THE INDUSTRIAL INTERNET of Things (IIoT) explosion creates a crucial need for robust cybersecurity practices and well-defined standards that provide customers with confidence that their connected devices will operate securely throughout their entire lifecycle. Cybersecurity is a critical capability and aspect of creating trusted environments. How can you validate that secure-by-design principles have been applied to every product installed across your systems?
Secure-Development Lifecycle (SDL) was created in response to an increase in virus and malware outbreaks at the turn of the 21st century. This approach to product development places cybersecurity front and center from inception through deployment and lifecycle maintenance. SDL can help manufacturers stay ahead of cybercriminals by managing cybersecurity risks throughout the entire lifecycle of a product or solution.
As an early spearhead of the SDL initiative, Microsoft (microsoft.com) made its SDL tools, processes, and guidelines widely available. Since then, SDL has been widely adopted across industries, including electrical and critical infrastructure. Today, SDL is a proven strategy to proactively address risk with a system-wide defensive approach.
For manufacturers, adopting an SDL approach that has been validated by a third party is critical to creating trusted environments. It’s the third-party certification that gives customers confidence in the processes and technologies they’re applying, much like safety certifications and standards in the National Electric Code.
Although SDL is not an inherent code or standard, it does dictate how cybersecurity should be integrated into processes for product procurement, design, implementation, and testing teams. The International Electrotechnical Commission (IEC, Geneva, Switzerland, iec.ch) 62443-4-1 lays out guidelines for secure product lifecycle development in the electrical industry. The IEC guidelines specify process requirements for the secure development of products used in industrial-automation and control systems. They also define a secure-development lifecycle for developing and maintaining secure products. These requirements can be applied to new or existing processes for developing, maintaining, and retiring hardware, software, or firmware for new or existing products.
Third-party validation for SDL processes is important because it provides customers with confidence and helps reduce risk by confirming that the technologies and processes they’re applying comply with proven industry guidelines. Manufacturers who are committed to SDL use proactively manage cybersecurity risks in products through a framework involving threat modeling, requirements analysis, implementation, verification, and ongoing maintenance.
A “defense in depth” mechanism that is effective today may not be effective tomorrow because vulnerabilities keep evolving. This is why administrators of industrial-control-system networks must be ever alert to changes in the cybersecurity landscape and work to prevent any potential vulnerabilities.
The cybersecurity process certifications outlined by IEC provide customers with confidence that manufacturers have instilled the organization-wide approaches needed to ensure robust cybersecurity over the lifecycle of any given product.
Beyond adhering to SDL development processes, it is also critical that organizations across the electrical industry establish a robust cybersecurity program that includes periodic assessment of their IT/OT network to ensure they stay on top of network vulnerabilities. If they don’t have this expertise in house, they can leverage third-party cybersecurity service offerings from trusted suppliers. Two of these services include:
An initial audit and assessment focused on people, processes, and technology to help customers take corrective action and advance system uptime.
Workforce education focused on how to design, develop, deploy, and maintain products and solutions on infrastructure and keep up to date with evolving cybersecurity threats.
As connected devices flourish, cybersecurity increases in importance. If your organization isn’t currently adhering to SDL processes, there’s no better time to start than now.
Max Wandera is Director of the Cybersecurity Center of Excellence at Eaton, Beachwood, OH, (eaton.com). Wandera provides leadership and oversight for the research, design, development, and implementation of security technologies for products, systems, and software applications.