If you’re responsible for securing connected devices in the field – whether industrial sensors, controllers, or gateways – you’ve probably felt this tension:
How do you strengthen security and meet new regulations like the Cyber Resilience Act (CRA) without halting operations, rewriting firmware, or managing a mess of cryptographic tools?
Most organizations are already stretched keeping legacy systems online, let alone upgrading them for compliance, trust, and resilience.
This blog breaks down what the CRA really demands of device manufacturers, OEMs, and operators – and how to respond with scalable PKI, certificate automation, and zero-touch device orchestration.
You’ll learn how to:
- Identify gaps in identity management, encryption, and secure updating
- Build cyber resilience across greenfield and brownfield systems
- Automate trust at scale with the Keyfactor + Symmera solution
- And do it all without adding friction to existing operations
Let’s get into it.
What the Cyber Resilience Act Means for Connected Devices
The CRA introduces mandatory security requirements for products with digital elements, including everything from consumer IoT devices to industrial control systems. Manufacturers and operators must now ensure:
- Security-by-design is implemented in product architecture
- Secure software updates and vulnerability handling are available
- Device identity and trust can be established and maintained
- Lifecycle security and updateability are maintained for products, even post-deployment
In practice, this means rethinking how devices are onboarded, updated, authenticated, and audited, particularly in fragmented or resource-constrained environments.
Common Challenges: Spotting the Gaps
Many organizations face similar hurdles when trying to meet these expectations:
Networking and Authentication
- The convergence of diverse IT and OT enterprise networks with differing levels of restrictions and connectivity (e.g., wireless, Ethernet)
- Authenticating devices over secure transport protocols (e.g., SSL)
- Implementing authentication workflows and certificate types that vary by protocol and by device lifecycle stage, from onboarding to decommissioning
Public Key Infrastructure (PKI) Buildouts
- Integrating with a public PKI or deploying, configuring, and managing a private PKI
- Managing disparate cross-domain PKIs across OEM factories and end-user production environments
- Supporting both server-side and client-side key generation and certificate signing requests (CSRs)
Solution Design and Implementation
- Preventing service disruptions caused by the expiration of short-lived certificates, or by the revocation of in-use certificates in response to indicators of compromise or security policy requirements
- Scaling up or scaling out elastically in IoT/OT environments, where millions of disparate, multi-vendor devices are interconnected, requires an extensible services platform
- Ubiquity across resource-constrained brownfield and greenfield devices, with low available code memory and data storage space
- Implementing complex certificates and key management stacks on IoT/OT class devices may require extensive reengineering, and diversity in underlying transport protocol libraries introduces technical challenges
- Using late provisioning of birth and join certificates at the factory (to reduce pre-order stockpile and the probability of expired certificates in shipments), or just-in-time pre-provisioning by end-user operators, with zero-touch methods required for scalability and automation to reduce human error
Product Design
- Device identification with immutable and verifiable identifiers
- Protection of cryptographic artifacts on autonomous field devices for non-repudiation and clone detection
- Cyber risks from weak or unprotected local keys and trust stores
- Exploitation of unprotected certificates and private keys by unauthorized applications
Device and Certificate Lifecycle Management
- Device discovery and secure onboarding at scale
- Automated lifecycle management of cryptographic artifacts on IoT/OT devices
- Secure content distribution to heterogeneous devices with a signature manifest for verified trust
- Device data harvesting for operational intelligence and risk management
Addressing these challenges is critical. First, to meet the stringent requirements of the Cyber Resilience Act, and second, to build a scalable, reliable foundation for device security that keeps pace with growing IoT and OT ecosystems.
Building a Cyber-Resilient Architecture: Where to Start
To build cyber resilience that scales, organizations need to establish three pillars:
- Trusted Device Identity with PKI. PKI provides the foundation for device identity and encrypted communication.
  - Use digital certificates for secure onboarding and trust establishment
  - Issue birth, join, and platform certificates during different stages of the device lifecycle
  - Support code signing to secure firmware and software provenance
- Certificate Lifecycle Management (CLM). Without visibility and automation, certificates are a ticking time bomb.
  - Implement CLM for both public and private PKI deployment
  - Automate expiration alerts, renewals, revocations, and audit trails
  - Support quantum-safe key distribution and certificate lifecycle management
  - Reduce outages, minimize human error, and gain cryptographic inventory control
- Secure, Scalable Device Orchestration. Device orchestration must work in real-world conditions, from cloud to factory floor.
  - Use zero-touch provisioning and late-stage certificate issuance to avoid shipping with expired credentials
  - Gain real-time visibility into field operations through device- and application-level metadata essential for observability and remote control
  - Manage the software supply chain with content risk inspection and gated workflows
  - Support brownfield and greenfield systems with mixed vendor and resource types
  - Integrate with SCADA, SIEM, and AI/ML-based analytics systems to operationalize digital trust
The Symmera + Keyfactor Solution: Practical Trust at Scale
Symmera’s Distributed Intelligent Network (DIN) platform offers a SaaS-based orchestration and PKI enablement solution that works across public, private, and air-gapped networks – no agents required.
Key features include:
- Zero-coding using an endpoint agent or command line utilities
- Low-coding for integration using just 3–5 APIs on any platform and in any programming language
- Automation from manufacturing to provisioning, secure updates, and visibility
- Support for any device type, including legacy and constrained devices
- Standards compliance with CRA, IEC 62443, NIST 800-53, IEEE 802.1AR, and more
- Interoperability with any OS, chipset, or cryptography stack
- RESTful integration with SCADA, SIEM, and asset management systems
By integrating Symmera DIN with Keyfactor’s PKI and crypto-agility platform, organizations gain:
- A unified trust layer across IT and OT environments
- Quantum-resistant cryptography for long-life devices
- End-to-end PKI-as-a-Service and code signing without added complexity
- Content distribution with supply chain tamper resistance
- Trusted data harvesting with data-driven insights to improve operational efficiencies
Keyfactor + Symmera: Top 5 Real-World Benefits
This combined solution helps:
- Reduce time-to-market for secure product deployments
- Accelerate product design and development to meet compliance mandates
- Automate trust establishment and policy enforcement
- Simplify regulatory audits with built-in cryptographic visibility
- Reduce operational costs with minimal in-house development or re-engineering, zero-touch onboarding, and remote device lifecycle management
Conclusion: Cyber Resilience Is Within Reach
Meeting CRA regulations and securing connected devices doesn’t have to mean reinventing your infrastructure. By using PKI, certificate automation, and device orchestration platforms purpose-built for IoT and OT environments, you can reduce risk and accelerate digital transformation.
The time to act is now – before vulnerabilities or compliance gaps become business disruptions.