The rapid digitization of business operations and the reliance on technology have created a vast attack surface for cyber threats. With the widespread use of interconnected systems, cloud computing, and the Internet of Things (IoT), organizations are more vulnerable to cyberattacks, data breaches, and other malicious activities.
Wireless devices have become integral to our daily lives, from smartphones and tablets to smart home devices and Internet of Things (IoT) devices. These devices connect to the internet and often store and transfer sensitive information or even have access to critical systems, so their security is paramount to protecting individuals, organizations, and national infrastructure from cyber threats. With the growing adoption of wireless technologies, the attack surface for cybercriminals has expanded, making it crucial to implement robust security measures. Cybercriminals are becoming more sophisticated, employing advanced techniques like ransomware, phishing, and social engineering to exploit vulnerabilities. Consumer IoT device cybersecurity involves safeguarding these devices from unauthorized access, data breaches, malware attacks, and other potential vulnerabilities. Failure to do so can lead to compromised personal information, financial loss, and even compromised critical infrastructure.
The Radio Equipment Directive (RED) was introduced in 2014 to establish a regulatory framework for placing any kind of radio equipment on the EU market. Radio equipment can be a variety of goods, from a simple small handheld radio to a complex system used in satellite telecommunication stations, for instance. The RED Delegated Act (RED DA) will affect all companies producing radio equipment to be sold on the EU market and states that manufacturers are responsible for cybersecurity throughout the entire lifecycle of the device. While the harmonized standards are not yet published, preparation for compliance can begin now. The delegated act came into force on February 1, 2022, and provided a longer transition period for device manufacturers to get prepared by August 1, 2024. Although the EC may prolong this deadline until August 1, 2025, it is never too early for manufacturers to learn about the cybersecurity requirements for their products. The RED aims to establish a certain level of cybersecurity assurance for wireless devices by setting essential requirements (e.g. encryption, secure software updates) that manufacturers must comply with before their products can be sold in the EU market. By enforcing such regulations, the Radio Equipment Directive promotes a more secure ecosystem of wireless devices, reducing the risk of cyber threats and also ensuring that manufacturers are accountable for the security of their products, ultimately benefiting consumers and businesses alike.
First of all, I would say telecommunications, since this industry includes mobile phones, smartphones, tablets, wireless modems, and other communication devices, so devices that are used by practically everyone. Another significant area is the healthcare industry. Nowadays, several medical devices use wireless connectivity (e.g. Wi-Fi, Bluetooth, radio frequency), such as remote monitoring systems, wireless medical sensors, and also wearable IoMT (Internet of Medical Things) devices for tracking and transmitting patient data to a remote server to establish a diagnosis or monitor the patient’s health conditions. Many other industries will be affected by the new cybersecurity requirements of the RED. Based on our 10+ years of experience in information security, we have seen companies struggling to understand the new regulations and what they mean for the whole organization. The success and effectiveness of a data security testing project always depend on the preparedness of the parties involved. We understand these companies' needs and are ready to lend a helping hand to those who want to be among the first to prepare for the challenges ahead of them. Trying to get a certificate without a dedicated and well-prepared team may take 2 or 3 times longer than expected. We would like to encourage all of these companies to invest in this topic in good time and start with an assessment of where they are at the moment and what improvements must be made for compliance. With a professional support team like CCLab, the following steps could be followed before it comes to the actual testing and evaluation project:
- Readiness assessment to provide reliable information on where the company and your products are in terms of fulfilling the relevant requirements.
- Training to make the team aware, so that they can objectively assess where they are and understand what they have to defend against.
- Secure coding, security by design, DevSecOps training. Secure coding training is usually a lot of fun, and developers and IT professionals really enjoy it.
- Education on some basic (baseline) standards and, for example, testing in a hackathon whether the team and the product would meet the requirements for compliance. We are also happy to help organize the above training and hackathons for your team.
- Involvement of a consultant at an early stage, who understands the exact regulatory side and can assess the maturity of the organization, and can make suggestions as to where the processes, team, and tools need to be strengthened in order to produce a secure product.
With the right partner and some of the above steps, you can ensure the whole process is a success for the whole team and even becomes fun for your developers, rather than becoming a long and exhausting nightmare for your team and your management. As an example from the past, a first cybersecurity evaluation project can be done within 2-3 months instead of 20 when the necessary steps are taken beforehand.
CCLab is ready to help meet existing cybersecurity standards that are likely to form the basis of future harmonized standards of the RED Delegated Act, such as the ETSI EN 303 645 consumer IoT cybersecurity standard and the ISA/IEC 62443-4-2 standard for industrial components. Compliance with these relevant standards can also help demonstrate compliance with the relevant RED requirements. As consumer IoT devices and certain types of ICS equipment or medical devices may also be subject to the RED, adherence to appropriate cybersecurity standards and practices is essential to compliance. At CCLab, we provide consulting and testing services for consumer IoT devices, medical devices, and industrial IoT components, and after a successful evaluation, we issue a declaration of conformity or certificate.
As the number of connected devices continues to grow exponentially, so does the potential attack surface for cybercriminals. The regulatory landscape for connected device cybersecurity is likely to become more comprehensive and stringent in the future. Luckily, more and more government and regulatory bodies are recognizing this and taking steps to address the associated risks, so we can expect further development and implementation of regulations specific to connected device cybersecurity. These regulations might require manufacturers to adhere to specific security standards, conduct regular vulnerability assessments, and provide secure software updates throughout the lifecycle of their products. In the EU, the European Commission (EC) has developed and implemented regulations to ensure the security and privacy of connected devices. Besides that, the Cyber Resilience Act (CRA), i.e. the EU cybersecurity regulation proposed by the EC on September 15, 2022, in order to improve cybersecurity and cyber resistance, is an important and forward-looking step. This regulation applies to products with digital elements within the EU, mainly hardware and software, but it also includes products that have a direct or indirect data connection to the network. But there are also examples of legal regulation in other countries. In the USA, the FTC and the NIST; in the UK, the DCMS and the ICO; and in Australia, the ACSC and the OAIC provide guidance and resources for securing connected devices and enforcing data protection regulations. Additionally, as the concept of IoT expands to include critical infrastructure and industries such as healthcare, energy, and transportation, regulations may emerge to ensure the security of these sectors.
IEC 62443, the standard for the protection of Industrial Control Systems, is a very important global standard for IIoT, but practical sectoral additions are still needed here, and it would also be an important international step forward if the IEC adopted ETSI 303 645, the cybersecurity standard for IoT devices. Overall, the future of connected device cybersecurity regulation is likely to focus on proactive measures to mitigate risks, foster collaboration between industry and regulators, and establish frameworks that adapt to the rapidly evolving threat landscape.
It can never be emphasized enough that cybersecurity is crucial for protecting sensitive business information, intellectual property, and personal and customer data. Breaches can lead to significant financial losses, reputational damage, and legal liabilities, but fortunately, more and more industry players and manufacturers are recognizing this problem and taking it seriously. I would like to emphasize the importance of collaboration between cybersecurity professionals, manufacturers, regulators, and consumers. By working together, we can ensure a more secure digital environment for everyone. The burden of cyber awareness must be taken off the end-users. Ideally, there would only be regulations on the market and products and services that do not pose a threat and cannot be misused. Certainly, individuals also need to learn about cybersecurity best practices and only make purchasing decisions after getting the necessary information about the wireless devices first. After all, the emphasis should be on organizations and governments making cybersecurity a priority and investing in research and development, and products should only be released on the market after the necessary steps are taken. Education on cybersecurity is equally important to create a future where connected devices are secure, reliable, and trustworthy.
----------------------------------------------------------------------------------------
As consumer IoT devices and certain types of ICS equipment may fall under the scope of the RED, adherence to relevant cybersecurity standards and practices is essential for compliance. CCLab is ready to help you comply with the existing cybersecurity standards that are likely to be the basis for the future harmonized standards of the RED Delegated Act, such as:
- IoT cybersecurity standard ETSI EN 303 645
- ISA/IEC 62443-4-2 standard for Industrial Control System Cybersecurity
We provide consultation services, training, and hackathon organization for manufacturers who would like to get prepared in good time. We are already providing actual testing services for both Consumer IoT devices and Industrial IoT components that comply with the RED. Our testing services will be enhanced in the short term to accelerate and maximize the efficiency of these projects for companies that have a wide range of products that need to be tested against baseline cybersecurity requirements, for instance. After the successful evaluation, a statement of conformity or certification will be provided as evidence. Together with our partners within QIMA Group, we are offering a one-stop-shop solution to responsible manufacturers.