What is a security risk assessment? Definition and methods to comply with the CRA

The Cyber Resilience Act now requires manufacturers to regularly conduct security risk assessments of their products to mitigate cybersecurity risks. Discover what this entails and how to conduct one effectively for your embedded system.

What is a security risk assessment?

A security risk assessment is an analysis conducted on a system to: 

  • identify,
  • evaluate,
  • and mitigate cybersecurity risks.

This assessment examines the potential attack paths against the device, taking into account its intended purpose and reasonably foreseeable use and misuse. A path that is unreachable in the product's real deployment can be documented as out of scope, while a path that depends on how the device is actually wired, provisioned or operated in the field must stay in.

By performing this assessment at various stages throughout the product’s lifecycle, organizations can adapt to evolving cybersecurity threats and the discovery of new vulnerabilities, thus ensuring their embedded software remains secure both before and after deployment in the field.

How does it work?

Security risk analysis involves several key steps:

  1. Identify what needs protection: Start by identifying and classifying the assets of your system, such as applications, development tools, build servers, and the secrets they hold (signing keys, device keys, credentials). Create a risk profile for each asset, rating the impact of its compromise from negligible to severe.

  2. Find potential threats: Map out the potential attack paths against each asset to identify weaknesses in the system. Consider threats like malicious code injection, vulnerable third-party dependencies, exposed secrets, or debug and physical interfaces left open in production.

  3. Evaluate the risks: For each attack path, rate its likelihood and the damage it would cause, given the usage context of your device in the field. Combining the two ranks the paths, so that mitigation effort goes to the highest risks first.

  4. Develop a security plan: Address the highest-ranked vulnerabilities first, enforce secure coding practices, and keep monitoring for new risks (a newly disclosed CVE in a dependency, a change in how the device is deployed). Read our articles on DevSecOps practices and long-term security maintenance to dive deeper.

There are various methods and frameworks available today to guide this risk analysis activity, such as the EBIOS Risk Manager (ANSSI) and the NIST Risk Management Framework.

Attack trees: a useful tool

Figure: example of an attack tree, a useful tool to map the potential attack paths of your product

As mentioned earlier, risk analysis is based on the intended purpose and foreseeable usage of the product. Attack trees are a handy way to structure that analysis: the root of the tree is an attacker goal (for instance, extracting the device's private key), which is broken down into sub-goals and, at the leaves, into concrete attack steps. Branches are combined with OR (any one sub-attack achieves the goal) or AND (every sub-attack is required). How the product is actually used determines which branches are reachable, and each root goal maps to a corresponding security goal that the design has to meet.

Regularly updating the attack trees (when a feature is added, a dependency changes, or a vulnerability is disclosed) not only keeps the mitigations current but also shows how the development team is implementing secure practices and handling vulnerabilities in the system. This ongoing process feeds directly into the continuous security maintenance of the product.

Additionally, this mapping records the rationale for paths and risks that are considered irrelevant to the product because of its configuration and usage in the field (for example, a debug interface that is permanently disabled before shipping). A path should be dismissed by an explicit, documented decision rather than by omission, and that decision should be revisited whenever the configuration or usage changes, so that every potential threat is either addressed or consciously ruled out.
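The following Python script is an added example, not code from the original article or from The Embedded Kit or Witekio. It ties together the four steps above (asset with an impact rating, threats mapped as attack paths, likelihood-times-impact scoring, and re-assessment after a mitigation) using an attack tree with OR and AND nodes. The device, the leaf steps, the 1-to-4 scales and the rule "risk = likelihood × impact" are assumptions chosen for the illustration; neither the article nor the CRA prescribes them. Leaves marked as excluded carry the written rationale for why the product's configuration rules them out, and any AND branch that depends on an excluded step yields no scored path.

```python
from dataclasses import dataclass, field
from itertools import product
from typing import Dict, List, Optional

# Assumed scales for this example (not prescribed by the article or the CRA):
# likelihood and impact run 1 (negligible) .. 4 (severe); risk = likelihood * impact.


@dataclass
class Node:
    name: str
    kind: str = "leaf"                 # "leaf", "or" or "and"
    likelihood: int = 0                # leaves only, 1..4
    children: List["Node"] = field(default_factory=list)
    excluded: Optional[str] = None     # rationale when field usage rules the step out


def attack_paths(node: Node) -> List[List[Node]]:
    """Enumerate every minimal attack path (a list of leaf steps) under node.
    OR: one child suffices, so the paths are the union of the children's paths.
    AND: every child is needed, so the paths are the cross product of the children's.
    An excluded leaf yields no path, which also removes any AND branch that needs it."""
    if node.kind == "leaf":
        return [] if node.excluded else [[node]]
    if node.kind == "or":
        return [p for child in node.children for p in attack_paths(child)]
    if node.kind == "and":
        per_child = [attack_paths(child) for child in node.children]
        if any(not paths for paths in per_child):
            return []
        return [sum(combo, []) for combo in product(*per_child)]
    raise ValueError(f"unknown node kind {node.kind!r}")


def path_likelihood(path: List[Node]) -> int:
    # The attacker must complete every step, so the hardest step bounds the path.
    return min(step.likelihood for step in path)


def excluded_steps(node: Node) -> List[Node]:
    if node.kind == "leaf":
        return [node] if node.excluded else []
    return [s for child in node.children for s in excluded_steps(child)]


def set_likelihood(node: Node, name: str, value: int) -> None:
    """Re-rate every leaf called `name`, e.g. after a mitigation lands."""
    if node.kind == "leaf" and node.name == name:
        node.likelihood = value
    for child in node.children:
        set_likelihood(child, name, value)


def assess(root: Node, impact: int) -> Dict[str, list]:
    """Score each reachable path as likelihood * impact (highest risk first) and
    list the steps dismissed because of the product's configuration, with rationale."""
    scored = [(path_likelihood(p) * impact, [s.name for s in p]) for p in attack_paths(root)]
    scored.sort(key=lambda t: -t[0])
    return {
        "paths": scored,
        "excluded": [(s.name, s.excluded) for s in excluded_steps(root)],
    }


def gateway_tree() -> Node:
    """Constructed example: a network gateway whose device private key is the asset."""
    return Node("Extract device private key", "or", children=[
        Node("Read key from flash", "and", children=[
            Node("Physical access to the unit", likelihood=3),
            Node("Dump unencrypted flash over exposed SPI pins", likelihood=3),
        ]),
        Node("Abuse debug interface", "and", children=[
            Node("Physical access to the unit", likelihood=3),
            Node("Attach debugger over JTAG", likelihood=4,
                 excluded="JTAG is fused off at manufacturing; checked by the production test"),
        ]),
        Node("Remote exfiltration", "and", children=[
            Node("Code execution in the update service via a vulnerable dependency", likelihood=2),
            Node("Key file readable by the update service process", likelihood=4),
        ]),
    ])


if __name__ == "__main__":
    tree = gateway_tree()
    impact = 4  # severe: the key authenticates the device to the fleet backend
    before = assess(tree, impact)
    for risk, steps in before["paths"]:
        print(f"risk {risk:2d}: " + " AND ".join(steps))
    for name, why in before["excluded"]:
        print(f"out of scope: {name} ({why})")
    # Mitigation: the key moves into a secure element, so re-rate that leaf and re-assess.
    set_likelihood(tree, "Key file readable by the update service process", 1)
    print("after mitigation:", assess(tree, impact)["paths"])
```

Running the script lists the flash-dump path first (risk 12), the remote path second (risk 8), and the JTAG branch under "out of scope" with its rationale rather than silently absent. After the mitigation, the remote path drops to risk 4, which is the kind of before/after record that belongs in the technical documentation when the tree is updated.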

Risk assessment: a requirement of the Cyber Resilience Act

The Cyber Resilience Act (CRA) requires device makers to carry out a cybersecurity risk assessment of their products. Manufacturers must integrate cybersecurity considerations into the design, development, and manufacturing processes, and reassess at each phase so that vulnerabilities introduced along the way are identified and mitigated.

This risk assessment should be included in the product technical documentation and kept up to date as the product evolves during its support period.

“While manufacturers should comply with all essential requirements related to vulnerability handling and ensure that all their products are delivered without any known exploitable vulnerabilities, they should determine which other essential requirements related to the product properties are relevant for the concerned type of product. For this purpose, manufacturers should undertake an assessment of the cybersecurity risks associated with a product with digital elements to identify relevant risks and relevant essential requirements and in order to appropriately apply suitable harmonized standards or common specifications.” (recital 55)
European Parliament & Commission

Where should you start?

Regardless of your product category, the risk assessment itself is the manufacturer's own responsibility, and you have the option to conduct it independently (self-assessment). The product category matters for the conformity assessment that follows: the risk assessment feeds into it, but for some product classes the CRA requires a third party to be involved in that later step.

However, numerous consulting firms specialize in providing assistance for such analyses, both at the outset and throughout the product’s lifecycle. One such partner is Witekio.

Witekio benefits from being developers first and foremost. This has the following implications:

  • Witekio can initiate a cybersecurity risk analysis at the project’s inception and then refine and maintain it throughout the development process. This ensures ongoing relevance compared to firms that provide one-off interventions.
  • Witekio has access to a diverse pool of experts across various technical domains, whom their cybersecurity experts can consult for support.

Ultimately, Witekio offers more pragmatic and effective security solutions, which are integrated throughout the development process.

Discover more about our partner Witekio.

Consult our synthesis on the Cyber Resilience Act
