By Darnell Washington · October 14, 2016
During the past five years, explosive demand for mobile devices and network/Internet-connected cyber-physical systems (CPS) has caused a paradigm shift away from traditional design, installation and support methodologies. Physical security manufacturers have lagged in the technical proficiency needed to develop secure, cyber-hardened IP-based solutions that meet market demand. Many have jumped into the water (often without a life vest) to maintain competitiveness and relevance in the market. Earlier systems were maintained separately from the network, were isolated and required only minimal computing resources.
This lack of technical proficiency has led to major breaches and cybersecurity incidents. It has introduced security gaps that expose hospital, school and university end users to a swath of unintended cyber risks, many of which are unobservable without significant knowledge of certain tools and processes. Manufacturers that have committed to being cyber aware have undertaken significant investment through training, product technical reviews, product development and system engineering to bring legacy products into mainstream focus. These manufacturers deserve applause (and your business) for their efforts as they establish themselves as leaders in an ever-changing industry.
Achieving system/software security assurance (S/SSA) from a product perspective is the process of ensuring that systems and software are designed to operate at a level of security that is consistent with the potential harm that could result from the loss, inaccuracy, alteration, unavailability or misuse of the data and resources that they use, control and protect.
The 10 steps that follow provide guidance on how to understand and vet manufacturer products for cyber assurance and resiliency when those products are required to be “cyber hardened” or “cyber secure.”
1. Has the manufacturer implemented a cybersecurity system security plan (SSP) for IT components in the product documentation?
Manufacturers with cyber-secure solutions will provide explicit information about the boundaries, subsystems, hardware, software, firmware and network connection rules, demonstrating how the system is determined to be “cyber secure” when deployed in a specific system environment.
Emerging best practices for specifying the requirements and techniques used to harden or secure a product should include a system security plan. The SSP defines many of the security controls that are present in the system, including data encryption, data loss protection, key management, data classification, user roles and responsibilities, authentication, mobile security, etc.
The SSP also describes the information flows, ports, protocols and services, and how system capabilities will be protected from attack.
2. Is the supplier’s solution developed around a system development lifecycle (SDLC) approach?
Manufacturers should have detailed technical documentation to support a system development lifecycle approach. This SDLC process includes security requirements, design, build, testing and deployment strategies.
Configuration management, risk assessment and vulnerability/flaw remediation, patch management, and ongoing system monitoring and auditing capabilities of the solution should be addressed in the SDLC.
One factor that is often overlooked in the SDLC is ongoing cybersecurity training requirements. Ongoing training in cybersecurity development and awareness should be provided to manufacturers’ development teams as well as systems integrators.