Description
The European Union's Cyber Resilience Act (CRA) aims to enhance the cybersecurity and resilience of products with digital elements throughout their lifecycle. As a result, manufacturers and their affected products must undergo a compliance verification procedure. Manual compliance verification processes are resource-intensive and error-prone, which makes automation necessary to improve efficiency and accuracy. While other regulations have been the subject of such efforts, the CRA, due to its novelty, has not yet been analyzed in this regard.

This thesis explores the potential for automating compliance verification for the CRA by translating legislative requirements into measurable technical criteria and integrating these into an automated framework. The research clusters the CRA requirements into categories such as cybersecurity and resilience fundamentals, ongoing security and incident monitoring, user control, and documentation. Each cluster is mapped to specific technical approaches and tools. Based on this mapping, a proof of concept is developed to show its feasibility. The proof of concept integrates the Greenbone Vulnerability Manager and the certification framework Clouditor and demonstrates automatic compliance verification for a sample requirement — ensuring products are free from known exploitable vulnerabilities.

Results indicate that significant portions of the CRA's requirements can be automatically verified, particularly those related to vulnerability prevention and monitoring capabilities. User control requirements exhibit limited automation potential, necessitating excessive expert oversight. While documentation analysis is a potentially effective method, its results may lack reliability due to the use of Natural Language Processing approaches, so a minor manual supervision process remains necessary.
The findings underscore the viability of a hybrid approach that combines automated tools with manual supervision, offering a promising path forward for regulatory compliance verification of the CRA.
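As an added illustration of the approach the abstract describes (this is example code written for this page, not the thesis's proof of concept and not the API of Greenbone Vulnerability Manager or Clouditor), the following Python sketch turns the sample requirement into a measurable criterion evaluated over scan evidence. The report format, the host and CVE values and the known-exploited list are constructed placeholders; a real deployment would read scanner exports and a maintained exploited-vulnerability catalogue instead.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

REQ = "free from known exploitable vulnerabilities"  # the CRA sample requirement

# Constructed sample evidence shaped like a simplified scanner export.
# Hosts and CVE identifiers below are placeholders, not real findings.
SCAN_REPORT = {
    "scan_time": datetime(2024, 6, 1, tzinfo=timezone.utc),
    "findings": [
        {"host": "10.0.0.5", "cve": "CVE-0000-0001", "cvss": 9.8, "fixed": False},
        {"host": "10.0.0.5", "cve": "CVE-0000-0002", "cvss": 4.3, "fixed": False},
        {"host": "10.0.0.7", "cve": "CVE-0000-0003", "cvss": 7.5, "fixed": True},
        {"host": "10.0.0.9", "cve": "CVE-0000-0004", "cvss": 5.0, "fixed": False},
    ],
}

# Constructed stand-in for a catalogue of vulnerabilities with known exploits.
KNOWN_EXPLOITED = {"CVE-0000-0001", "CVE-0000-0003"}

# Evaluation time used by the demo run below (constructed).
AS_OF = datetime(2024, 6, 3, tzinfo=timezone.utc)


@dataclass
class ComplianceResult:
    requirement: str
    status: str  # "compliant", "non_compliant" or "inconclusive"
    violations: list = field(default_factory=list)
    reason: str = ""


def evaluate_known_exploitable(report, known_exploited, now, max_age_days=7):
    """Measurable criterion derived from the requirement: no unremediated
    finding may refer to a vulnerability with a known exploit. Stale scan
    evidence cannot support a verdict either way, so it yields 'inconclusive'
    rather than a silent pass; fixed findings do not count as violations."""
    if now - report["scan_time"] > timedelta(days=max_age_days):
        return ComplianceResult(REQ, "inconclusive", reason="scan evidence is stale")
    violations = [
        {"host": f["host"], "cve": f["cve"], "cvss": f["cvss"]}
        for f in report["findings"]
        if not f["fixed"] and f["cve"] in known_exploited
    ]
    status = "non_compliant" if violations else "compliant"
    return ComplianceResult(REQ, status, violations)


if __name__ == "__main__":
    print(evaluate_known_exploitable(SCAN_REPORT, KNOWN_EXPLOITED, AS_OF))
```

The verdict carries the offending findings as evidence, which is what a reviewer needs when the hybrid approach hands a non-compliant result to a human.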