Cybersecurity Readiness for Connected Products

IEES supports organisations developing or maintaining:

• Radio-connected products
• Internet-connected embedded devices
• Industrial electronics
• Connected sensors and gateways
• Software-enabled products
• Medical and life-sciences product platforms
• Edge-AI and connected-device systems
• Long-life products requiring secure updates and lifecycle support

Manufacturers often need to answer questions such as:

• Is cybersecurity clearly represented in the product architecture?
• Are trust boundaries, interfaces, assets, and data flows documented?
• Are security requirements traceable to product risks and mitigations?
• Is there a clear vulnerability handling process?
• Are software components and third-party dependencies visible?
• Is the update mechanism secure and resistant to rollback or unauthorised firmware?
• Are manufacturing, provisioning, and device identity assumptions documented?
• Is cybersecurity evidence available for engineering, quality, regulatory, and security review?
• Are lifecycle and end-of-life responsibilities clear?

RED / EN 18031 Readiness Review

IEES reviews connected-product security assumptions against the types of evidence and engineering controls expected for relevant radio-connected products.

Cyber Resilience Act Readiness Mapping

IEES helps product teams identify cybersecurity gaps across architecture, software supply chain, vulnerability handling, secure updates, lifecycle support, and technical documentation.

Product Threat Modelling

IEES maps assets, actors, interfaces, trust boundaries, attack paths, mitigations, and residual risks to make product cybersecurity visible and actionable.

SBOM and Vulnerability Handling Review

IEES reviews software component visibility, SBOM readiness, third-party dependency risk, vulnerability intake, triage, remediation, and disclosure workflows.

Secure Update and Lifecycle Security Review

IEES reviews firmware and software update mechanisms, rollback protection, signing assumptions, product support periods, post-market cybersecurity, and end-of-life considerations.

Secure Manufacturing and Provisioning Review

IEES reviews provisioning workflows, device identity, key handling, firmware loading, production traceability, and manufacturing security assumptions.

Typical Client Outputs may include some of the below examples:

• RED / CRA readiness gap summary
• Product cybersecurity evidence map
• Boundary diagrams
• Data-flow diagrams
• Product threat model
• Attack-surface register
• Security requirements recommendations
• SBOM readiness observations
• Vulnerability workflow review
• Secure update review
• Secure provisioning review
• Prioritised remediation roadmap
• Internal review summary for engineering, quality, regulatory, and security stakeholders

A Practical Starting Point:

• A readiness review does not need to start as a broad audit. IEES can begin with one product, product family, connected workflow, architecture, or lifecycle process.

Example Starting Points At Client Engagements:

• Connected product architecture review
• RED / EN 18031 readiness gap assessment
• Cyber Resilience Act readiness mapping
• Threat modelling for a connected product workflow
• SBOM and vulnerability-handling process review
• Secure update and lifecycle security review
• Secure provisioning and manufacturing review