Cybercrime has long since ceased to be a distant reality. In a world where virtually everything is connected to the Internet, including construction equipment, there is a growing need to take digital security seriously. Everyone has a role in this, from manufacturer to user, and we all need to stay alert. The European Union is therefore working on new legislation that will come into effect in phases: the Cyber Resilience Act (CRA). The first parts have already been published and have been in force since Dec. 10, 2024.
Russia captured a trainload of tractors at the beginning of the war in Ukraine. “The factory in the USA remotely deactivated the tractors in question, preventing the Russians from using these machines,” says Bas van Gruijthuijsen, general manager at Aboma. “Great, right? Or is it? Because what if a malicious person manages to gain access to the machine? The CRA should ensure that products connected to the Internet are better protected. Because anyone using an unprotected device is at risk sooner or later. Hackers are constantly looking for vulnerabilities - sometimes with evil intentions (money, power, or sabotage), sometimes with good (ethical hackers warning companies).”

The CRA prescribes not only what must be secured, but also who is responsible for what, says Van Gruijthuijsen. “Manufacturers must ensure secure products and timely security updates. But users, maintenance companies and owners also have a role in this. Suppose a machine asks for an update, who performs it? The tenant? The mechanic? The manufacturer? Such agreements must be clear within the entire chain.” The CRA was thus created to ensure that business becomes resilient against cybercrime. The moment a system or vehicle is connected to the Internet, it must be secured. “And that involves both hardware and software, but components that are indirectly connected are also covered by the CRA. And if the machine uses AI while performing its work, then it is designated as a high-risk product and additional certification by a NoBo (notified body, ed.) is even required.”
Just as we think about fall hazards or fire safety, Van Gruijthuijsen says we must also pay attention to digital safety. “Cybersecurity is a new dimension of security, one that is becoming increasingly important.” The message is clear: start thinking now about how to make your organization, machines and processes digitally resilient. After all, the CRA has already been in effect since Dec. 10, 2024. “From Sept. 11, 2026, there is a reporting requirement for actively exploited vulnerabilities and incidents, and from Sept. 11, 2027, all products with digital elements must comply with the CRA.”