How to get ready for the arrival of the Cyber Resilience Act?

1. IoT data security requirements

In the interconnected world of IoT, the collection and processing of personal and sensitive data has become commonplace. However, the Cyber Resilience Act highlights the need to protect this data from unauthorized access.

The consequences of a data breach can be devastating, leading not only to financial damage, but also to a loss of customer trust. To meet these requirements, it is essential to apply robust security measures and ensure appropriate data management.

2. Cybersecurity standards for IoT devices

The CRA emphasizes the importance of designing secure IoT devices right from their very creation (referred to as “secure-by-design”). The recommended cybersecurity standards are intended to ensure that devices are protected against potential vulnerabilities and flaws.

Integrating security at an early stage in the development process is fundamental to avoiding costly security gaps and ensuring compliance with the requirements of the Cyber Resilience Act. This proactive approach reduces the risks and lays a strong foundation for IoT projects.

3. Vulnerability and incident management

Continuous vulnerability monitoring and responding rapidly to security incidents are central elements of this regulation. Businesses must be able to quickly identify and correct security flaws to minimize potential damage.

Effective incident response requires well-defined processes and collaboration between technical teams and stakeholders.

Expert in electronics design and specialised in IoT solutions, LACROIX supports its customers each step on the way to develop their IoT projects.

In order to be compliant with the Cyber Resilience Act, IoT players are required to meet several criteria. And LACROIX is the perfect partner to ensure that all 5 of these key points are fulfilled:

Secure by design

• Technical framework: architecture, cryptography, secure enclave, etc.
• Processes: product lifecycle, crisis management, R&D best practices, etc.

Risk & threat analysis model, with cyclical examination

Vulnerability Disclosure Policy (VDP)

• CVE tracker in place, with teams organized around it
• Communication channel to inform your customers
• Mitigation/resolution actions triggered promptly

Large-scale updates at any time

• Your product’s firmware
• Secrets-rotation ready

Free security patches

• All throughout the product’s life cycle (minimum of 5 years)

To find out more about the CRA and its impacts on IoT projects, LACROIX held a PizzaIoT conference in the heart of Paris on Tuesday 23rd 2023.

What is the concept behind PizzaIoT? An afterwork event, where we talk about IoT, while tucking into some pizza!

• What is at stake with this regulation and how does it impact IoT products?
• What should companies do to get ready?
• What are the recommendations for players such as LACROIX, Provenrun and Kereval to support the deployment of this standard, from design through to maintenance and including validation?
• Standards evolution, electronic design, technological building blocks, design validation, security vulnerability and certificate management, firmware updates, IoT platforms and beyond: where do we stand today in terms of these aspects?

These were the main topics addressed at the conference hosted by three key speakers from the world of IoT: LACROIX, ProvenRun (software publisher for Internet of Things security) and Kereval (software test engineering laboratory).

Some thirty participants gathered to take part in the conference, which continued with a networking session dedicated to IoT, all over a pizza in the splendid setting of Bpifrance.