A portfolio project demonstrating EU Cyber Resilience Act (CRA) compliance for an ESP32-based IoT sensor node.

```
[DHT22 Sensor] ──► [ESP32 Node] ──mTLS──► [MQTT Broker] ──► [Dashboard]
                        │
                    Signed OTA
                  NVS Encryption
                   Secure Boot
```

| Article | Description | Implementation |
|---|---|---|
| Art. 13.1.a | Security by design | Threat model, minimal attack surface |
| Art. 13.1.b | No known exploitable vulnerabilities | SBOM + CVE scanning |
| Art. 13.1.c | Secure configuration by default | mTLS required, no plaintext fallback |
| Art. 13.1.d | Protection of data | TLS 1.3, NVS encryption |
| Art. 13.1.e | Minimisation of attack surface | Disabled unused peripherals/services |
| Art. 13.1.f | Reduced impact of incident | Anomaly logging, broker rejection |
| Art. 14 | Vulnerability handling | CVD policy, SBOM, OSV scan |
| Art. 15 | SBOM | CycloneDX SBOM generated per build |
- Phase 1 — Threat Modeling (STRIDE)
- Phase 2 — Secure MQTT over Mutual TLS
- Phase 3 — SBOM Generation & CVE Scanning
- Phase 4 — Signed OTA Updates (Week 2)
- Phase 5 — NVS Encryption & Secure Boot (Week 2)

```
cra-esp32-secure-node/
├── firmware/       ESP-IDF application source code
├── pki/            Certificate generation scripts (keys excluded from git)
├── broker/         Mosquitto broker configuration
├── sbom/           Generated SBOM files (CycloneDX)
├── docs/           All documentation
│   ├── phases/     Phase-specific guides
│   ├── evidence/   Screenshots, logs, test results
│   └── templates/  CRA document templates
└── dashboard/      (Future) monitoring dashboard
```
For the Phase 1 threat model, see docs/phases/PHASE_1_THREAT_MODEL.md.

All evidence artifacts are stored in docs/evidence/.

See docs/CHECKLIST_AND_KPI.md for progress tracking.

Built for EU CRA Consulting Portfolio | Author: [Your Name]