The Future of Connected Device Security Post CISA Guidance
Product Security

In part 3 of our series on CISA guidance, explore future IoT security trends from regulatory convergence to supply chain transparency & security by design.

Larry Pesce

VP of Services

November 14, 2024

As we look ahead, several trends are emerging in the wake of CISA's guidance and other regulatory initiatives:

Regulatory Convergence

The alignment between CISA's guidance and other regulatory frameworks (CRA, DOT connected vehicle requirements, FDA guidance) suggests a growing consensus around basic security practices. We're likely to see increased harmonization of these requirements, making compliance more straightforward for manufacturers.

Emphasis on Supply Chain Security

The focus on SBOMs and vulnerability management indicates a shift toward greater supply chain transparency. This trend will likely accelerate, with manufacturers required to provide more detailed information about their software components and security practices.

Security by Design

The industry is moving decisively toward security as a fundamental design consideration rather than an afterthought. This shift, driven by both regulatory requirements and market demands, will likely lead to:

  • Increased adoption of memory-safe languages
  • Better integration of security features in development toolchains
  • More sophisticated vulnerability management programs
  • Enhanced logging and monitoring capabilities

Standardization of Security Features

We're likely to see greater standardization of security features across connected devices, making it easier for organizations to implement consistent security policies. This may include:

  • Standardized MFA implementations for device management
  • Common logging formats and capabilities
  • Unified vulnerability disclosure processes

Predictions for the Next Five Years

  1. Memory-safe languages will become the default choice for new development in critical systems
  2. Automated vulnerability management, supported by machine-readable SBOMs, will become standard practice
  3. Cloud-based security management platforms will emerge as the primary means of securing distributed IoT devices
  4. Regulatory requirements will drive increased investment in security features and capabilities
  5. Security transparency will become a key differentiator in the market
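
Prediction 2 and the Emphasis on Supply Chain Security section both rest on the same mechanism: a machine-readable SBOM that an automated pipeline can match against vulnerability data without a human reading component lists. As an added example (not Finite State's code and not part of the original post), here is a minimal SBOM consumer that parses a CycloneDX-shaped document, matches each component against an advisory feed by package name and version, and reports components that carry no version at all rather than silently passing them as clean. The SBOM, the package names, the versions and the advisory identifiers are all constructed for illustration and do not describe real software or real vulnerabilities; the version ordering is a deliberate simplification.

```python
"""Consume a CycloneDX-style SBOM and flag components covered by advisories.

Added example, not Finite State's code. The SBOM and the advisory feed below
are constructed for illustration: package names, versions and advisory ids
are made up and do not describe real vulnerabilities.
"""
import json
from itertools import takewhile
from typing import Dict, List, Tuple

# Constructed CycloneDX 1.5-shaped SBOM for a hypothetical device firmware image.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "components": [
    {"type": "library", "name": "libexample-tls", "version": "2.4.1",
     "purl": "pkg:generic/libexample-tls@2.4.1"},
    {"type": "library", "name": "mqtt-client", "version": "1.0.9",
     "purl": "pkg:generic/mqtt-client@1.0.9"},
    {"type": "library", "name": "json-parse", "version": "3.2.0",
     "purl": "pkg:generic/json-parse@3.2.0"},
    {"type": "library", "name": "vendor-blob"}
  ]
}
"""

# Constructed advisory feed keyed by package name. 'fixed_in' is the first
# version carrying the fix; anything below it is affected. The identifiers are
# hypothetical; a real pipeline would pull these from a vulnerability database.
ADVISORIES = [
    {"name": "libexample-tls", "fixed_in": "2.4.3", "id": "EXAMPLE-ADV-0001"},
    {"name": "mqtt-client", "fixed_in": "1.0.9", "id": "EXAMPLE-ADV-0002"},
]


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn a dotted version string into a comparable tuple of ints.

    Trailing non-numeric text is dropped ('1.2.3-rc1' -> (1, 2, 3)). This is a
    simplification: real ecosystems each define their own version ordering.
    """
    parts: List[int] = []
    for seg in v.split("."):
        digits = "".join(takewhile(str.isdigit, seg))
        if not digits:
            break
        parts.append(int(digits))
    return tuple(parts)


def load_components(sbom_json: str) -> List[Dict[str, str]]:
    """Parse the SBOM and return its component list, rejecting other formats."""
    bom = json.loads(sbom_json)
    if bom.get("bomFormat") != "CycloneDX":
        raise ValueError("expected a CycloneDX document")
    return bom.get("components", [])


def assess(sbom_json: str, advisories: List[Dict[str, str]]) -> Dict[str, list]:
    """Match SBOM components against the advisory feed.

    Returns {'affected': [(name, version, advisory id), ...],
             'unversioned': [name, ...]}.
    Components without a version are reported separately: an automated check
    must not treat 'could not match' as 'clean'.
    """
    by_name: Dict[str, List[Dict[str, str]]] = {}
    for adv in advisories:
        by_name.setdefault(adv["name"], []).append(adv)

    affected: List[Tuple[str, str, str]] = []
    unversioned: List[str] = []
    for comp in load_components(sbom_json):
        name = comp.get("name")
        version = comp.get("version")
        if not name:
            continue  # nothing to match on
        if not version:
            unversioned.append(name)
            continue
        for adv in by_name.get(name, []):
            if parse_version(version) < parse_version(adv["fixed_in"]):
                affected.append((name, version, adv["id"]))
    return {"affected": affected, "unversioned": unversioned}


if __name__ == "__main__":
    report = assess(SBOM_JSON, ADVISORIES)
    for name, version, adv_id in report["affected"]:
        print(f"AFFECTED  {name}@{version}  ({adv_id})")
    for name in report["unversioned"]:
        print(f"UNKNOWN   {name}  (no version in SBOM; cannot be matched)")
```

Two details carry the security point. A component whose version equals the fixed version (mqtt-client at 1.0.9 here) is correctly not flagged, so the comparison has to be strict. And the unversioned component is surfaced as a finding in its own right: in practice, SBOM gaps of that kind are exactly what the transparency requirements in the regulatory guidance are meant to close.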

The industry is at a turning point, with CISA's guidance representing just one piece of a broader movement toward more secure connected systems. Success will require commitment from manufacturers, clear regulatory frameworks, and continued innovation in security technologies and practices.

Larry Pesce is VP of Services at Finite State, where he leads product security research and vulnerability assessments across IoT, OT, and healthcare devices. With over 20 years of experience, he’s also a longtime SANS instructor and co-host of Paul’s Security Weekly, known for advancing vulnerability management practices industry-wide.
