Cyber Risk Assessment for an Edge Device

Under Article 13(2) of the EU Cyber Resilience Act (CRA), manufacturers must conduct a cybersecurity risk assessment for each product with digital elements, but when it comes to edge devices, there are unique threats and design considerations that go beyond the usual checklist.


Why Edge Devices Need Special Attention

Edge devices operate in environments where:

  • Physical access is often uncontrolled (e.g. street cabinets, industrial sites)
  • Network reliability is limited or segmented
  • They’re expected to run autonomously, sometimes for years
  • They may not be monitored or patched regularly

These factors make them attractive targets—and hard to defend.


CRA Requirements to Cover

Your risk assessment must:

  • Analyse risks from intended purpose and reasonably foreseeable use (Article 13(3))
  • Document how the device mitigates risks to data integrity, confidentiality, and availability (Annex I, Part I, point 1)
  • Cover both software and hardware (Annex I, Part I)
  • Be updated as vulnerabilities or configurations change (Article 13(3) and (7))

Specific Risk Areas for Edge Devices

The following recommendations are a starting point; other risk areas may apply to your device:

1. Physical tampering
For devices in public or semi-public spaces, consider:

  • Secure boot
  • Hardware tamper detection
  • Port locking and interface hardening

2. Remote compromise
If the device talks to the cloud or to peer devices:

  • Use TLS or other secure channels (Annex I, Part I, point 1(a))
  • Limit attack surface with firewalling and minimal open ports
  • Log and monitor traffic if possible

3. Update reliability
Loss of connectivity can delay patches:

  • Ensure a robust, resumable OTA update mechanism (Annex I, Part II, point 7)
  • Include rollback if an update fails
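The two bullets above describe an update path that survives dropped connections and a bad image. The following is an added example written for this page, not code from the original article or from any real OTA product: it simulates a resumable download against a server that cuts every connection, verifies size and digest against a manifest, refuses downgrades, stages the image into the inactive A/B slot, and reverts on a failed health check. The firmware bytes, the key and the `FlakyServer` are constructed for the demonstration, and an HMAC tag stands in for the asymmetric signature a real manifest would carry.

```python
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Callable, Optional

# Constructed sample data: a fake 4096-byte firmware image and a manufacturer key.
# Assumption: an HMAC-SHA256 tag stands in for the asymmetric signature that a
# production OTA pipeline would attach to the manifest.
FIRMWARE_V2 = bytes(range(256)) * 16
SIGNING_KEY = b"constructed-manufacturer-key"


@dataclass(frozen=True)
class Manifest:
    version: int
    size: int
    sha256: str
    tag: str  # HMAC-SHA256 over "version|size|sha256"


def make_manifest(version: int, image: bytes, key: bytes = SIGNING_KEY) -> Manifest:
    digest = hashlib.sha256(image).hexdigest()
    msg = f"{version}|{len(image)}|{digest}".encode()
    return Manifest(version, len(image), digest, hmac.new(key, msg, "sha256").hexdigest())


def manifest_is_authentic(m: Manifest, key: bytes = SIGNING_KEY) -> bool:
    msg = f"{m.version}|{m.size}|{m.sha256}".encode()
    return hmac.compare_digest(m.tag, hmac.new(key, msg, "sha256").hexdigest())


class FlakyServer:
    """Serves byte ranges of the image but cuts every connection after `drop_after` bytes."""

    def __init__(self, image: bytes, drop_after: int):
        self.image, self.drop_after, self.requests = image, drop_after, 0

    def fetch(self, offset: int) -> bytes:
        self.requests += 1
        return self.image[offset:offset + self.drop_after]


def download_resumable(server: FlakyServer, m: Manifest, partial: bytes = b"",
                       max_requests: int = 50) -> bytes:
    """Continue from whatever was already received, then check size and digest."""
    buf = bytearray(partial)
    while len(buf) < m.size and max_requests > 0:
        max_requests -= 1
        chunk = server.fetch(len(buf))  # range request starting at the resume offset
        if not chunk:
            break
        buf += chunk
    if len(buf) != m.size:
        raise RuntimeError(f"incomplete: {len(buf)}/{m.size} bytes")
    if hashlib.sha256(buf).hexdigest() != m.sha256:
        raise RuntimeError("image digest does not match manifest")
    return bytes(buf)


@dataclass
class Device:
    """A/B slot layout: the active slot keeps running until the new one proves healthy."""
    slots: dict = field(default_factory=lambda: {"A": (1, b"v1"), "B": None})
    active: str = "A"
    pending: Optional[str] = None
    events: list = field(default_factory=list)

    def install(self, m: Manifest, image: bytes) -> None:
        if not manifest_is_authentic(m):
            raise RuntimeError("manifest tag invalid")
        if hashlib.sha256(image).hexdigest() != m.sha256:
            raise RuntimeError("image digest does not match manifest")
        if m.version <= self.slots[self.active][0]:
            raise RuntimeError("downgrade refused")  # anti-rollback: never accept an older version
        target = "B" if self.active == "A" else "A"
        self.slots[target] = (m.version, image)
        self.pending = target
        self.events.append(f"staged v{m.version} in slot {target}")

    def boot(self, health_check: Callable[[bytes], bool]) -> int:
        """Try the pending slot once; commit on success, revert to the old slot on failure."""
        if self.pending is None:
            return self.slots[self.active][0]
        version, image = self.slots[self.pending]
        if health_check(image):
            self.active, self.pending = self.pending, None
            self.events.append(f"committed v{version}")
        else:
            self.slots[self.pending], self.pending = None, None
            self.events.append(f"rolled back, still on v{self.slots[self.active][0]}")
        return self.slots[self.active][0]


def run_update(drop_after: int, healthy: bool) -> Device:
    """End to end: a download that is cut off and resumed, then install and boot."""
    m = make_manifest(2, FIRMWARE_V2)
    server = FlakyServer(FIRMWARE_V2, drop_after)
    first_try = server.fetch(0)  # connection dropped after the first chunk
    image = download_resumable(server, m, partial=first_try)
    dev = Device()
    dev.install(m, image)
    dev.boot(lambda img: healthy)
    return dev


if __name__ == "__main__":
    for dev in (run_update(1000, healthy=True), run_update(1000, healthy=False)):
        print(dev.events)
```

The health check is deliberately left as a callable: on a real device it would be whatever proves the new image can do its job (network up, main service answering), and the bootloader would count failed attempts before reverting rather than deciding after one try.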

4. Local data exposure
Logs, configuration, or cached data may be sensitive:

  • Consider file-level or full disk encryption
  • Don’t store secrets in plaintext

5. Supply chain
Edge devices often include third-party firmware or modules:

  • Include these in your SBOM (Annex I, Part II, point 1)
  • Track vulnerabilities even if the component is upstream or “dumb”

Final Tip

CRA doesn’t dictate how to do the risk assessment, but for edge deployments, a structured threat model like STRIDE, DREAD, or even a basic attack tree can help.
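To make the tip concrete, here is an added example (written for this page, not from the original article) of a minimal STRIDE plus DREAD register for an edge gateway. The threats, scores and mitigations are constructed sample entries, and the DREAD scoring uses one common convention (five ratings from 1 to 10, averaged); the useful part is that the register ranks threats, reports which STRIDE categories nobody has written a threat for, and can be re-scored when a mitigation or configuration changes, which is what the "keep it updated" requirement asks for.

```python
from dataclasses import dataclass, replace
from statistics import mean

STRIDE = ("Spoofing", "Tampering", "Repudiation", "Information disclosure",
          "Denial of service", "Elevation of privilege")


@dataclass(frozen=True)
class Threat:
    name: str
    category: str    # exactly one STRIDE category
    dread: tuple     # (Damage, Reproducibility, Exploitability, Affected users, Discoverability)
    mitigation: str

    def score(self) -> float:
        """DREAD score as the mean of the five ratings; rejects malformed entries."""
        if self.category not in STRIDE:
            raise ValueError(f"unknown STRIDE category: {self.category}")
        if len(self.dread) != 5 or not all(1 <= v <= 10 for v in self.dread):
            raise ValueError("DREAD needs five ratings in the range 1..10")
        return mean(self.dread)


# Constructed sample register for a street-cabinet edge gateway.
REGISTER = [
    Threat("Debug port used to read device storage", "Information disclosure",
           (8, 9, 7, 3, 8), "lock debug ports; encrypt local storage"),
    Threat("Modified firmware loaded via physical access", "Tampering",
           (9, 7, 6, 3, 7), "secure boot with signed images"),
    Threat("Peer device impersonated on the local segment", "Spoofing",
           (7, 6, 5, 6, 5), "mutual TLS between peers"),
    Threat("Update server unreachable for weeks", "Denial of service",
           (6, 9, 8, 8, 6), "resumable OTA with rollback"),
    Threat("Vulnerable third-party module left unpatched", "Elevation of privilege",
           (8, 5, 5, 9, 7), "SBOM-driven vulnerability tracking"),
]


def ranked(register: list) -> list:
    """Highest DREAD score first, so the assessment works the worst items first."""
    return sorted(register, key=lambda t: t.score(), reverse=True)


def uncovered_categories(register: list) -> list:
    """STRIDE categories with no recorded threat: gaps the assessor still has to fill."""
    seen = {t.category for t in register}
    return [c for c in STRIDE if c not in seen]


def rescore(register: list, name: str, new_dread: tuple) -> list:
    """Return a new register with one threat re-rated after a mitigation or config change."""
    updated = [replace(t, dread=new_dread) if t.name == name else t for t in register]
    if updated == register:
        raise KeyError(f"no threat named {name!r}")
    return updated


if __name__ == "__main__":
    for t in ranked(REGISTER):
        print(f"{t.score():4.1f}  {t.category:24s}  {t.name}  -> {t.mitigation}")
    print("uncovered:", uncovered_categories(REGISTER))
```

On the sample data the run reports "Repudiation" as uncovered, which is the prompt to decide whether the device logs enough to show what it did and when (the "log and monitor traffic" point above).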