Organizations have wildly varying degrees of maturity when it comes to the cybersecurity of their products. Some, motivated by pressures from investors, clients, auditors or regulators, are highly mature when it comes to building cyber safe products. Others are less aware of the potential issues and risks, perhaps because they don’t understand the problem’s relevance, or perhaps because they believe that security is a barrier to product development (hint: done the right way, it doesn’t have to be).
Perhaps the best example of an industry where mature product security processes are likely to be in place is the medical device industry. Having long faced strong regulatory oversight from the U.S. Food and Drug Administration (FDA), medical device manufacturers build systems like pacemakers and insulin pumps that are critical for keeping their wearers alive. When you’re building life-supporting systems that often have Bluetooth or app connectivity, and you’re always under the sharp eye of regulators, your incentives for maintaining robust product security are strong. Makers of industrial control systems (ICS), including the Supervisory Control and Data Acquisition (SCADA) systems and Programmable Logic Controllers (PLCs) that operate in critical infrastructure facilities, also have reasons to be motivated to strengthen the security of their products. After all, these hardware and software systems control the operations of nuclear power plants, the electrical grid, wastewater treatment plants, dams, communication networks and other essential public infrastructure.