
11.30 – 11.55

The increasing connectivity of embedded systems in the Internet of Things (IoT) across industrial, medical, and consumer domains has significantly expanded their attack surface. With the adoption of the Cyber Resilience Act (CRA) in 2024, a harmonized cybersecurity framework for products with digital elements has been established across the EU. The regulation entered into force in 2024, with most substantive obligations becoming applicable from December 2027, while mandatory vulnerability reporting obligations apply earlier, from September 2026. The CRA requires that products be designed, developed, and maintained according to state-of-the-art cybersecurity practices. Annex I mandates effective vulnerability handling and timely security updates, stating that products must be delivered “without known exploitable vulnerabilities” and equipped with secure update mechanisms by default.

A major technical challenge lies in implementing secure and verifiable update mechanisms for resource-constrained embedded devices. The CRA requires that products “ensure that vulnerabilities can be addressed through security updates” and provide mechanisms for the “secure distribution of updates.” Consequently, device management infrastructures must enable authenticated, integrity-protected, and fail-safe remote updates while ensuring traceability and compliance with coordinated vulnerability disclosure and reporting obligations. Equally important is the deployment of a secure, hardware-optimized operating system that forms a trusted computing base, with secure boot and a minimal attack surface, tailored to the specific embedded system.

Speaker: Frank Geissler, Sales Director – Kontron AIS (on behalf of Telerex Nederland)

FHI, federatie van technologiebranches