers now are also realizing. For a lot of the times, I have the feeling that the CRA compared to manufacturers regulations and also other security by design initiatives, for example, by CESAR, kind of flew under the radar.
03:52.48
Sarah
So everybody was talking, at least in Europe, about NIST-2 and critical infrastructure regulations and and all these things.
03:58.38
Michael Mimoso
Sure.
04:00.81
Sarah
um And nobody talked that much about the Cyber Resilience Act. And I know that the people at the EU commissioned that wrote the Cyber Resilience Act and negotiated the Cyber Resilience Act with the parliament and the council in the European Union.
04:15.81
Sarah
They were even surprised that it went through with so little discussion because just the attention wasn't wasn't really there. And now I think yeah people are starting to realize how big it is. And I think the big difference to the critical infrastructure regulation that we're used to is if there is an asset owner that is not compliant to critical infrastructure regulation, then, well, maybe they could sometimes get a fine.
04:42.70
Sarah
And I don't really think they havet there have too many fines. um And for the Cyber Resilience Act, that's really a difference because And manufacturers feel, and that's why they are starting to get very ah nervous about that, that this could really be revenue revenue revenue stream disrupting.
05:04.85
Sarah
um Because if you don't comply, you're simply not allowed to place your product on the market anymore in the European Union. And that's, I think, what makes it so big.
05:16.56
Michael Mimoso
Do you think that there their hope their or their their objective here was to kind of have the CRA do for product security, say what GDPR did for privacy? Is that a fair kind of um comparison of the of the outcomes that are hoped for?
05:33.21
Sarah
I hope not, actually, because gd GDPR was here at the European Union, at least. it was It was really, there was a big hype before it was there. And everybody said, oh we need to do something about GDPR. And there was going to be huge fines. And in the end, it wasn't that big, at least for most.
05:51.13
Sarah
And also, so that's that's it's a bit more like critical infrastructure regulation because it's more business of, you You could get a fine if you don't comply. That's still different than you need to do something before you even place your product on the market.
06:04.62
Michael Mimoso
Mm-hmm.
06:04.81
Sarah
So I'd say it's it's it's decidedly different than GDPR. um in a way that it's really more strict um and more impactful for manufacturers potentially. And also, I'm not aware of any other part of the world where there is a regulation like this on product security. I mean, there are a few on smaller scopes on on IoT and on...
06:32.44
Sarah
um vehicles and and things like that. And there are a few voluntary labels or things like that, but not for such a huge scope. So for all products with digital elements, a label or a marketing requirements that you have to meet cybersecurity requirements, and otherwise you really can't put that product on them on the market for really virtually every every digital product. so the combination of really this this strictness in combination with the huge scope, I think that's what makes it pretty unique.
07:13.55
Michael Mimoso
And we should probably clear up that this applies to B2B products and not just consumer, consumer facing products. is That's correct, right?
07:22.21
Sarah
Yeah, that's correct. And I think that's also the problem that B2B products often have because Of course, there are many more consumer products compared to B2B products. And um i too, sometimes have the feeling when I read the CRA legal text that it was written more with consumer products in mind.
07:41.97
Michael Mimoso
Mm-hmm.
07:42.20
Sarah
So some things were sometimes it doesn't make much sense. I wouldn't even say that, but it's harder to do for B2B products.
07:53.73
Sarah
Because take, for example, there is a requirement on a factory reset. So you have to have a factory reset for your products. And then, of course, for B2C products, um that's a no-brainer.
08:07.00
Sarah
I mean, most most digital products that you have probably have this small button where you can factory reset the product.
08:11.77
Michael Mimoso
Right.
08:12.64
Sarah
So that's completely normal. So it wouldn't be a big thing to put that into a regulation. And then for B2B products, no product has that. And if you would imagine, sometimes it's even adding risk compared to the security benefits that it could have to add a a a factory reset.
08:33.68
Sarah
If you have a PLC and there's a factory reset button, well, that's a pretty but pretty big risk to add to a component, actually.
08:39.54
Michael Mimoso
right
08:39.72
Sarah
So it doesn't really improve the security. so And that's just one example where I say i so i think that's the reason why um B2B products and and ah the industry sometimes struggles with the CRA.
08:53.79
Michael Mimoso
So maybe ah it'd be good to kind of level set and explain where things are today. I know that there was an expert group meeting scheduled recently. Can you update us on what came out of it and and where things stand today with the regular?
09:09.35
Sarah
Yeah, well, the expert group is consulting, just consulting the European Commission on implementation guidances and things like that that around the CRA.
09:20.37
Sarah
um And I mean, the most most questions I think I get about c recently are questions about when are requirements finally going to get more specific because they're pretty work in in in in the Cyber Resilience Act. And when do we get guidance on so many questions? What is due diligence exactly? And what kind of products are remote processing solutions. What kind of remote processing solutions count to the product and which ones don't?
09:54.15
Sarah
And what is a substantial change? Because if legacy products undergo a substantial change, then they also fall under the CRA and otherwise they don't. So these are all really follow-up questions on the requirements regarding wording and definition definitions and requirements and interpretation of requirements where people are trying to get more specific guidance. And that's also always a big topic in the CRA expert group meetings because the
10:24.98
Sarah
The EU Commission explains what kind of guidance they're planning to do. And they also get the feedback from the experts to see what but should they prioritize and where else may guidance be necessary.
10:35.94
Sarah
And of course, there's also an update on on harmonized standards. um But the EU Commission really can do only so much about that because harmonized standards are now in the hands of the European Standardization Organization. So they can report and they can set deadlines and due dates, but they can't really influence how fast it's going.
10:55.96
Michael Mimoso
So are the the vagaries in the standard, what is what are they doing to compliance efforts right now? Is that slowing things down for companies? And do you expect ah more specifics to be, more specific language to be added to the regulation?
11:14.14
Sarah
Well, it's adding to the insecurity of um of manufacturers because they say, okay, there's so many uncertainties and things that are yet to be defined. How do we even start? And there's, in their minds, there's this big elephant of the CRA with this many requirements for some things they don't even know exactly what to do. So that obviously is is a challenge. And at the same time, um especially B2B products, but for consumer products, it's not much different.
11:43.25
Sarah
I mean, product life cycles and the time it takes to build new features into a product are long. So it's not like you just decide today that you want to be more secure and tomorrow your product is more secure, but it takes time until you have changed processes and features and you need to make strategic product decisions about what are you going to sell after 2027, so after the due date um of the CRA and what can't you sell anymore and where do you do an upgrade so that you're compliant and which products you you maybe take off market.
12:17.64
Sarah
um And that's why manufacturers know that they need to act now and they are nervous because there are these uncertainties and they feel they can't really act.
12:30.16
Sarah
And the answer that I always give them when they have these uncertainties is well, focus on what you do know. And we do know that there are the essential requirements.
12:40.56
Sarah
That's the Annex 1 requirements in the CRA. These are there. They are not going to change and you can take them for granted. And we know that these are and there's a very important sentence above these essential requirements saying you need to do that based on risk.
12:57.47
Sarah
So you really and you are allowed allowed to do your own risk assessment that helps you with interpreting how you interpret these equal requirements for your product.
13:09.60
Sarah
And they are really they are allowed to do that. They don't have to wait for a standard doing that for them. And they're also encouraged to do that ah from the side of the EU Commission. So that definitely is the the encouragement to get started and to have the courage to to to do the risk assessment and interpret the requirements because they are there.
13:28.66
Michael Mimoso
Right.
13:32.26
Sarah
They won't change. um Definitely not.
13:36.49
Michael Mimoso
I mean, the essential requirements, everything in in the regulation seems pretty expansive. And I would imagine that some of these manufacturers are facing some significant costs.
13:42.38
Sarah
Thank you.
13:47.58
Michael Mimoso
How hard do you expect them to to push back against this? I mean, they they really have no choice in the end, but what are you hearing from from their end?
13:57.41
Sarah
Well, they can't really push back because it's there.
13:59.72
Michael Mimoso
Right.
14:00.58
Sarah
So the elephant is in the room. um What they can do is, um but but they also are doing is to see that the interpretation of the requirements. So what that means for a certain product category,
14:16.38
Sarah
that this goes into the right direction. And many have started to be involved in creating these harmonized standards because they do this requirement interpretation and see that something useful comes out of that.
14:31.00
Sarah
um So, and and then there's also debates about um what kind of, I mean, there are the product categories in the Annexes 3 and 4, the important critical products in the CRA.
14:45.09
Sarah
And for these, they don't have any stricter requirements, but they have higher requirements regarding conformity assessments. um So let's also, of course, it matters which kind of products fall into these categories or not. And this is also something that's currently debated. and But the good news is that manufacturers really can um contribute to the discussion there. So for these descriptions, for these important critical product descriptions, for example, the EU has put out a draft description and that was open for comment. And I think a second version will come out in June and be open for comment. So um there are ways to, and my experience is that the EU commission has always been very open
15:30.77
Sarah
to getting input from the industry on details that they may have overlooked or things that are hard to do in practice or all things like that.
15:37.61
Michael Mimoso
Mm-hmm.
15:40.96
Sarah
and And it's, after all, it's good news that some things are still vague because that still means that they're open to be defined. And I think any regulation with such a broad scope that wouldn't have a lot of room for interpretation would do a pretty bad job because you can't really preemptively answer all the questions and all the special cases that are ah there out there. Yeah.
16:04.67
Sarah
ye
16:06.41
Michael Mimoso
Do you see a ah ah changing attitude toward um regulation overall from the security community? like I mean, I can remember not too long ago that you know a lot of companies were pushed back against regulation. They wanted to self-regulate, but has that time kind of passed? Are they welcoming some kind of prescriptive guidance from from government when it comes to cybersecurity?
16:30.71
Sarah
Well... I think that really depends on whom you ask. um In case of the CRA, asset owners, operators are definitely welcoming the CRA because they have regulated all the time.
16:38.78
Michael Mimoso
you
16:46.06
Sarah
And now finally, they have this blind spot with all the components that they have to buy from manufacturers and but they have to trust that there's security in there. so And now for the first time, manufacturers are regulated as well. so So they definitely welcome that.
17:01.94
Sarah
manufacturers obviously tend not to welcome it because of course i mean it's it's additional regulation it costs money um and it's it's it's some kind of documentation that you need to do on top but working with manufacturers and with the product cyber security teams they in turn often say well finally i have a reason to direct some attention and money to all the things that we've been trying to convince people of doing in our companies anyway.
17:31.59
Sarah
So it really depends a lot on who you ask. And also, I think it depends a lot on who you ask, like, regionally, because, I mean, it's it's no um it's no secret that people in the EU are generally more open to regulating things than in the US, for example.
17:52.74
Sarah
um And it's probably also no coincidence that the CRA is a EU regulation and not a US regulation.
17:59.89
Michael Mimoso
Right. Um, let's talk about the essential requirements ah for a little bit. um I find it encouraging that there's a lot of security by design discussion there, a real focus on resilience and kind of maintenance of the the product over its lifecycle in terms of vulnerabilities and and so forth.
18:19.86
Michael Mimoso
um Just love to get your thoughts on kind of the way the the regulation is structured and those are the kind of like the, what what everyone should be aiming for.
18:28.19
Sarah
Thank you.
18:29.69
Michael Mimoso
do you think that they they hit the target um with those essential requirements or should it be a little broader?
18:37.72
Sarah
I think um the best answer to that is that they're really – I mean, i I've discussed the CRA with really many people over the last years.
18:48.50
Sarah
And I've heard, of course, all i think all kinds of criticism that you can have around it. But all this criticism – and that's the same the same experience for people in the EU who have negotiated and written the CRA – They have also said all the criticism that they received about the CRA was rarely about the essential requirements. there was really i don't remember a single debate being about any essential requirement being wrong or being or missing or being worded the wrong way or things like that.
19:25.51
Sarah
um Debates were in other fields. I come to that in a minute. But that is for me a pretty good sign that these requirements really are industry condenses. So I don't think, of course, you can always debate about but about detailed requirements. But in general, I think these are the requirements that we need.
19:44.57
Sarah
They are not that many. It's just two pages of essential requirements. um But they hit the right spots. so um And I think that they really do reflect a broad industry consensus that's long been there.
19:58.02
Sarah
And that's now in the regulation. I mean, even the S-bomb made it in there.
20:08.43
Michael Mimoso
Yeah, I mean... I don't know. I just, you hear so much about security by design and by default and so forth, especially from CISA that you just hope it's more than words, that it's actually, it's and enforceable and it's it's able to be put in practice um over the long term.
20:27.42
Sarah
Well, I think the good thing is that they don't just write, have any, i don't know, any any kind of software development, security development life cycle, but they really have
20:41.72
Sarah
requirements more on the side of product characteristics that need to be in place.
20:45.90
Michael Mimoso
Mm-hmm.
20:45.94
Sarah
So in comparison to many other standards or regulations that say, OK, here's a life cycle that you need to follow for your product, you need to do all these things.
20:46.06
Michael Mimoso
Mm-hmm.
20:55.20
Sarah
And in the end, um your product becomes more secure. The CRA is more about, okay, this is the outcome. This is what needs to be in your product and you care you you care about how to how to do that, how to make sure it is in your product, but make sure this is the outcome.
21:10.63
Sarah
So at the first point is make sure that there are no exploitable vulnerabilities in the product. We don't care how you do that, but ensure and ensure that this is the outcome. And I think for regulation, that needs to be some kind of um testable, um that's the right approach to say, okay, the product has to be these other the features and the the characteristics that the product is going to have.
21:33.82
Sarah
Because otherwise it's going to be yet another standard where you have you have some processes in place that don't don't guarantee you that there's good security in the end because you can always do it good or or bad.
21:42.21
Michael Mimoso
right
21:45.66
Sarah
And then it makes sense to achieve the CRA outcome. If you want to to achieve that, then it makes sense to take, any of the well-known security development lifecycle approaches.
21:56.26
Sarah
I think that's that's pretty clear, but companies and manufacturers are free to choose how they want to do that. And I think that's the right the right approach.
22:04.76
Michael Mimoso
Right. So as we come up on 2027 and then the ultimate compliance date, just how do you think, what what are some of the milestones we should be looking for in the meantime? And ultimately, how do you measure success for this?
22:21.92
Sarah
How do we measure success for like as a manufacturer working towards CRA or for the CRA regulation or?
22:26.07
Michael Mimoso
Yeah, correct. Correct.
22:29.05
Sarah
okay Well, if your manufacturer approaching CRA, I think there is an intermediate milestone you need to be aware of.
22:35.40
Michael Mimoso
Thank you.
22:37.11
Sarah
That's the 11th of September, 2026. That's when the reporting obligations start. So you need to be able to report actively exploited vulnerabilities and severe incidents for your products.
22:50.99
Sarah
So that's really, i always like to write, it's actively exploited vulnerabilities. So it's not a CVE coming up in a scan. You don't need to report that. But you need to report if there was an incident, so someone exploited vulnerability in one of your products.
23:06.39
Sarah
So and you need to be able to report that there's going to be a ah platform set up by ENISA, I think, by the EU, where you have to report these um
23:19.31
Michael Mimoso
Mm-hmm.
23:20.76
Sarah
these incidents. So that's the first thing. and and And that you need to do for all products, not just for new products or products that fall on the CRA, but simply all your products. So that's the first milestone. And the second milestone, then, is of course, 11th of December, 2027, is where the CRA applies in full, so all products that you're sell after this date need to meet all the CRA requirements, um regardless of if you have sold them before.
23:49.08
Sarah
So if you sell them on 10th of December, they don't have to meet the requirements. If you sell them after 11th, they have to.
23:55.46
Michael Mimoso
Right.
23:56.00
Sarah
um And I think the I always see four areas that people or manufacturers need to focus on based on how we work with manufacturers towards CRA currently.
24:11.25
Sarah
So that's first is product design. So really take these Annex 1 part 1 product characteristics. and work towards, but or maybe first build a product roadmap and say, okay, what kind of products do we have? What kind of products fall under the CRA?
24:30.28
Sarah
And where do we stand regarding our products? And then pretty soon make the decision which products you want to bring towards compliance and which ones you don't.
24:41.96
Sarah
Because that's like your your roadmap for the next for the next two years until 2027.
24:46.23
Michael Mimoso
Mm-hmm.
24:47.82
Sarah
um And if you say, okay, you want to bring towards compliance and they have some weak spots in this Annex 1 characteristics and essential requirements, um then the first really important thing to do is to do the risk assessment and say, okay,
25:06.68
Sarah
um here's the product, it doesn't meet this requirement, I think, or it has, i don't know how how it should meet this requirement. Do the risk assessment, see what the actual risks to your customers are using that product, and then based on that, decide how to, ah if and how you need to meet that requirement.
25:22.19
Michael Mimoso
Thank
25:25.90
Sarah
And then move towards that, and of course, see that your development process is changed in a way that your products can meet them in future. in the future Then there's the whole block of, so that was product design.
25:37.80
Sarah
um Then there's the whole block of vulnerability management. So that's also the reporting obligations, but also for your products, you need to have some mechanisms in place to be aware of vulnerabilities and you have to um
25:55.18
Sarah
have certain, at least you have to know how to, how you distribute security updates to your clients. You also have to do that for free and how to write good security advisories because you have to publish those.
26:06.86
Michael Mimoso
Mm-hmm.
26:08.11
Sarah
Then there's the portion of procurement that I think is often overlooked, but also very relevant. um And that's because most products, I mean, we all know that the the whole supply chain issues, you probably have products in your products that are also um need to be CRA compliant.
26:28.09
Sarah
And you really need to find a way to identify your your suppliers and to make sure that your suppliers meet the CRA in a way that's usable for you. So, For example, if they have if they publish security advisories, it helps if you can use them for your own security advisories. Or if they meet security features, such as requirements, a certain way and you want to integrate them into your product, then maybe you have certain requirements how to do that so that it makes sense for your whole product and things like that. So half a have an idea on what...
27:04.08
Sarah
what existing suppliers are how important for your product and how to make sure that you because you in the end are responsible for the entire product not just for the for the parts that you build yourself but also for the parts that you procure from third parties um well and then there's the fourth the fourth pillar is documentation um and that sounds simple um and mostly it is because for a large part is simply documenting everything that
27:17.99
Michael Mimoso
Mm-hmm.
27:31.07
Sarah
um You can show to market surveillance or to notified bodies in order to make sure that you're compliant and to prove that you're compliant. But then there's also, um and I think that's also often overlooked, the information instructions to the user.
27:44.89
Sarah
um So that really is a kind of cybersecurity handbook that you hand out to every buyer of your product um that contains everything regarding security that matters to your to your customers.
27:57.59
Michael Mimoso
Mm-hmm.
27:57.88
Sarah
And I think that really, for consumer products, it doesn't matter that much. Probably no one is going to read that apart from a few security nerds. But for B2B products, that really can be a game changer because that can really make your B2B customers very happy. And it's really actual, it's actually useful for them and and save them money if you do that in a way that helps them to do their own security risk assessment faster.
28:28.00
Sarah
For example, critical infrastructure regulated customers. And so if you sell a control system or PLC to a ah water utility, then they need to do their own security risk assessments. And if you deliver to them the information in a way that they can really efficiently use in their own risk assessments, then really saves them time and money.
28:51.27
Michael Mimoso
Yeah, it's a huge baseline.
28:51.39
Sarah
That's why this information, yeah, it is. It is. And that's why these, and it's something completely new. I mean, if you buy a digital product right now, you don't get a cybersecurity handbook.
28:57.89
Michael Mimoso
Yeah.
29:01.50
Sarah
You need to get all this information by hand, by requesting, by asking the manufacturer. I've spent so many hours on the phone with manufacturers on behalf of asset owners asking about,
29:12.58
Sarah
basic security features or which protocol do you use for for what or how does the architecture look like in this case and this is all information if you really provide that in the cyber security handbook in a easy to digest way that's a game change i believe yeah so these are four pillars basically so product design, reliability management, procurement, documentation and that's the things that you need to work towards as a manufacturer.
29:27.71
Michael Mimoso
Right. It's huge. Mm-hmm.
29:37.59
Michael Mimoso
Sounds like, uh, it sounds like the industry has a lot of work to do in the next couple of years.
29:42.54
Sarah
That's right. But to be fair, many of these things, I mean, it's not like they've been living under a rock. So vulnerability management, most manufacturers do that in some way or the other.
29:49.34
Michael Mimoso
Right.
29:52.93
Sarah
so most that I've talked to are not very nervous about vulnerability management, for example.
29:53.62
Michael Mimoso
Mm-hmm.
29:59.96
Michael Mimoso
right so before we wrap up, Sarah, I definitely want to talk a ah little bit about some of the the thought leadership you've been doing around ah bringing security to to engineers and asset operators and not necessarily security people. And um you've done a lot of work on like,
30:16.71
Michael Mimoso
I know at your S4 presentation this year on the cyber decisions diagrams, there's a really kind of interesting way to talk security to non-security people, if if that's a ah fair characterization.
30:31.22
Michael Mimoso
I'd love to hear more about kind of how you came up with it and you know how successful you've been in kind of using it or sharing it with others.
30:40.13
Sarah
Yeah, absolutely. It's probably also a good timing because I think the video has been released this week, or last week or something.
30:46.79
Michael Mimoso
I think so. Correct. Yeah.
30:47.82
Sarah
yeah So you can actually watch that. um we I mean, to be honest, it's something I've been working on ever since I've been in the industry. So how to um you yeah summarize that pretty well, um how to communicate cybersecurity to non-security experts.
31:07.19
Sarah
um
31:10.05
Sarah
It's also about how to get the expertise from non-security experts for security. So the input and the output. So how to get the get the knowledge from non-security experts that's really relevant for your cybersecurity engineers, for example, and also how to communicate it to people that need to work um welcome with the cybersecurity results.
31:31.48
Sarah
um And I think the reason why I've worked so much on this is because um one group, one large group of non-cyber security experts is engineers.
31:43.50
Sarah
In OT cybersecurity, you always need to work with engineers because they have all the knowledge that you need in order to do good risk assessments.
31:50.38
Michael Mimoso
Mm-hmm.
31:50.72
Sarah
And I don't think we've we've done a good enough job in getting their knowledge in there so far. um And that's why we've worked on that so much. And the approach we've come up is pretty visual approach.
32:07.57
Sarah
So you actually create basic diagrams on the things that you, on the basic functions that your product or your system has. um And then we have some ways to um lay out top of these functions risks that you may have and attack scenarios and also requirements. So things that you change about your architecture, about your product, about your system,
32:34.16
Sarah
because of cybersecurity. And if you have all this information on top of your functions, then you have three things that you can really easily communicate to everyone um if you have a diagram like that. So you can really easily communicate how does my system work and why and and what is what are bottlenecks, for example.
32:54.40
Sarah
um Even for non-technical people.
32:57.94
Michael Mimoso
Mm-hmm.
32:57.98
Sarah
And you know how could i how could I easiest ah attack it?
32:58.08
Michael Mimoso
Mm-hmm.
33:03.31
Sarah
And you know what are the things that I need to change about it in order to improve its security? And you need you see all that more or less um on on the first look, and you can make can make it easy to communicate.
33:18.23
Sarah
And we've been working with that, frankly. um i use it every day. So we have a software tool that does it that's big. that that that's pretty efficient in doing that.
33:30.31
Sarah
We do our entire risk assessment based on that. So in getting the information from engineers, um into the risk assessments, making them accessible and digestible for cybersecurity teams, and also in communicating the results of all these risk assessments and decisions that you make based on risk.
33:50.37
Sarah
For example, for the Cyber Resilience Act, that's really that's really important, but also for our critical infrastructures to communicate these results both to your own management and also to authorities and auditors and things like that.
34:04.86
Michael Mimoso
Mm-hmm.
34:05.02
Sarah
And these are really all these use cases for from getting deeply technical people's knowledge into risk assessment, getting their opinions on the results, um and also also communicating the results to people that are not involved with the technology in depth.
34:22.96
Sarah
um It has proved really useful.
34:25.03
Michael Mimoso
Yeah. I mean, what I like about it is not only that it's, you know, there's the visual representation, as you mentioned, but you're eliminating um a lot of complexity, a lot of the the jargon that comes with cybersecurity. And I think in the end, a lot of that just ends up confusing people and and steering people away from, you know, what they need to know. And this really brings it to engineers and and asset operators on on their terms, which is really important, I think.
34:52.98
Sarah
Yeah, we always say it needs to be their picture in the end. So it needs to be where they feel at home and say, well, this is what we actually do.
34:57.28
Michael Mimoso
Yeah.
35:00.47
Sarah
And at first, because we're all used to doing it too complicated, at first we always have those discussions on, well, but there's still this detail that needs to be in there as well. And and we say, well, stop, because based on this picture,
35:14.12
Sarah
um that you're creating here. On this diagram, you don't have to be able to build the system. You don't have to be able to run the system. You only have to be able to see where the cybersecurity or the overall resilience of this of the system, what matters for that and what measures you need to take for that. That's all.
35:32.48
Sarah
um And then you can really leave out a lot of details and have like a high level diagram that even people use that actually need to run systems and build systems in the end, like as a first overview. And then they have more more detailed diagrams on details. But they all, but what really struck me is that even engineers that are deeply in the in technology miss something like that, that really gives them an overview over what they have, like their the whole systems and their security problems and their resilience ah requirements on one page.
36:09.74
Michael Mimoso
Yeah, I would imagine the engineers who see this are really appreciative of kind of the the approach. I'm just curious, have you heard much feedback from actual engineers on ah you know how useful it may be to them?
36:22.15
Sarah
they They are the reason why we're why we're doing that. And they are off they often say, well, finally, cybersecurity always feels so like a like a, not really an exact science for us, right?
36:24.89
Michael Mimoso
Yeah.
36:35.57
Sarah
So, I mean, engineers are used to having methods and and calculations for everything.
36:35.76
Michael Mimoso
Mm-hmm.
36:42.61
Sarah
And cybersecurity is often a bunch of best practices that you somehow need to need to do and risk assessment always feels a bit like not not really scientific enough and also too far away from the ah from the reality, from the systems that they see every day.
37:05.02
Sarah
So and they often say, well, this is finally something that speaks our language and something that we understand and that we feel good as being the foundation for an informed decision.
37:16.78
Michael Mimoso
Right. All right, great. Sarah, i think that's ah a good place to leave it. um I really want to thank you for coming on the podcast. I think this was a really great discussion and I know people are going to enjoy listening to it.
37:30.02
Michael Mimoso
And I'm happy you were my 100th guest. So thank you so much. I appreciate it.
37:34.97
Sarah
Me too. Thank you. And soon soon again, I guess.
37:38.97
Michael Mimoso
Absolutely. we We definitely need to do this again. All right. Have a great day. Thank you so much.
37:44.36
Sarah
Same for you. And congratulations on the 100th episode. Now done.
37:47.92
Michael Mimoso
they Thank you. All right. Bye-bye.
37:50.82
Sarah
Bye-bye.
Michael Mimoso is Director of Influencer Marketing at Claroty and Editorial Director of Nexus.