Why Physical Security Products Need Over-the-Air (OTA) Updates Under the EU CRA
The global rise of connected devices has increased the need for robust cybersecurity measures to protect users, consumers, and society. On average, a cyber-attack costs upwards of $4.88 million. Considering the increasing prominence of high-profile, costly outages, like the CrowdStrike outage or the Change Healthcare ransomware attack of 2024, governing bodies worldwide are enacting sweeping regulations to safeguard products, infrastructure, and consumers.
Mandated Remediation Throughout the Product Lifecycle
Approved in October 2024, the European Union Cyber Resilience Act (CRA) is at the forefront of a new regulatory wave, demanding more from manufacturers than traditional security measures. Going beyond conventional cybersecurity best practices, the CRA applies horizontally across products with digital elements (PDEs) and requires actively managing security risks throughout the product lifecycle.
A central component of CRA compliance is vulnerability remediation. Specifically, Annex 1.2.7 and Annex 1.3(k) mandate two actions that manufacturers must take:
- “...provide for mechanisms to securely distribute updates for products with digital elements to ensure that exploitable vulnerabilities are fixed or mitigated in a timely manner;” and
- “...ensure that vulnerabilities can be addressed through security updates, including, where applicable, through automatic updates and the notification of available updates to users.”
In practical terms, the CRA's emphasis on “automatic” updates delivered within an “appropriate time frame” makes over-the-air (OTA) update capability a necessity.
The Challenges of Traditional Update Methods in Physical Security
Today, IoT devices, including physical security products, often operate in diverse and remote environments, with fleets typically ranging from thousands to tens of thousands of devices. By 2030, the number of IoT-connected devices is expected to reach 32.1 billion, with physical security systems playing a significant role in this growth.
Physical security products have increased in prominence and complexity, driven by the proliferation of smart devices and edge computing technologies. These innovations enable physical security systems to process data locally on devices, reducing latency and enhancing operational efficiency. However, as these systems become more intelligent and dispersed across campuses, cities, and regions, their security becomes increasingly complex. Physical security products are critical to ensuring safety and security in a digitalized world, from surveillance cameras and access control systems to alarm systems and sensors. Yet, the widespread deployment of these products presents challenges, particularly in remediating vulnerabilities in a CRA-compliant manner.
Traditional methods of updating physical security devices, such as manual intervention or USB-based updates, are no longer practical in today’s interconnected world. The dispersed nature of these devices means technicians would need to visit each location physically, a costly and time-consuming process that also risks system outages and exposure to attacks. Traditional approaches also increase the risk of human error and leave devices vulnerable to cyber threats during the lag time between identifying a vulnerability and remediating it. For example, consider a university security system with thousands of connected cameras. Coordinating manual updates across such a fleet would be a logistical nightmare, making it nearly impossible to meet the “appropriate time frame” mandated by the CRA for addressing vulnerabilities.
As physical security systems grow in complexity and scale, so does the need for automated, scalable solutions to manage their security effectively. Traditional manual updates that require onsite visits are impractical and costly, especially at scale, and increase the risk of non-compliance. OTA updates eliminate these challenges by enabling instant, remote deployment of security patches, ensuring compliance with CRA timelines.
The Critical Role of Security Patch Management
Security patch management is essential in maintaining the integrity of smart physical security devices. The CRA upholds the importance of patch management by requiring manufacturers to actively manage vulnerabilities throughout a product’s lifecycle. Additionally, Annex III distinguishes products with physical security functions as Class I and Class II, both with deeper auditing and documentation requirements, further underscoring the importance of timely patch management for physical security PDEs.
For physical security systems, comprehensive patch management, including automation, timeliness, documentation, and tracking, is a regulatory requirement, as these classes of products by nature handle sensitive information or functions. According to article 53.3 of the CRA, non-compliance can result in significant penalties, including fines of up to €15 million or 2.5% of global turnover and the potential loss of market access in the EU. Automated patch management is not merely a convenience but a necessity for ensuring compliance and protecting against evolving cyber threats.
How OTA Updates Streamline Compliance and Security
OTA update technology addresses the challenges of traditional update methods by enabling manufacturers to deploy security patches remotely and instantly. This capability is particularly crucial for physical security systems, where delays in patching can have severe consequences, such as system outages, which leave users vulnerable and unprotected.
Key benefits of OTA updates:
- Timeliness: Meet CRA’s stringent requirements for addressing vulnerabilities within an appropriate time frame.
- Automation: Reduce the risk of human error and ensure updates are deployed consistently across all devices.
- Scalability: Support large fleets of devices, regardless of their physical location or complexity.
- Security: Ensure security for all PDEs throughout the product lifecycle with advanced functionality like encrypted delivery, rollback capabilities, and secure first boot.
Automation through OTA updates eliminates the delays, errors, and security risks of traditional methods. Features like phased or canary rollout, authentication, and delta updates ensure secure and efficient patch deployment, directly aligning with the CRA’s requirements and the robust security necessary to protect users of physical security products. For instance, if a vulnerability is discovered in a widely deployed access control system, an OTA solution can patch the issue across thousands of devices almost instantaneously, minimizing the window of exposure to potential threats. Beyond compliance, OTA updates enhance fleet security by reducing vulnerabilities while protecting the manufacturer's reputation and consumer safety.
By leveraging OTA technology, manufacturers can maintain their products' security and functionality while ensuring compliance with the CRA.
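To make the update-security properties named above concrete, here is an added example (not code from the original article or from any OTA vendor) of the device-side checks a CRA-oriented OTA client applies before installing an update: manifest authentication, binding the image to the signed manifest by hash, refusing downgrades, and a deterministic phased/canary cohort. The firmware bytes, signing key and device ids are constructed; HMAC-SHA256 is assumed as a stand-in for the asymmetric signature (e.g. Ed25519) a production pipeline would use, and the check sequence is identical.

```python
import hashlib
import hmac
import json

# Constructed sample: stands in for a real firmware image.
FIRMWARE = b"constructed-firmware-image-v3"
# Assumption: manifest-signing key. HMAC-SHA256 replaces the asymmetric signature
# a real OTA pipeline would use; the verification flow is the same.
SIGNING_KEY = b"constructed-manifest-key"


def make_manifest(image: bytes, version: int, rollout_percent: int) -> dict:
    """Server side: sign a description of the image (hash, version, rollout stage)."""
    body = {
        "version": version,
        "sha256": hashlib.sha256(image).hexdigest(),
        "rollout_percent": rollout_percent,
    }
    canonical = json.dumps(body, sort_keys=True).encode()
    body["sig"] = hmac.new(SIGNING_KEY, canonical, hashlib.sha256).hexdigest()
    return body


def in_rollout_cohort(device_id: str, rollout_percent: int) -> bool:
    """Deterministic canary bucket: a device stays in or out as the percentage grows."""
    bucket = int.from_bytes(hashlib.sha256(device_id.encode()).digest()[:2], "big") % 100
    return bucket < rollout_percent


def should_install(manifest: dict, image: bytes, device_id: str,
                   installed_version: int) -> tuple[bool, str]:
    """Device side: authenticate first, then enforce anti-downgrade and staged rollout."""
    body = {k: v for k, v in manifest.items() if k != "sig"}
    canonical = json.dumps(body, sort_keys=True).encode()
    expected = hmac.new(SIGNING_KEY, canonical, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, manifest.get("sig", "")):
        return False, "bad signature"            # tampered or unsigned manifest
    if hashlib.sha256(image).hexdigest() != manifest["sha256"]:
        return False, "image hash mismatch"       # image swapped after signing
    if manifest["version"] <= installed_version:
        return False, "downgrade refused"         # keep a fixed vulnerability fixed
    if not in_rollout_cohort(device_id, manifest["rollout_percent"]):
        return False, "not in rollout cohort"     # phased/canary rollout
    return True, "ok"
```

Recovery from a failed update (the "rollback capabilities" named above) is a separate mechanism, typically an A/B slot that the bootloader falls back to, and is not shown here.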
The Future of Physical Security and OTA Updates
According to industry projections, the global physical security market is expected to exceed $200 billion by 2030. The physical security industry will continue to grow alongside the IoT market, with artificial intelligence (AI) and advanced analytics driving technical innovation. These emerging technologies enable smarter, more proactive security solutions. However, they also introduce new cybersecurity challenges.
The transformation of global security regulations like the CRA, alongside the growth of the physical security industry, creates the need for modernized approaches to device security and compliance. As the physical security industry evolves, the importance of secure and efficient patch management will only increase. OTA updates are no longer a “nice-to-have” but a “need-to-have” for manufacturers aiming to meet the CRA’s requirements, protect their devices, and maintain customer trust. To capitalize on this growth, manufacturers must prioritize robust cybersecurity measures, with OTA updates as a critical component of that strategy. OTA updates provide a future-proof foundation for managing the security of smart physical security devices, ensuring they remain resilient against emerging threats.