CRA-compliance for ICS products with IEC 62443

Today, an increasing number of products are incorporating digital components to meet the rising demands for connectivity and functionality. However, many products still suffer from inadequate cybersecurity, leaving users unsure about which products are truly cyber secure.

The EU’s Cyber Resilience Act (CRA) is designed to safeguard consumers and companies that buy or utilise products or software featuring digital components. The law mandates that manufacturers, integrators and operators of digital products implement comprehensive cybersecurity measures throughout the entire life cycle. 

The CRA applies to products, software and hardware with digital elements, prompting the industry as a whole to focus on connected manufacturing within the Industrial Internet of Things (IIoT). Manufacturers of industrial control systems (ICS) must ensure a secure product and development life cycle, meet cybersecurity requirements and continually monitor vulnerabilities.

In March 2024, the European Parliament adopted the Cyber Resilience Act (CRA) at its first reading. It is expected to come into force in 2024 after being approved by the European Council. Manufacturers will then have a 36-month period to implement the requirements. 

IEC 62443, an international series of standards for the cybersecurity of industrial automation systems, provides comprehensive guidelines and requirements that already encompass many aspects of cybersecurity also addressed in the CRA. 

This means that by implementing IEC 62443, you simultaneously meet the requirements of both the industry standards and the CRA!

achelos offers professional, effective guidance to ensure your ICS products are compliant with the CRA, in alignment with industrial security standards under IEC 62443. Throughout your product development journey, our security engineers make sure integrated cybersecurity is embedded from the beginning.

Introduction to the EU Cyber Resilience Act (CRA) – Workshop

  • Cybersecurity risks for manufacturers
  • Understanding the law on cyber resilience
  • Resulting cybersecurity requirements for companies and their processes
  • Resulting cybersecurity requirements for products with digital elements

CRA gap assessment and analysis

  • Analysis of selected products in the customer portfolio
  • Getting to know the product to be analysed and identifying the relevant requirements of the Cyber Resilience Act
  • Analysis of the current status with regard to the CRA
  • Identifying gaps compared to the CRA
  • Drafting an action plan

Threat Analysis and Risk Assessment (TARA) – Workshops

  • Analysis of selected products in the customer portfolio
  • Workshop on product consolidation and identification of product assets
  • Threat Analysis and Risk Assessment (TARA) by experienced security consultants 
  • Workshop on risk minimisation
  • Detailed TARA report

Further services in the Secure Development Lifecycle (SDL):

  • Security design and security architecture
  • Secure development of embedded systems
  • Hardening of secure embedded systems
  • Consultancy on security engineering tools
  • Testing of security functions
  • Vulnerability and penetration testing
  • Support with type testing

Security Engineering by achelos

  • Certified expertise
    • Own security development processes, certified according to ISO 27001 and Common Criteria (BSI-DSZ).
  • Extensive IT security expertise
    • Acquired across diverse markets and customer projects with varying security needs.
  • Flexibility & availability
    • Seamless integration of resources and measures into the various phases of the development cycle.
  • Security by Design
    • Step-by-step introduction to integrating security aspects into your development workflow.

Any questions? Your contact person for queries in this field is:

Dr. Michael Jahnich

Director Business Development

michael.jahnich@achelos.de +49 5251 14212-378
