Sarah Fluchs revisits the progress and adoption of the Top 20 Secure PLC Coding Practices list.
Cyber Resilience
Risk Management
Vulnerability Management

Nexus Podcast Episode 100: Sarah Fluchs on the Cyber Resilience Act

Michael Mimoso
/
Jun 18, 2025

Subscribe and listen to the Nexus podcast on your favorite platform.

The EU Cyber Resilience Act (CRA) has put manufacturers of B2B and B2C products with digital elements on notice: they have until December 2027 to comply, and from that date forward, only products with a “CE Mark” may be sold in the EU. The mark certifies a level of cybersecurity resilience within the product where risks have been assessed, secure development practices have been followed, and a security roadmap has been developed for the lifecycle of a product. 

The act includes a number of essential requirements that aren’t going away and should be the North Star for manufacturers in their compliance efforts. The requirements are centered around incident prevention through secure-by-design and secure-by-default (out of the box) principles, incident readiness and resilience, and incident and vulnerability handling. 

In this episode of the Nexus Podcast—No. 100!—Sarah Fluchs joins to discuss her work as a Type-A member in the EU commission's Cyber Resilience Act Expert Group, the ongoing progress—and challenges—around the CRA, and her passion for bringing cybersecurity principles to engineers and other non-security technologists. 

CRA Non-Compliance Threatens Revenue Streams

Fluchs points out that the CRA veers away from other cybersecurity regulations governing critical infrastructure, where non-compliance may—or may not—result in a fine, for example. 

“For the Cyber Resilience Act, that's really a difference because manufacturers feel, and that's why they are starting to get very nervous about it, that this could really be revenue-stream disrupting,” Fluchs said. “Because if you don't comply, you're simply not allowed to place your product on the market anymore in the European Union. And that's, I think, what makes it so big.”

As compliance efforts ramp up, Fluchs said some manufacturers, for example, are concerned about vague language within the regulation and how it may impede what they’re trying to accomplish. 

“It's adding to the insecurity of manufacturers because they say, ‘Okay, there's so many uncertainties and things that are yet to be defined. How do we even start?’ In their minds, there's this big elephant of the CRA with many requirements for some things [that] they don't even know exactly what to do. So that obviously is a challenge,” Fluchs said.

She adds that companies perhaps may have to alter strategic product decisions in order to comply with the CRA. 

“It's not like you just decide today that you want to be more secure and tomorrow your product is more secure. It takes time until you have changed processes and features and you need to make strategic product decisions about what you are going to sell after 2027,” Fluchs said. “That's why manufacturers know that they need to act now and they are nervous because there are these uncertainties and they feel they can't really act.”

Bringing Cybersecurity to Engineers

With the secure-by-demand and -default requirements of the CRA, Fluchs’ work with bringing cybersecurity to engineers and other non-security teams takes on heightened importance. At this year’s S4 Conference, Fluchs presented a concept called Cyber Decisions Diagrams, below, which break down cybersecurity concepts into a simplified visual representation. Engineers, she said, must be able to bring their knowledge of industrial and other processes to risk assessments, for example. They can communicate the consequences of a faulty configuration, or failure of a process or system due to a software or firmware vulnerability. 

“I think the reason why I've worked so much on this is because one group, one large group of non-cyber security experts is engineers. In OT cybersecurity, you always need to work with engineers because they have all the knowledge that you need in order to do good risk assessments,” Fluchs said. “And I don't think we've done a good enough job in getting their knowledge in there so far. And that's why we've worked on that so much. And the approach we've come up with is a pretty visual approach.”

Episode Transcript with Sarah Fluchs

00:01.68

Michael Mimoso

All right, welcome back to the Nexus podcast. Excited to bring you episode number 100. And I am so happy that Sarah Flux is my guest.

00:08.77

Sarah

Thank you.

00:10.97

Michael Mimoso

Sarah is one of the most well-regarded and influential security and technology professionals out there. And she's done a lot of excellent writing and presenting on a number of topics, including the Cyber Resilience Act, ah secure by design, whatever that means, and how to bring cybersecurity closer to engineering and asset operators, all topics that are definitely very pertinent to to you, the listener. As I mentioned, this is our 100th episode, and I just want to take a second to thank every single guest who has given their time ah to share their expertise with you here. We started the show a few years ago, and it's really become a fascinating snapshot of how OT and IoT cybersecurity has really matured and and matured rapidly during that time. So ah my sincere thanks again to every guest and to for to you all for listening. I can't tell you how much

01:05.61

Michael Mimoso

I appreciate all of you who listen and subscribe. i know I listen to a lot of podcasts and I know how competitive and challenging it is to get your attention. So trust me, it's very much appreciated.

01:17.04

Michael Mimoso

ah So with that said, let's start to today's episode and bring in Sarah. How are you, Sarah?

01:22.77

Sarah

Well, thanks. Great. Thank you for having me and congratulations on your 100th episode. That's really an achievement.

01:29.70

Michael Mimoso

Thank you. yeah Yeah, I get a lot of support for this from Clarity and the team here and obviously ah the guests like you. So I really appreciate that. It's it's fun. i I really enjoy doing it And I really you know enjoy bringing people who are a lot smarter than I am in security ah to the show and let them kind of share what but they know and their experiences. And it's it's been fun.

01:53.59

Sarah

Well, then let's dive in.

01:55.56

Michael Mimoso

Yes, let's dive in. um All right, so let's start with the Cyber Resilience Act. And I know you kind of ah intimately involved with it and you've done a lot of ah presenting on it. And just to kind of recap, it's obviously a regulation promises to improve product security, introduces a lot of requirements and mostly at manufacturers of products with digital elements um and kind of focuses in on um the design, the development, maintenance of these products.

02:22.13

Michael Mimoso

yeah Just curious, just from, you know, your experience um in in kind of getting this off the ground and seeing how it's grown, how do you characterize the importance of this regulation? i mean, what, what, in your opinion, was it a reaction to? Is it just kind of like a reaction to the hyperconductivity of all these products or something else? Just give me your kind of overall characterization of the reg.

02:47.67

Sarah

Well, it's interesting when it first came up, I think it was back in 2022. twenty two um And I kind of stumbled into the cyber resilience and was like, okay, the EU commission has released this draft regulation that I should probably look into that because I mean, i was at that time full time um occupied on security by design research more or less full time.

03:10.23

Michael Mimoso

Thank you.

03:10.82

Sarah

And um So that was exactly my thing. And I was like, okay, there suddenly is a government putting out a serious security by design regulation. So that's something worth diving in. And the deeper I...

03:28.81

Sarah

I got into that, I realized that there's going to be something pretty big. And I think that's with, of course, a bit of delay manufacturers now are also realizing. For a lot of the times, I have the feeling that the CRA compared to manufacturers regulations and also other security by design initiatives, for example, by CESAR, kind of flew under the radar.

03:52.48

Sarah

So everybody was talking, at least in Europe, about NIST-2 and critical infrastructure regulations and and all these things.

03:58.38

Michael Mimoso

Sure.

04:00.81

Sarah

um And nobody talked that much about the Cyber Resilience Act. And I know that the people at the EU commissioned that wrote the Cyber Resilience Act and negotiated the Cyber Resilience Act with the parliament and the council in the European Union.

04:15.81

Sarah

They were even surprised that it went through with so little discussion because just the attention wasn't wasn't really there. And now I think yeah people are starting to realize how big it is. And I think the big difference to the critical infrastructure regulation that we're used to is if there is an asset owner that is not compliant to critical infrastructure regulation, then, well, maybe they could sometimes get a fine.

04:42.70

Sarah

And I don't really think they havet there have too many fines. um And for the Cyber Resilience Act, that's really a difference because And manufacturers feel, and that's why they are starting to get very ah nervous about that, that this could really be revenue revenue revenue stream disrupting.

05:04.85

Sarah

um Because if you don't comply, you're simply not allowed to place your product on the market anymore in the European Union. And that's, I think, what makes it so big.

05:16.56

Michael Mimoso

Do you think that there their hope their or their their objective here was to kind of have the CRA do for product security, say what GDPR did for privacy? Is that a fair kind of um comparison of the of the outcomes that are hoped for?

05:33.21

Sarah

I hope not, actually, because gd GDPR was here at the European Union, at least. it was It was really, there was a big hype before it was there. And everybody said, oh we need to do something about GDPR. And there was going to be huge fines. And in the end, it wasn't that big, at least for most.

05:51.13

Sarah

And also, so that's that's it's a bit more like critical infrastructure regulation because it's more business of, you You could get a fine if you don't comply. That's still different than you need to do something before you even place your product on the market.

06:04.62

Michael Mimoso

Mm-hmm.

06:04.81

Sarah

So I'd say it's it's it's decidedly different than GDPR. um in a way that it's really more strict um and more impactful for manufacturers potentially. And also, I'm not aware of any other part of the world where there is a regulation like this on product security. I mean, there are a few on smaller scopes on on IoT and on...

06:32.44

Sarah

um vehicles and and things like that. And there are a few voluntary labels or things like that, but not for such a huge scope. So for all products with digital elements, a label or a marketing requirements that you have to meet cybersecurity requirements, and otherwise you really can't put that product on them on the market for really virtually every every digital product. so the combination of really this this strictness in combination with the huge scope, I think that's what makes it pretty unique.

07:13.55

Michael Mimoso

And we should probably clear up that this applies to B2B products and not just consumer, consumer facing products. is That's correct, right?

07:22.21

Sarah

Yeah, that's correct. And I think that's also the problem that B2B products often have because Of course, there are many more consumer products compared to B2B products. And um i too, sometimes have the feeling when I read the CRA legal text that it was written more with consumer products in mind.

07:41.97

Michael Mimoso

Mm-hmm.

07:42.20

Sarah

So some things were sometimes it doesn't make much sense. I wouldn't even say that, but it's harder to do for B2B products.

07:53.73

Sarah

Because take, for example, there is a requirement on a factory reset. So you have to have a factory reset for your products. And then, of course, for B2C products, um that's a no-brainer.

08:07.00

Sarah

I mean, most most digital products that you have probably have this small button where you can factory reset the product.

08:11.77

Michael Mimoso

Right.

08:12.64

Sarah

So that's completely normal. So it wouldn't be a big thing to put that into a regulation. And then for B2B products, no product has that. And if you would imagine, sometimes it's even adding risk compared to the security benefits that it could have to add a a a factory reset.

08:33.68

Sarah

If you have a PLC and there's a factory reset button, well, that's a pretty but pretty big risk to add to a component, actually.

08:39.54

Michael Mimoso

right

08:39.72

Sarah

So it doesn't really improve the security. so And that's just one example where I say i so i think that's the reason why um B2B products and and ah the industry sometimes struggles with the CRA.

08:53.79

Michael Mimoso

So maybe ah it'd be good to kind of level set and explain where things are today. I know that there was an expert group meeting scheduled recently. Can you update us on what came out of it and and where things stand today with the regular?

09:09.35

Sarah

Yeah, well, the expert group is consulting, just consulting the European Commission on implementation guidances and things like that that around the CRA.

09:20.37

Sarah

um And I mean, the most most questions I think I get about c recently are questions about when are requirements finally going to get more specific because they're pretty work in in in in the Cyber Resilience Act. And when do we get guidance on so many questions? What is due diligence exactly? And what kind of products are remote processing solutions. What kind of remote processing solutions count to the product and which ones don't?

09:54.15

Sarah

And what is a substantial change? Because if legacy products undergo a substantial change, then they also fall under the CRA and otherwise they don't. So these are all really follow-up questions on the requirements regarding wording and definition definitions and requirements and interpretation of requirements where people are trying to get more specific guidance. And that's also always a big topic in the CRA expert group meetings because the

10:24.98

Sarah

The EU Commission explains what kind of guidance they're planning to do. And they also get the feedback from the experts to see what but should they prioritize and where else may guidance be necessary.

10:35.94

Sarah

And of course, there's also an update on on harmonized standards. um But the EU Commission really can do only so much about that because harmonized standards are now in the hands of the European Standardization Organization. So they can report and they can set deadlines and due dates, but they can't really influence how fast it's going.

10:55.96

Michael Mimoso

So are the the vagaries in the standard, what is what are they doing to compliance efforts right now? Is that slowing things down for companies? And do you expect ah more specifics to be, more specific language to be added to the regulation?

11:14.14

Sarah

Well, it's adding to the insecurity of um of manufacturers because they say, okay, there's so many uncertainties and things that are yet to be defined. How do we even start? And there's, in their minds, there's this big elephant of the CRA with this many requirements for some things they don't even know exactly what to do. So that obviously is is a challenge. And at the same time, um especially B2B products, but for consumer products, it's not much different.

11:43.25

Sarah

I mean, product life cycles and the time it takes to build new features into a product are long. So it's not like you just decide today that you want to be more secure and tomorrow your product is more secure, but it takes time until you have changed processes and features and you need to make strategic product decisions about what are you going to sell after 2027, so after the due date um of the CRA and what can't you sell anymore and where do you do an upgrade so that you're compliant and which products you you maybe take off market.

12:17.64

Sarah

um And that's why manufacturers know that they need to act now and they are nervous because there are these uncertainties and they feel they can't really act.

12:30.16

Sarah

And the answer that I always give them when they have these uncertainties is well, focus on what you do know. And we do know that there are the essential requirements.

12:40.56

Sarah

That's the Annex 1 requirements in the CRA. These are there. They are not going to change and you can take them for granted. And we know that these are and there's a very important sentence above these essential requirements saying you need to do that based on risk.

12:57.47

Sarah

So you really and you are allowed allowed to do your own risk assessment that helps you with interpreting how you interpret these equal requirements for your product.

13:09.60

Sarah

And they are really they are allowed to do that. They don't have to wait for a standard doing that for them. And they're also encouraged to do that ah from the side of the EU Commission. So that definitely is the the encouragement to get started and to have the courage to to to do the risk assessment and interpret the requirements because they are there.

13:28.66

Michael Mimoso

Right.

13:32.26

Sarah

They won't change. um Definitely not.

13:36.49

Michael Mimoso

I mean, the essential requirements, everything in in the regulation seems pretty expansive. And I would imagine that some of these manufacturers are facing some significant costs.

13:42.38

Sarah

Thank you.

13:47.58

Michael Mimoso

How hard do you expect them to to push back against this? I mean, they they really have no choice in the end, but what are you hearing from from their end?

13:57.41

Sarah

Well, they can't really push back because it's there.

13:59.72

Michael Mimoso

Right.

14:00.58

Sarah

So the elephant is in the room. um What they can do is, um but but they also are doing is to see that the interpretation of the requirements. So what that means for a certain product category,

14:16.38

Sarah

that this goes into the right direction. And many have started to be involved in creating these harmonized standards because they do this requirement interpretation and see that something useful comes out of that.

14:31.00

Sarah

um So, and and then there's also debates about um what kind of, I mean, there are the product categories in the Annexes 3 and 4, the important critical products in the CRA.

14:45.09

Sarah

And for these, they don't have any stricter requirements, but they have higher requirements regarding conformity assessments. um So let's also, of course, it matters which kind of products fall into these categories or not. And this is also something that's currently debated. and But the good news is that manufacturers really can um contribute to the discussion there. So for these descriptions, for these important critical product descriptions, for example, the EU has put out a draft description and that was open for comment. And I think a second version will come out in June and be open for comment. So um there are ways to, and my experience is that the EU commission has always been very open

15:30.77

Sarah

to getting input from the industry on details that they may have overlooked or things that are hard to do in practice or all things like that.

15:37.61

Michael Mimoso

Mm-hmm.

15:40.96

Sarah

and And it's, after all, it's good news that some things are still vague because that still means that they're open to be defined. And I think any regulation with such a broad scope that wouldn't have a lot of room for interpretation would do a pretty bad job because you can't really preemptively answer all the questions and all the special cases that are ah there out there. Yeah.

16:04.67

Sarah

ye

16:06.41

Michael Mimoso

Do you see a ah ah changing attitude toward um regulation overall from the security community? like I mean, I can remember not too long ago that you know a lot of companies were pushed back against regulation. They wanted to self-regulate, but has that time kind of passed? Are they welcoming some kind of prescriptive guidance from from government when it comes to cybersecurity?

16:30.71

Sarah

Well... I think that really depends on whom you ask. um In case of the CRA, asset owners, operators are definitely welcoming the CRA because they have regulated all the time.

16:38.78

Michael Mimoso

you

16:46.06

Sarah

And now finally, they have this blind spot with all the components that they have to buy from manufacturers and but they have to trust that there's security in there. so And now for the first time, manufacturers are regulated as well. so So they definitely welcome that.

17:01.94

Sarah

manufacturers obviously tend not to welcome it because of course i mean it's it's additional regulation it costs money um and it's it's it's some kind of documentation that you need to do on top but working with manufacturers and with the product cyber security teams they in turn often say well finally i have a reason to direct some attention and money to all the things that we've been trying to convince people of doing in our companies anyway.

17:31.59

Sarah

So it really depends a lot on who you ask. And also, I think it depends a lot on who you ask, like, regionally, because, I mean, it's it's no um it's no secret that people in the EU are generally more open to regulating things than in the US, for example.

17:52.74

Sarah

um And it's probably also no coincidence that the CRA is a EU regulation and not a US regulation.

17:59.89

Michael Mimoso

Right. Um, let's talk about the essential requirements ah for a little bit. um I find it encouraging that there's a lot of security by design discussion there, a real focus on resilience and kind of maintenance of the the product over its lifecycle in terms of vulnerabilities and and so forth.

18:19.86

Michael Mimoso

um Just love to get your thoughts on kind of the way the the regulation is structured and those are the kind of like the, what what everyone should be aiming for.

18:28.19

Sarah

Thank you.

18:29.69

Michael Mimoso

do you think that they they hit the target um with those essential requirements or should it be a little broader?

18:37.72

Sarah

I think um the best answer to that is that they're really – I mean, i I've discussed the CRA with really many people over the last years.

18:48.50

Sarah

And I've heard, of course, all i think all kinds of criticism that you can have around it. But all this criticism – and that's the same the same experience for people in the EU who have negotiated and written the CRA – They have also said all the criticism that they received about the CRA was rarely about the essential requirements. there was really i don't remember a single debate being about any essential requirement being wrong or being or missing or being worded the wrong way or things like that.

19:25.51

Sarah

um Debates were in other fields. I come to that in a minute. But that is for me a pretty good sign that these requirements really are industry condenses. So I don't think, of course, you can always debate about but about detailed requirements. But in general, I think these are the requirements that we need.

19:44.57

Sarah

They are not that many. It's just two pages of essential requirements. um But they hit the right spots. so um And I think that they really do reflect a broad industry consensus that's long been there.

19:58.02

Sarah

And that's now in the regulation. I mean, even the S-bomb made it in there.

20:08.43

Michael Mimoso

Yeah, I mean... I don't know. I just, you hear so much about security by design and by default and so forth, especially from CISA that you just hope it's more than words, that it's actually, it's and enforceable and it's it's able to be put in practice um over the long term.

20:27.42

Sarah

Well, I think the good thing is that they don't just write, have any, i don't know, any any kind of software development, security development life cycle, but they really have

20:41.72

Sarah

requirements more on the side of product characteristics that need to be in place.

20:45.90

Michael Mimoso

Mm-hmm.

20:45.94

Sarah

So in comparison to many other standards or regulations that say, OK, here's a life cycle that you need to follow for your product, you need to do all these things.

20:46.06

Michael Mimoso

Mm-hmm.

20:55.20

Sarah

And in the end, um your product becomes more secure. The CRA is more about, okay, this is the outcome. This is what needs to be in your product and you care you you care about how to how to do that, how to make sure it is in your product, but make sure this is the outcome.

21:10.63

Sarah

So at the first point is make sure that there are no exploitable vulnerabilities in the product. We don't care how you do that, but ensure and ensure that this is the outcome. And I think for regulation, that needs to be some kind of um testable, um that's the right approach to say, okay, the product has to be these other the features and the the characteristics that the product is going to have.

21:33.82

Sarah

Because otherwise it's going to be yet another standard where you have you have some processes in place that don't don't guarantee you that there's good security in the end because you can always do it good or or bad.

21:42.21

Michael Mimoso

right

21:45.66

Sarah

And then it makes sense to achieve the CRA outcome. If you want to to achieve that, then it makes sense to take, any of the well-known security development lifecycle approaches.

21:56.26

Sarah

I think that's that's pretty clear, but companies and manufacturers are free to choose how they want to do that. And I think that's the right the right approach.

22:04.76

Michael Mimoso

Right. So as we come up on 2027 and then the ultimate compliance date, just how do you think, what what are some of the milestones we should be looking for in the meantime? And ultimately, how do you measure success for this?

22:21.92

Sarah

How do we measure success for like as a manufacturer working towards CRA or for the CRA regulation or?

22:26.07

Michael Mimoso

Yeah, correct. Correct.

22:29.05

Sarah

okay Well, if your manufacturer approaching CRA, I think there is an intermediate milestone you need to be aware of.

22:35.40

Michael Mimoso

Thank you.

22:37.11

Sarah

That's the 11th of September, 2026. That's when the reporting obligations start. So you need to be able to report actively exploited vulnerabilities and severe incidents for your products.

22:50.99

Sarah

So that's really, i always like to write, it's actively exploited vulnerabilities. So it's not a CVE coming up in a scan. You don't need to report that. But you need to report if there was an incident, so someone exploited vulnerability in one of your products.

23:06.39

Sarah

So and you need to be able to report that there's going to be a ah platform set up by ENISA, I think, by the EU, where you have to report these um

23:19.31

Michael Mimoso

Mm-hmm.

23:20.76

Sarah

these incidents. So that's the first thing. and and And that you need to do for all products, not just for new products or products that fall on the CRA, but simply all your products. So that's the first milestone. And the second milestone, then, is of course, 11th of December, 2027, is where the CRA applies in full, so all products that you're sell after this date need to meet all the CRA requirements, um regardless of if you have sold them before.

23:49.08

Sarah

So if you sell them on 10th of December, they don't have to meet the requirements. If you sell them after 11th, they have to.

23:55.46

Michael Mimoso

Right.

23:56.00

Sarah

um And I think the I always see four areas that people or manufacturers need to focus on based on how we work with manufacturers towards CRA currently.

24:11.25

Sarah

So that's first is product design. So really take these Annex 1 part 1 product characteristics. and work towards, but or maybe first build a product roadmap and say, okay, what kind of products do we have? What kind of products fall under the CRA?

24:30.28

Sarah

And where do we stand regarding our products? And then pretty soon make the decision which products you want to bring towards compliance and which ones you don't.

24:41.96

Sarah

Because that's like your your roadmap for the next for the next two years until 2027.

24:46.23

Michael Mimoso

Mm-hmm.

24:47.82

Sarah

um And if you say, okay, you want to bring towards compliance and they have some weak spots in this Annex 1 characteristics and essential requirements, um then the first really important thing to do is to do the risk assessment and say, okay,

25:06.68

Sarah

um here's the product, it doesn't meet this requirement, I think, or it has, i don't know how how it should meet this requirement. Do the risk assessment, see what the actual risks to your customers are using that product, and then based on that, decide how to, ah if and how you need to meet that requirement.

25:22.19

Michael Mimoso

Thank

25:25.90

Sarah

And then move towards that, and of course, see that your development process is changed in a way that your products can meet them in future. in the future Then there's the whole block of, so that was product design.

25:37.80

Sarah

um Then there's the whole block of vulnerability management. So that's also the reporting obligations, but also for your products, you need to have some mechanisms in place to be aware of vulnerabilities and you have to um

25:55.18

Sarah

have certain, at least you have to know how to, how you distribute security updates to your clients. You also have to do that for free and how to write good security advisories because you have to publish those.

26:06.86

Michael Mimoso

Mm-hmm.

26:08.11

Sarah

Then there's the portion of procurement that I think is often overlooked, but also very relevant. um And that's because most products, I mean, we all know that the the whole supply chain issues, you probably have products in your products that are also um need to be CRA compliant.

26:28.09

Sarah

And you really need to find a way to identify your your suppliers and to make sure that your suppliers meet the CRA in a way that's usable for you. So, For example, if they have if they publish security advisories, it helps if you can use them for your own security advisories. Or if they meet security features, such as requirements, a certain way and you want to integrate them into your product, then maybe you have certain requirements how to do that so that it makes sense for your whole product and things like that. So half a have an idea on what...

27:04.08

Sarah

what existing suppliers are how important for your product and how to make sure that you because you in the end are responsible for the entire product not just for the for the parts that you build yourself but also for the parts that you procure from third parties um well and then there's the fourth the fourth pillar is documentation um and that sounds simple um and mostly it is because for a large part is simply documenting everything that

27:17.99

Michael Mimoso

Mm-hmm.

27:31.07

Sarah

um You can show to market surveillance or to notified bodies in order to make sure that you're compliant and to prove that you're compliant. But then there's also, um and I think that's also often overlooked, the information instructions to the user.

27:44.89

Sarah

um So that really is a kind of cybersecurity handbook that you hand out to every buyer of your product um that contains everything regarding security that matters to your to your customers.

27:57.59

Michael Mimoso

Mm-hmm.

27:57.88

Sarah

And I think that really, for consumer products, it doesn't matter that much. Probably no one is going to read that apart from a few security nerds. But for B2B products, that really can be a game changer because that can really make your B2B customers very happy. And it's really actual, it's actually useful for them and and save them money if you do that in a way that helps them to do their own security risk assessment faster.

28:28.00

Sarah

For example, critical infrastructure regulated customers. And so if you sell a control system or PLC to a ah water utility, then they need to do their own security risk assessments. And if you deliver to them the information in a way that they can really efficiently use in their own risk assessments, then really saves them time and money.

28:51.27

Michael Mimoso

Yeah, it's a huge baseline.

28:51.39

Sarah

That's why this information, yeah, it is. It is. And that's why these, and it's something completely new. I mean, if you buy a digital product right now, you don't get a cybersecurity handbook.

28:57.89

Michael Mimoso

Yeah.

29:01.50

Sarah

You need to get all this information by hand, by requesting, by asking the manufacturer. I've spent so many hours on the phone with manufacturers on behalf of asset owners asking about,

29:12.58

Sarah

basic security features or which protocol do you use for for what or how does the architecture look like in this case and this is all information if you really provide that in the cyber security handbook in a easy to digest way that's a game change i believe yeah so these are four pillars basically so product design, reliability management, procurement, documentation and that's the things that you need to work towards as a manufacturer.

29:27.71

Michael Mimoso

Right. It's huge. Mm-hmm.

29:37.59

Michael Mimoso

Sounds like, uh, it sounds like the industry has a lot of work to do in the next couple of years.

29:42.54

Sarah

That's right. But to be fair, many of these things, I mean, it's not like they've been living under a rock. So vulnerability management, most manufacturers do that in some way or the other.

29:49.34

Michael Mimoso

Right.

29:52.93

Sarah

so most that I've talked to are not very nervous about vulnerability management, for example.

29:53.62

Michael Mimoso

Mm-hmm.

29:59.96

Michael Mimoso

right so before we wrap up, Sarah, I definitely want to talk a ah little bit about some of the the thought leadership you've been doing around ah bringing security to to engineers and asset operators and not necessarily security people. And um you've done a lot of work on like,

30:16.71

Michael Mimoso

I know at your S4 presentation this year on the cyber decisions diagrams, there's a really kind of interesting way to talk security to non-security people, if if that's a ah fair characterization.

30:31.22

Michael Mimoso

I'd love to hear more about kind of how you came up with it and you know how successful you've been in kind of using it or sharing it with others.

30:40.13

Sarah

Yeah, absolutely. It's probably also a good timing because I think the video has been released this week, or last week or something.

30:46.79

Michael Mimoso

I think so. Correct. Yeah.

30:47.82

Sarah

yeah So you can actually watch that. um we I mean, to be honest, it's something I've been working on ever since I've been in the industry. So how to um you yeah summarize that pretty well, um how to communicate cybersecurity to non-security experts.

31:07.19

Sarah

um

31:10.05

Sarah

It's also about how to get the expertise from non-security experts for security. So the input and the output. So how to get the get the knowledge from non-security experts that's really relevant for your cybersecurity engineers, for example, and also how to communicate it to people that need to work um welcome with the cybersecurity results.

31:31.48

Sarah

um And I think the reason why I've worked so much on this is because um one group, one large group of non-cyber security experts is engineers.

31:43.50

Sarah

In OT cybersecurity, you always need to work with engineers because they have all the knowledge that you need in order to do good risk assessments.

31:50.38

Michael Mimoso

Mm-hmm.

31:50.72

Sarah

And I don't think we've we've done a good enough job in getting their knowledge in there so far. um And that's why we've worked on that so much. And the approach we've come up is pretty visual approach.

32:07.57

Sarah

So you actually create basic diagrams on the things that you, on the basic functions that your product or your system has. um And then we have some ways to um lay out top of these functions risks that you may have and attack scenarios and also requirements. So things that you change about your architecture, about your product, about your system,

32:34.16

Sarah

because of cybersecurity. And if you have all this information on top of your functions, then you have three things that you can really easily communicate to everyone um if you have a diagram like that. So you can really easily communicate how does my system work and why and and what is what are bottlenecks, for example.

32:54.40

Sarah

um Even for non-technical people.

32:57.94

Michael Mimoso

Mm-hmm.

32:57.98

Sarah

And you know how could i how could I easiest ah attack it?

32:58.08

Michael Mimoso

Mm-hmm.

33:03.31

Sarah

And you know what are the things that I need to change about it in order to improve its security? And you need you see all that more or less um on on the first look, and you can make can make it easy to communicate.

33:18.23

Sarah

And we've been working with that, frankly. um i use it every day. So we have a software tool that does it that's big. that that that's pretty efficient in doing that.

33:30.31

Sarah

We do our entire risk assessment based on that. So in getting the information from engineers, um into the risk assessments, making them accessible and digestible for cybersecurity teams, and also in communicating the results of all these risk assessments and decisions that you make based on risk.

33:50.37

Sarah

For example, for the Cyber Resilience Act, that's really that's really important, but also for our critical infrastructures to communicate these results both to your own management and also to authorities and auditors and things like that.

34:04.86

Michael Mimoso

Mm-hmm.

34:05.02

Sarah

And these are really all these use cases for from getting deeply technical people's knowledge into risk assessment, getting their opinions on the results, um and also also communicating the results to people that are not involved with the technology in depth.

34:22.96

Sarah

um It has proved really useful.

34:25.03

Michael Mimoso

Yeah. I mean, what I like about it is not only that it's, you know, there's the visual representation, as you mentioned, but you're eliminating um a lot of complexity, a lot of the the jargon that comes with cybersecurity. And I think in the end, a lot of that just ends up confusing people and and steering people away from, you know, what they need to know. And this really brings it to engineers and and asset operators on on their terms, which is really important, I think.

34:52.98

Sarah

Yeah, we always say it needs to be their picture in the end. So it needs to be where they feel at home and say, well, this is what we actually do.

34:57.28

Michael Mimoso

Yeah.

35:00.47

Sarah

And at first, because we're all used to doing it too complicated, at first we always have those discussions on, well, but there's still this detail that needs to be in there as well. And and we say, well, stop, because based on this picture,

35:14.12

Sarah

um that you're creating here. On this diagram, you don't have to be able to build the system. You don't have to be able to run the system. You only have to be able to see where the cybersecurity or the overall resilience of this of the system, what matters for that and what measures you need to take for that. That's all.

35:32.48

Sarah

um And then you can really leave out a lot of details and have like a high level diagram that even people use that actually need to run systems and build systems in the end, like as a first overview. And then they have more more detailed diagrams on details. But they all, but what really struck me is that even engineers that are deeply in the in technology miss something like that, that really gives them an overview over what they have, like their the whole systems and their security problems and their resilience ah requirements on one page.

36:09.74

Michael Mimoso

Yeah, I would imagine the engineers who see this are really appreciative of kind of the the approach. I'm just curious, have you heard much feedback from actual engineers on ah you know how useful it may be to them?

36:22.15

Sarah

they They are the reason why we're why we're doing that. And they are off they often say, well, finally, cybersecurity always feels so like a like a, not really an exact science for us, right?

36:24.89

Michael Mimoso

Yeah.

36:35.57

Sarah

So, I mean, engineers are used to having methods and and calculations for everything.

36:35.76

Michael Mimoso

Mm-hmm.

36:42.61

Sarah

And cybersecurity is often a bunch of best practices that you somehow need to need to do and risk assessment always feels a bit like not not really scientific enough and also too far away from the ah from the reality, from the systems that they see every day.

37:05.02

Sarah

So and they often say, well, this is finally something that speaks our language and something that we understand and that we feel good as being the foundation for an informed decision.

37:16.78

Michael Mimoso

Right. All right, great. Sarah, i think that's ah a good place to leave it. um I really want to thank you for coming on the podcast. I think this was a really great discussion and I know people are going to enjoy listening to it.

37:30.02

Michael Mimoso

And I'm happy you were my 100th guest. So thank you so much. I appreciate it.

37:34.97

Sarah

Me too. Thank you. And soon soon again, I guess.

37:38.97

Michael Mimoso

Absolutely. we We definitely need to do this again. All right. Have a great day. Thank you so much.

37:44.36

Sarah

Same for you. And congratulations on the 100th episode. Now done.

37:47.92

Michael Mimoso

they Thank you. All right. Bye-bye.

37:50.82

Sarah

Bye-bye.

Cyber Resilience
Risk Management
Vulnerability Management
Michael Mimoso
Editorial Director

Michael Mimoso is Director of Influencer Marketing at Claroty and Editorial Director of Nexus.

Stay in the know Get the Nexus Connect Newsletter
You might also like… Read more
Latest on Nexus Podcast