TL;DR: Connected devices now have to meet stronger security, updateability, and lifecycle expectations under the Cyber Resilience Act, while still supporting brownfield and resource-constrained environments, according to Keyfactor. The practical issue is not just compliance but whether device identity, certificate automation, and orchestration can scale without disrupting field operations.
NHIMG editorial — based on content published by Keyfactor: How to Build Cyber Resilience for Connected Devices Without Breaking What’s Already Working
By the numbers:
- 96% of organisations store secrets outside of secrets managers in vulnerable locations including code, config files, and CI/CD tools.
- 97% of NHIs carry excessive privileges, increasing the risk of unauthorised access and broadening the attack surface.
- Only 5.7% of organisations have full visibility into their service accounts.
Questions worth separating out
Q: How should teams govern certificate lifecycle for connected devices at scale?
A: Treat certificates as governed identities with lifecycle ownership, not as static technical artefacts.
Q: Why do connected devices create more governance pressure than traditional endpoints?
A: Connected devices are harder to patch, harder to observe, and often distributed across factories, field locations, and third-party environments.
Q: What breaks when certificate management is handled manually in IoT and OT environments?
A: Manual handling breaks scale, consistency, and recovery.
Practitioner guidance
- Map device identity to lifecycle stages: Define how birth, join, active operation, renewal, revocation, and decommissioning will be handled for each device class, including constrained and offline systems.
- Automate certificate renewal and revocation: Remove manual dependency from expiry handling, especially for short-lived certificates and environments where delayed action can interrupt field operations.
- Unify trust telemetry across OT and IT tools: Correlate PKI state with SCADA, SIEM, and asset data so identity drift, expired credentials, and unmanaged devices are visible before they become outages.
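One way to implement the correlation step in the guidance above, as an added example that is not part of the Keyfactor article or this post: it joins a constructed asset inventory with a constructed PKI inventory (field names and device ids are assumptions) and produces the work queues an operator would act on: expired identities, renewals falling due, active devices with no certificate, retired devices still trusted, and certificates with no inventory record.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample inventories (field names are assumptions): ASSETS is what operations believes is deployed, CERTS is what the CA has issued.
ASSETS = [
    {"device_id": "plc-0101", "class": "plc", "stage": "active"},
    {"device_id": "gw-0007", "class": "gateway", "stage": "active"},
    {"device_id": "sensor-3342", "class": "sensor", "stage": "active"},
    {"device_id": "cam-0002", "class": "camera", "stage": "active"},
    {"device_id": "plc-0044", "class": "plc", "stage": "decommissioned"},
]
CERTS = [
    {"device_id": "plc-0101", "serial": "01", "not_after": "2025-03-01T00:00:00Z", "revoked": False},
    {"device_id": "gw-0007", "serial": "02", "not_after": "2025-01-20T00:00:00Z", "revoked": False},
    {"device_id": "sensor-3342", "serial": "03", "not_after": "2025-01-10T00:00:00Z", "revoked": False},
    {"device_id": "plc-0044", "serial": "04", "not_after": "2025-06-01T00:00:00Z", "revoked": False},
    {"device_id": "hmi-9999", "serial": "05", "not_after": "2025-06-01T00:00:00Z", "revoked": False},
]
# Renewal lead time per device class; short-lived sensor certs get a tighter window, all others 30 days.
RENEW_WINDOW = {"sensor": timedelta(days=3)}

def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def reconcile(assets, certs, now):
    """Correlate asset lifecycle state with PKI state and return the work queues."""
    findings = {"expired": [], "renew_due": [], "unmanaged": [], "revoke_due": [], "unknown": []}
    by_asset = {a["device_id"]: a for a in assets}
    seen, live = set(), {}  # devices with any cert record / devices with a valid cert
    for c in certs:
        seen.add(c["device_id"])
        if c["revoked"]:
            continue
        asset = by_asset.get(c["device_id"])
        if asset is None:
            findings["unknown"].append(c["serial"])  # issued to something not in inventory
        elif asset["stage"] == "decommissioned":
            findings["revoke_due"].append(c["serial"])  # retired device still trusted
        elif parse_ts(c["not_after"]) <= now:
            findings["expired"].append(c["device_id"])
        else:
            live[c["device_id"]] = c
    for dev, c in live.items():
        window = RENEW_WINDOW.get(by_asset[dev]["class"], timedelta(days=30))
        if parse_ts(c["not_after"]) - now <= window:
            findings["renew_due"].append(dev)
    for a in assets:
        if a["stage"] == "active" and a["device_id"] not in seen:
            findings["unmanaged"].append(a["device_id"])  # active device with no identity at all
    return findings
```

Run it against a clock of 2025-01-15 to see the five queues populated; feeding the same output to a SIEM as events is what makes the drift visible before an expiry becomes an outage.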
What's in the full article
Keyfactor's full blog covers the operational detail this post intentionally leaves for the source:
- Specific CRA obligations for manufacturers, OEMs, and operators across connected device lifecycles
- Implementation detail on PKI buildouts for greenfield and brownfield IoT and OT environments
- Practical examples of zero-touch provisioning, late-stage certificate issuance, and remote orchestration
- The Symmera DIN integration points for automation, visibility, and standards alignment
👉 Read Keyfactor's analysis of cyber resilience for connected devices under the CRA →
Explore further
Connected device resilience is now an identity governance problem, not just a product security problem. The article shows that compliance, trust, and operational continuity depend on whether devices can be identified, updated, and audited across their full lifecycle. That is the same governance burden NHI teams already face with service accounts and certificates. Practitioners should stop treating device security as a bolt-on control set and manage it as governed identity infrastructure.
A few things that frame the scale:
- Only 5.7% of organisations have full visibility into their service accounts, according to the Ultimate Guide to NHIs.
- 71% of NHIs are not rotated within recommended time frames, increasing the risk of compromise over time.
A question worth separating out:
Q: Who should own device trust governance across manufacturing and operations?
A: Ownership should sit across security, engineering, and operations, with one accountable model for device identity and certificate lifecycle decisions. If manufacturing, deployment, and field operations each run separate trust processes, governance fragments and auditability disappears. The right model is shared responsibility with one control framework and clear lifecycle handoffs.
👉 Read our full editorial: Cyber resilience for connected devices without breaking operations