Developing a Vulnerability Management Service for an Automation System Based on the Cyber Resilience Act
Kortemaa, Jarkko (2025)
Master's Programme in Automation Engineering
Faculty of Engineering and Natural Sciences
This publication is copyrighted. You may download, display and print it for your own personal use. Commercial use is prohibited.
Date of acceptance
2025-06-02
Permanent address of the publication:
https://urn.fi/URN:NBN:fi:tuni-202505306398
Abstract
The Cyber Resilience Act (CRA) is EU-wide legislation that entered into force on 10.12.2024. The main obligations introduced by the CRA will apply after a transition period of 36 months (from 11.12.2027). The CRA sets mandatory cybersecurity requirements for products with digital elements placed on the EU market, ensuring they remain secure throughout their lifecycle. It requires manufacturers to implement secure development practices, manage vulnerabilities effectively, and report significant security incidents within strict timeframes.
Vulnerability management services are structured processes and supporting tools used to identify, assess, prioritize, and remediate security vulnerabilities in software and hardware systems. These services play a critical role in reducing an organization’s exposure to cyber threats by ensuring that known weaknesses are addressed promptly and systematically. Effective vulnerability management involves continuous monitoring, asset inventory, risk assessments, and the deployment of patches or mitigations, often coordinated through automated tools and integrated workflows. In industrial environments such as manufacturing plants, these services must account for operational constraints, legacy systems, and regulatory requirements, making the design and implementation of a tailored vulnerability management service both technically complex and strategically important.
This thesis investigates the specific requirements of the CRA that influence vulnerability management services and examines the necessary adjustments a case company must undertake to achieve compliance. The research begins with an analysis of the current state of the case company's cybersecurity and vulnerability management practices. It then proceeds to the development of a risk-based patching service tailored for an industrial automation system, with the primary objective of aligning with CRA mandates. The development is based on identifying the gaps between the CRA's obligations and the case company's current capabilities. The resulting service concept outlines how vulnerabilities should be prioritized and addressed based on asset criticality and risk level, ensuring the most impactful issues are remediated first. In addition, the study identifies the necessary tools and processes to support this approach, offering a practical model for implementing a CRA-compliant vulnerability management service.
Developing a risk-based patching service involves prioritizing the remediation of vulnerabilities based on the severity of the risk they pose to systems, taking into account factors such as exploitability, asset criticality, and potential impact. While the CRA regulates the security of products placed on the EU market, requiring manufacturers to manage vulnerabilities and deliver timely updates, it does not directly govern services. As a result, companies are responsible for designing and maintaining effective patching services that help them align with CRA obligations. A risk-based approach enables organizations to focus resources on addressing the most critical vulnerabilities first, ensuring compliance with the CRA while maintaining operational efficiency, particularly in complex environments like industrial automation systems.
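The prioritization logic described above, as an added illustration that is not part of the thesis or the case company's service: each open finding is scored from its advisory severity, the criticality of the affected asset, and whether exploitation is easier (known exploit, network exposure), then mapped to a priority band with a remediation deadline. The asset tiers, multipliers, band thresholds, SLA days, dates, asset names and `VULN-000x` identifiers are all constructed assumptions, not values from the thesis.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Assumed criticality weights for industrial asset tiers (constructed for this
# example; the thesis does not publish the case company's scale).
ASSET_CRITICALITY = {"safety": 1.0, "control": 0.8, "supervisory": 0.6, "office": 0.3}

# Assumed remediation targets per priority band, in days (constructed).
SLA_DAYS = {"P1": 7, "P2": 30, "P3": 90, "P4": 180}

# Fixed assessment date so the example is reproducible offline (constructed).
ASSESSMENT_DATE = date(2025, 1, 1)


@dataclass(frozen=True)
class Finding:
    """One open vulnerability on one asset, as a scanner or advisory feed would report it."""
    vuln_id: str         # placeholder identifiers below, not real CVE numbers
    asset: str
    asset_tier: str      # key into ASSET_CRITICALITY
    cvss_base: float     # advisory severity on the 0.0-10.0 scale
    exploit_known: bool  # public exploit code or reported active exploitation
    exposed: bool        # reachable from outside its own network segment
    published: date      # advisory publication date, used as a tie-breaker


def risk_score(f: Finding) -> float:
    """Severity scaled by asset criticality, raised when exploitation is easier.

    The multipliers are assumptions chosen so that a known exploit on an
    exposed asset outranks a merely high CVSS score on an isolated one.
    """
    score = (f.cvss_base / 10.0) * ASSET_CRITICALITY[f.asset_tier]
    if f.exploit_known:
        score *= 1.5
    if f.exposed:
        score *= 1.25
    return round(min(score, 1.0), 3)


def priority_band(score: float) -> str:
    """Map a 0-1 risk score to a remediation band with a fixed SLA."""
    if score >= 0.8:
        return "P1"
    if score >= 0.5:
        return "P2"
    if score >= 0.25:
        return "P3"
    return "P4"


def plan(findings, today=ASSESSMENT_DATE):
    """Return findings ordered highest risk first, each with its band and due date."""
    rows = []
    for f in sorted(findings, key=lambda f: (-risk_score(f), f.published)):
        score = risk_score(f)
        band = priority_band(score)
        rows.append({
            "vuln_id": f.vuln_id,
            "asset": f.asset,
            "score": score,
            "band": band,
            "due": today + timedelta(days=SLA_DAYS[band]),
        })
    return rows


# Constructed sample findings; identifiers and asset names are placeholders.
SAMPLE_FINDINGS = [
    Finding("VULN-0001", "plc-line3", "control", 9.8, True, False, date(2024, 11, 20)),
    Finding("VULN-0002", "sis-boiler", "safety", 6.5, False, False, date(2024, 12, 1)),
    Finding("VULN-0003", "eng-ws-07", "office", 9.1, True, True, date(2024, 12, 10)),
    Finding("VULN-0004", "scada-hist", "supervisory", 4.3, False, False, date(2024, 10, 5)),
]

if __name__ == "__main__":
    for row in plan(SAMPLE_FINDINGS):
        print(f"{row['band']} {row['score']:.3f} {row['vuln_id']:10} {row['asset']:12} due {row['due']}")
```

Note how the ordering differs from a plain CVSS sort: the 9.1 finding on the office workstation lands below the 6.5 finding on the safety system because asset criticality is weighted in, while the control-system finding with a known exploit saturates to the top band. In a real service the weights and bands would come from the organization's own risk assessment and the SLAs from its update-delivery commitments.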