PRODUCT SECURITY

Product Security for Embedded Devices, Connected Devices, and Energy Automation Systems

When designing new products, Product Security teams should be responsible for balancing risks and vulnerabilities, and making recommendations for mitigating controls. They also need to prioritize security fixes. Listed below are some things that a product security team should do. Embedded device manufacturers, connected devices, and energy automation infrastructure manufacturers should all consider how to implement product security. Then, they can help their customers choose the right product for their needs. But before they begin, they should understand their organization's goals, priorities, and security budgets.

Embedded device manufacturers

Embedded devices are not isolated from the rest of the world and are more connected than ever. The proliferation of connected devices is driving new demands in the market and a variety of technology trends, including ubiquitous connectivity, automation, and consolidation of functions. These trends also create new challenges for embedded device manufacturers because these products often contain sensitive information and are more vulnerable to cyberattacks. Manufacturers must balance their interest in protecting the end user with their obligation to protect the product.

 

One of the most common vulnerabilities is due to lack of testing. While many asset owners require audits and certifications of their products, these processes can be gamed and companies should conduct their own security testing. While some vendors offer encrypted update/firmware packages, most do not. Moreover, manufacturers should be aware that cryptography primitives are not secure enough. The resulting vulnerabilities can lead to implementation issues and re-use of cryptographic keys.

 

Connected device manufacturers

Product security for connected device manufacturers is important for many reasons, but perhaps none are more pressing than legal concerns. Today's connected devices are veritable computer networks on wheels, and the majority of them contain software and firmware provided by third parties. As a result, the OEM typically has little control over these third-party components, which create a new layer of risk. In this article, we will discuss how manufacturers can address these concerns and ensure their connected devices remain secure.

 

As the cyberthreat landscape continues to evolve, the challenges faced by connected device manufacturers are also becoming more complex. To stay abreast of threats, developers must constantly monitor and address product vulnerabilities across the lifecycle. Fortunately, there are some new technologies that can help product security teams manage threats without delaying time-to-market. Product security for connected device manufacturers can benefit from continuous monitoring of SBOM to identify and prioritize vulnerabilities.

 

Energy automation infrastructure manufacturers

Energy system vendors face increasing cyber security threats, especially with energy supply being considered a critical infrastructure. This paper examines the latest cyber security challenges faced by energy automation vendors and proposes solutions. Cybersecurity concerns range from technical to organizational and regulatory issues. The paper also focuses on an implementation strategy for the IEC 62351 security standard, which Siemens has used in its energy sector group. The paper also discusses the importance of maintaining security and resilience in energy systems to ensure the energy supply remains reliable.

 

With a strong focus on product security, energy automation infrastructure manufacturers are embracing new cloud-based and IoT technologies to enhance efficiency. COPA-DATA offers zenon, an automation software solution based on industry standards for reliable and secure operation. Digitalization is transforming utility operations and enabling new business opportunities. Product security is essential. By leveraging the benefits of digitalization, utilities can take advantage of new opportunities and improve overall operational efficiency.

Medical Device and software manufacturers

The FDA guidance document applies to devices that contain software (including firmware) or programmable logic and software as a medical device (SaMD). The guidance is not limited to devices that are network-enabled or contain other connected capabilities. This guidance describes recommendations regarding the cybersecurity information to be submitted for devices under the following premarket submission types: 

  1. Premarket Notification (510(k)) submissions; 

  2. De Novo requests; 

  3. Premarket Approval Applications (PMAs) and PMA supplements; 

  4. Product Development Protocols (PDPs); 

  5. Investigational Device Exemption (IDE) submissions; and 

  6. Humanitarian Device Exemption (HDE) submissions.