This month I’ve earned the Information Security Risk Manager. ISO/IEC 27005 certification of rigcert.education. Having multiple years of experience in managing security risks in OT environments according to IEC 62443-3-2, the ISO 27005 provides an extended perspective on risk management. Effective information security risk management is crucial for maintaining secure systems. Failing to properly assess…
The Cyber Resilience Act (CRA) is a critical piece of legislation designed to enhance product cybersecurity across the EU. If you’re finding it challenging to navigate, you’re not alone – many organizations are seeking clarity on its implications. Last week, the EU Commission hosted an insightful webinar on the CRA, attracting over 2,500 participants from…
The EU Commission services have just released a comprehensive FAQ to help to demystify the implementation of the Cyber Resilience Act. If the official text left you scratching your head, this 66-page document might be your go-to resource for first practical answers to your questions. Worth a bookmark. Read it here:EU Commission – CRA Implementation
Currently a lot of standardization projects regarding the CRA are on-going. These standardization projects aim to develop harmonized European standards for the fundamental cybersecurity requirements of the CRA and the requirements regarding vulnerability management (horizontal standards) as well as different product categories (vertical standards). You can find an overview over the currently active standardization projects…
This month I’ve earned the ISO/IEC 42001:2023. Artificial intelligence management system practitioner certification of rigcert.education. As AI systems become widely integrated into the business world, securely managing them is increasingly critical. How can organizations ensure the reliability of AI outputs, protect company data from loss, and maintain system availability? These topics—and many others—are addressed by…
Patric Birr and I published an article in SIGNAL+DRAHT, the leading international medium for control and safety technology plus communication and information technology in the railway sector. In the article we propose automating Security Risk Assessments by using digital twins. These allow attack trees to be derived automatically enabling a systematic analysis of potential attack…
The German BSI (Federal Office for Information Security) and TÜV-Verband conducted a survey among German companies to assess the status of cybersecurity in the private sector. Some worrying results from my point of view are: 🌐 Link to the study: BSI – Presse – TÜV-Studie zur Cybersicherheit der deutschen Wirtschaft: Bedrohungslage steigt, Unternehmen wiegen sich…
😬 MITRE CVE list might go offline today! This would be catastrophic for global vulnerability management. What I’ve described as a scenario theoretically possible in How Trump 2.0 could affect the IT industry in Europe might become reality more quickly than I’ve thought and not on the NIST-NVD level, but on the MITRE level including…
The shifting political landscape in the United States may significantly impact the global IT industry, especially in Europe. This blog post explores three aspects of how Trump 2.0 could impact the IT sector in Europe, offering insights into the near future and potential developments ahead. Data Transfer to the US The foundation for the legal…
Critical infrastructure faces a growing number of security threats.. Critical infrastructure typically relies on Industrial Automation and Control Systems (IACS) and other non-IT components, often referred to as “Operational Technology.” To effectively assess cybersecurity risks within operational technology (OT) systems, adhering to the internationally recognized IEC 62443 standard is best practice. IEC 62443-3-2, part of…