Before starting, can you give a brief introduction about cybersecurity in industrial embedded edge-to-cloud systems?
Until recently, cybersecurity in industrial embedded systems was mostly about protecting the IT infrastructure and following very basic best practices. Only a few companies addressed cybersecurity concerns with a structured process and lifecycle management. Today, due to the acceleration in the enforcement of cybersecurity requirements, this is now a requirement just to play the game. The challenge is not trivial, given that embedded devices usually operate in unprotected environments, connect to cloud services, and require a secure lifecycle at every stage - from design and provisioning to updates and decommissioning.
Why has cybersecurity become such a central point for the industrial embedded sector?
Industrial devices are increasingly connected. Connectivity offers the possibility to extract data, manage devices remotely, and reduce operation and maintenance costs. At the same time, however, it represents an entry point for cyberattacks. Embedded devices could potentially become a single point of failure for a production line or a critical infrastructure. The recent enforcement measures, such as the 18031 extensions for RED and the upcoming CRA, require a structured approach.
Can you explain, in practical terms, what the Cyber Resilience Act (CRA) and the new Radio Equipment Directive (RED) mean for edge device manufacturers?
I will start with RED, as this is a requirement in Europe for those devices that have radio connectivity. With the extended delegated acts, the 18031, it requires connected devices to guarantee network protection, safeguard user data, and follow best practices to keep a system secure. The CRA requires manufacturers to integrate cybersecurity requirements throughout the product lifecycle - from secure development processes, vulnerability handling, and software updates to clear security documentation. This translates into a new approach to product design: security today is a product requirement like any other quality attribute.
What are the main requirements a company must meet to be compliant with these directives?
Companies like SECO are now required to update their software products not just in terms of deliverables, but also in terms of processes. The software development process must include code review, threat modeling, and vulnerability testing. It is also essential to implement a secure update mechanism to guarantee that the product remains secure after an update and that the update is legitimate in terms of origin. Long-term software support is another key requirement, together with compliance activities that provide evidence and documentation decks proving that both the development process and the software product satisfy all the necessary requirements. One key point is to consider cybersecurity management as part of the journey of the development team - and to automate as much as possible the detection, integration, and disclosure processes.
How does hardware and software design change for an industrial embedded product in order to comply with CRA and RED?
Integration of Secure Elements, like NXP Secure Element or TPM for secure key storage, as well as best practices like secure boot and hardware root of trust, are mandatory features to consider in the silicon selection when it’s time to design new hardware.
What are the main security threats we see today in edge-to-cloud environments?
Unauthorized access to the device or to the cloud infrastructure is today a critical aspect. Physical tampering with the device, especially in markets handling sensitive information or critical infrastructure, is another. It is also crucial to ensure resilience to Denial of Service attacks and to limit man-in-the-middle attacks by protecting all communication channels.
What is meant by hardware-based security and how can it be implemented in industrial devices?
Starting with the hardware, TPM or Secure Element are key, along with having a hardware Root of Trust for Secure Boot up to the application level. Functionalities like Measured Boot and disk encryption are today very common requirements for industrial applications.
How does secure key provisioning work and why is it a critical aspect for device protection?
This is a key phase that must be performed in a protected environment. It is critical because it guarantees the device identity for communication with the IoT platform.
What measures can be taken to ensure the integrity of the software supply chain?
It all starts with SBOM - this provides a full view of the components, their dependencies, and any known vulnerabilities. It is important to use signed and automated builds, securing the CI/CD pipeline for artifact signing.
What tools or practices do you recommend for implementing effective operational defenses (monitoring, patching, updates)?
To implement effective operational defenses - including monitoring, patching, and updates - it is important to adopt a centralized tool to manage lifecycle vulnerabilities and rely on a robust, standardized OTA update mechanism. Regular cybersecurity assessments and penetration tests should also be carried out, supported by a structured cybersecurity policy that includes the possibility to roll back the device to a known state in case of patching issues.
How can end-to-end security be ensured, from the edge device to the cloud, in industrial architecture?
Our Clea Framework guarantees mutual authentication between devices and the platform, as well as secure and encrypted communication channels. Proper identity and access management, along with regular vulnerability assessments, are also essential.
What are the best practices for securing devices that are in physically unprotected industrial environments?
For unprotected industrial environments, I recommend implementing tamper detection mechanisms that can revert the system to a known state in case of tamper detection, as well as a secure boot mechanism requiring authentication from the first stage of the boot process. It is also important to disable unused ports and interfaces and to encrypt the disk to protect against device theft. All of these aspects are managed through our Clea Framework, which offers an end-to-end solution from the edge OS - Clea OS - up to the IoT platform.
Can you tell us how SECO supports its customers in achieving compliance with the CRA guidelines and RED certification for their edge products?
RED with the 18031 extensions cannot be applied to software, but only at the system level. We have gone through a full assessment for 18031-1 through a notified body, ensuring that any customer working with our software stack can minimize time to market and risk, relying on our software and hardware solutions. We are also under certification for IEC 62443 4-1 ML3 and 4-2 SL2. This applies on a global scale and is a key reference regulation for the industrial and automation market. We believe that aligning our processes and products with 18031 for RED and 62443 in terms of processes and products provides a strong foundation for the upcoming CRA. Working with the Clea Framework, we ensure that our customers can meet current and future cybersecurity requirements.
What challenges have you encountered when implementing these measures?
Explaining to customers the new regulations, their impact, and what they mean in terms of process. Hopefully, they find great value in our cybersecurity offering and in our Clea Framework, which helps them manage this complexity.
Are there common mistakes you often see repeated in the sector when it comes to embedded security?
Yes, sure. Some companies say: “Ok, we will manage that later.” Avoiding the use of a platform to manage remote updates - still relying on USB sticks and physical presence - delays the update process and the risk assessment that should be performed to make the best-informed decision.
To conclude, how do you see security in industrial embedded systems evolving over the next 3–5 years?
Security will be a standard requirement. Building secure devices with security in mind will reduce costs compared to securing legacy devices later. Moreover, in terms of process, every company will be able to assess risk and make the right decisions. I also expect that AI will have an impact on this, both at the edge and as part of risk assessment.
What key message would you like to leave to those developing or integrating embedded edge-to-cloud systems today?
No matter the geography, market, or current regulations - we need to consider security as the foundation of all new designs, as well as the base of every end-to-end, edge-to-cloud solution. This will become a de facto requirement - simply to play. With the Clea Framework, we believe we offer a simple, multi-platform, end-to-end solution to comply with current and future cybersecurity requirements that could potentially impact our customers.
This interview reflects SECO’s continuous commitment to cybersecurity and edge-to-cloud innovation. Discover more about how SECO’s Clea Framework enables secure, scalable, and compliant solutions across industrial IoT ecosystems. Contact us to learn more about how SECO can support your next secure edge project.