The Future of Connected Device Security Post CISA Guidance
In part 3 of our series on CISA guidance, explore future IoT security trends from regulatory convergence to supply chain transparency & security by design.

Larry Pesce
VP of Services
As we look ahead, several trends are emerging in the wake of CISA's guidance and other regulatory initiatives:
Regulatory Convergence
The alignment between CISA's guidance and other regulatory frameworks (CRA, DOT connected vehicle requirements, FDA guidance) suggests a growing consensus around basic security practices. We're likely to see increased harmonization of these requirements, making compliance more straightforward for manufacturers.
Emphasis on Supply Chain Security
The focus on SBOMs and vulnerability management indicates a shift toward greater supply chain transparency. This trend will likely accelerate, with manufacturers required to provide more detailed information about their software components and security practices.
Security by Design
The industry is moving decisively toward security as a fundamental design consideration rather than an afterthought. This shift, driven by both regulatory requirements and market demands, will likely lead to:
- Increased adoption of memory-safe languages
- Better integration of security features in development toolchains
- More sophisticated vulnerability management programs
- Enhanced logging and monitoring capabilities
Standardization of Security Features
We're likely to see greater standardization of security features across connected devices, making it easier for organizations to implement consistent security policies. This may include:
- Standardized MFA implementations for device management
- Common logging formats and capabilities
- Unified vulnerability disclosure processes
Predictions for the Next Five Years
- Memory-safe languages will become the default choice for new development in critical systems
- Automated vulnerability management, supported by machine-readable SBOMs, will become standard practice
- Cloud-based security management platforms will emerge as the primary means of securing distributed IoT devices
- Regulatory requirements will drive increased investment in security features and capabilities
- Security transparency will become a key differentiator in the market
The industry is at a turning point, with CISA's guidance representing just one piece of a broader movement toward more secure connected systems. Success will require commitment from manufacturers, clear regulatory frameworks, and continued innovation in security technologies and practices.

Larry Pesce is a lifelong hacker, educator, and leader in embedded and connected device security. As the Vice President of Services, Larry drives strategic security initiatives across the software supply chain, helping product teams build resilient devices from the ground up. With over 15 years of hands-on penetration testing experience spanning IoT, healthcare, ICS/OT, and wireless technologies, he combines deep technical knowledge with real-world expertise. Larry is also a renowned SANS instructor and co-host of the long-running Paul’s Security Weekly podcast, shaping the next generation of security professionals.