In today's Coredump Session, we dive into the evolving landscape of IoT security regulations with Giovanni Alberto Falcione, CTO at Exine. From the impact of the EU's CRA to the complexities of OTA updates, Giovanni, François, and Thomas unpack what these new requirements mean for product engineers and how to navigate the increasingly stringent security landscape.

Speakers:

• François Baldassari: CEO & Founder, Memfault
• Thomas Sarlandie: Field CTO, Memfault
• Giovanni Alberto Falcione: CTO, Exein

Key Takeaways:

• The EU's Cyber Resilience Act (CRA) mandates stringent security measures for all connected devices marketed after December 2027, with a particular focus on runtime security monitoring.
• OTA updates are essential for mitigating vulnerabilities in the field but can also introduce challenges in regulatory compliance.
• Giovanni highlights that less than 1% of IoT device manufacturers actively monitor cybersecurity state awareness, a critical area of compliance under CRA.
• Implementing a Software Bill of Materials (SBOM) and tracking Common Vulnerabilities and Exposures (CVEs) are low-hanging fruit for product teams to start bolstering security.
• eBPF technology offers powerful, low-impact monitoring capabilities that can detect unauthorized activities at the syscall level without kernel-level intervention.
• Companies need to plan for at least five years of security updates under CRA, with potential for longer support based on device lifecycles.
• Even seemingly innocuous devices, like coffee makers, can pose significant cybersecurity risks as entry points for broader attacks.
• Giovanni emphasizes that while regulation can stifle innovation, it also raises the bar for security practices across the board.

Chapters:

00:00 Introduction and Guest Introduction02:30 The Unseen Costs of Cybersecurity Regulation04:40 OTA Updates: Security Savior or Hidden Risk07:21 CRA vs. Other Regulations: What Matters Most10:30 The Rise of Runtime Security Monitoring12:23 Why Manufacturers Are Freaking Out About CRA15:09 The Hidden Cost of Legacy Firmware17:30 Inside the Automotive Cybersecurity Playbook21:22 eBPF: The Next Frontier in IoT Security55:38 Coffee Machines, Coffee Attacks, and Unexpected Entry Points

⁠⁠Join the Interrupt Slack

Watch this episode on YouTube

⁠Suggest a Guest⁠

⁠⁠

Follow Memfault

• ⁠⁠LinkedIn⁠⁠
• ⁠⁠Bluesky⁠⁠
• ⁠⁠Twitter⁠⁠

Other ways to listen:

⁠⁠Apple Podcasts

.css-j9qmi7{display:-webkit-box;display:-webkit-flex;display:-ms-flexbox;display:flex;-webkit-flex-direction:row;-ms-flex-direction:row;flex-direction:row;font-weight:700;margin-bottom:1rem;margin-top:2.8rem;width:100%;-webkit-box-pack:start;-ms-flex-pack:start;-webkit-justify-content:start;justify-content:start;padding-left:5rem;}@media only screen and (max-width: 599px){.css-j9qmi7{padding-left:0;-webkit-box-pack:center;-ms-flex-pack:center;-webkit-justify-content:center;justify-content:center;}}.css-j9qmi7 svg{fill:#27292D;}.css-j9qmi7 .eagfbvw0{-webkit-align-items:center;-webkit-box-align:center;-ms-flex-align:center;align-items:center;color:#27292D;}