Beyond the Bench: Securing the Connected Future: Meeting CRA Compliance Through Integrated Device Security
Learn key strategies for CRA compliance from Peridio & Keyfactor experts. Discover practical approaches to device security, certificate management, and secure firmware updates.
In a recent webinar, Peridio partnered with Keyfactor to explore the critical topic of connected device security and compliance with the European Union's Cybersecurity Resilience Act (CRA). If you missed this informative session, here's a comprehensive recap of the valuable insights shared by our expert panel.
Meet the Experts
Our panel brought together leaders with deep expertise in device security, embedded systems, and compliance - those with hands-on experience implementing security best practices in connected devices and those building the platforms that help manage secure device lifecycles:
- Bill Brock - CEO @ Peridio
- Justin Schneck - CPO @ Peridio
- Ellen Boehm - SVP IoT Strategy @ Keyfactor
Understanding the CRA: A Foundation for Device Security 🔒
The CRA, which became law at the end of last year, aims to elevate cybersecurity standards for products sold into Europe. This legislation impacts manufacturers, distributors, and operators of connected devices, with potential financial penalties reaching up to 15 million euros for non-compliance.
Ellen explained that while the CRA is now law, the specific harmonized standards that will define compliance are still being developed by certifying bodies like CEN, CENELEC, and ETSI, with final guidelines expected by September 2026. This presents both a challenge and an opportunity for companies to begin implementing security best practices now rather than waiting for final standards.
Starting Your CRA Compliance Journey
The panel recommended beginning with a comprehensive assessment of cybersecurity risks throughout your product lifecycle, from design to decommissioning. Key areas to focus on include:
- Security by Design: Building security controls into products from inception
- Manufacturing Security: Implementing secure provisioning and identity management
- Operational Security: Ensuring secure updates and ongoing monitoring
- Documentation: Maintaining proper records of components, vulnerabilities, and updates
As Justin noted, "Security enablement is not just a software or hardware problem—it's a process problem." Companies need to establish robust processes that support security throughout the entire product lifecycle.
Essential Security Building Blocks
The experts outlined several foundational security elements for connected devices:
1. Secure Firmware Updates
The first step in device security is ensuring firmware is signed with code-signing certificates owned by your company. This prevents unauthorized code from being deployed to your devices through over-the-air updates.
"Make sure your developers are signing your code with a code signing certificate that is owned by your company... that's the first initial thing everyone should be doing," emphasized Ellen.
2. Secure Boot Process
Building on firmware signing, secure boot validates each boot stage before executing the next level of code. This is particularly crucial for critical infrastructure and industrial applications.
Justin explained secure boot with a compelling analogy: "When devices wake up, they don't know who to trust... They have to have something embedded like a certificate or one-time programmable fuses that enable them to know what phases they can trust next."
3. Unique Device Identities
Implementing unique digital identities (certificates) for each device is essential for secure authentication. Ellen described this as "a birth certificate that lives forever with the device," tied back to the original manufacturer.
The panel recommended establishing both initial identity certificates (like iDevID in 802.1AR) and operational certificates that can be rotated periodically to maintain security throughout a device's lifecycle.
Emerging Trends in Certificate Management
An interesting insight shared during the discussion was the trend toward shorter certificate validity periods. Ellen noted that Apple recently proposed reducing public certificate lifespans to just 47 days (to be implemented by 2029)—a significant change from the current practice of using certificates valid for many years.
While IoT certificates aren't yet subject to such short validity periods, this indicates a broader industry movement toward more frequent certificate rotation as a security best practice.
Decommissioning: The Often Overlooked Security Aspect
The panel highlighted device decommissioning as a frequently neglected security consideration. Whether transferring ownership or completely retiring a device, having proper processes to revoke certificates and access is crucial.
"Having a decommissioning process is super important," Ellen emphasized, noting that certificate revocation provides a digital means to control who is authorized to use or connect to devices throughout their lifecycle.
The Scale of the Challenge
With nearly 20 billion connected devices globally and projections of 40 billion by 2030, the security implications are enormous. Many of these devices will remain in service for 7-20 years, making proper security practices all the more critical.
As Bill Brock pointed out, these devices are often produced by companies with varying resources and security expertise, creating significant disparities in security practices across the industry.
Moving Forward: Building a Security-First Mindset
The panel concluded with thoughts on how to foster greater adoption of security best practices. Rather than treating security as an afterthought or compliance burden, organizations should integrate it into their development processes from day one.
Justin advocated for making security the default path rather than an add-on: "Our everyday getting-started tools shouldn't compromise security for agility... make it so that it's easier to reach for and use from day zero."
By prioritizing security now, organizations can not only meet upcoming regulatory requirements but also build more resilient products that protect both their customers and their reputation in an increasingly connected world.
👉 Watch the full webinar on YouTube here.