CRA requires that actively exploited vulnerabilities and critical incidents be reported to the Single Reporting Platform managed by ENISA. How are security events on Balena-managed devices such as Raspberry Pis handled so that I am CRA compliant end to end?
Hi @seing.cheah
To address your question regarding end-to-end CRA compliance, handling these security events operates on a shared responsibility model. As the provider of balenaOS, balenaCloud, and our related tools, we are responsible for monitoring and reporting incidents within our own stack to the ENISA platform. However, because you own your custom software, we will not report incidents or exploited vulnerabilities that happen within your application layer. You will be responsible for handling the reporting for your own applications.
To help you meet your obligations, we are building the necessary tooling so you can maintain compliance with minimal effort. Right now, we are working on solutions for fleet vulnerability monitoring, which will likely involve notifications regarding vulnerabilities in your specific releases. For detecting active incidents on the devices themselves, last month at Embedded World we demonstrated a partner solution with Exein. Exein provides the on-device anomaly detection, and Balena acts as the deployment system to reliably and quickly push OTA fixes to your entire fleet to mitigate any exploited vulnerabilities. This is currently a closed beta; we'd be happy to show you a demo and discuss your needs.
Best Regards
Harald
Hi Harald,
I would love to learn more about fleet vulnerability monitoring and Exein. Please reach out directly to me.
Seing