Executive Summary
What is the cumulative cybersecurity risk of an organization’s connected systems and products (CSP)? Does everyone agree the company is addressing the right risks at the right time? Do all partners understand their roles in responding to security issues?
CSP are driving industry growth across every sector of the market because of their cost-saving and product-lifecycle benefits. Security challenges in this space have evolved and become more complex, because security today requires a different approach: one that prioritizes not only availability, integrity, and confidentiality, but also control and safety.
In this article, we outline some of the most prevalent challenges posed by today's CSP, including the lack of security integration into the development lifecycle, and provide an overview of an approach to integrating security into the lifecycle.
CSP and the security challenge
The increase in CSP brings mounting risks. In recent years, companies large and small have become susceptible to a variety of attacks and exploits through unpatched vulnerabilities in their CSP. Based on our experience with similar organizations, the risk grows when CSP send data to other CSP according to their level of autonomy, producing risks that transcend typical company risks (Table 1.1). These heightened risks center on disruption of the CSP themselves, which in turn causes system or equipment impairment, threats to physical safety, loss of R&D, and other critical issues, with major consequences such as altered or interrupted automated production processes and human injury or casualty. In addition, CSP left unsecured may undermine customer expectations and customer trust. Security concerns have grown in complexity because of the nature of CSP and the challenges they pose. This shifting paradigm requires that product security prioritize confidentiality, integrity, availability, control, and safety.
Top 5 challenges posed by CSP
In an evolving technology landscape driven by CSP, organizations face a myriad of challenges in incorporating security into both the development and post-development phases of CSP. Based on our experience delivering cybersecurity services to organizations across a variety of industry sectors, we have compiled the following list of the top 5 CSP security challenges faced by our clients:
Integrating security into CSP
In order to properly identify and mitigate these vulnerabilities, one must understand the environment and technologies that underlie them. Each component follows its own development methodology, so the security program must be holistic in nature. The final CSP is typically a combination of internally developed and externally sourced components, so the security of the underlying components must be assured across the supply chain.
Securing the CSP themselves entails building an inventory and risk profile, developing policies and procedures around CSP, security testing, and monitoring. Securing the analytics and control backend requires effective practices in software security, continuous monitoring, vulnerability identification and management, and denial-of-service protection. Finally, securing the operating product involves developing deployment guidance, intellectual property protection, threat intelligence, and incident response capabilities.
A common misconception across organizations is that traditional security controls can simply be carried over to a CSP environment because defects are fixed at a faster rate. While secure development principles still apply and automated checkpoints need to be built into each phase, the integration points and methodology must be tailored to the faster phases and must account for changes in operations.
Our outlined approach to connected products is unique because it covers the entire product development lifecycle. Risk management is matured by integrating an advanced risk identification process into the development lifecycle and into the threat and vulnerability management processes. When implemented correctly, software security effectively manages the total cost of development and strategically aligns information security with business partners. Our approach can be applied to organizations regardless of their development methodology and whether they build in-house or use vendors.
Author Note: This article and subsequent updates were co-written by Akshay Aggarwal and Shahnawaz Sabuwala.