Once upon a time, in what’s now a bygone era, computers were computers, cars were cars and toasters were toasters. In today’s increasingly connected and sensor-enabled world, however, a new car can contain over 3,000 silicon semiconductor chips — since computing power is essential to controlling everything from in-car navigation systems to transmissions. Modern refrigerators feature touchscreen interfaces and WiFi connectivity-enabled features; some can even synch with your smart dishwasher or smart microwave. A plethora of other consumer-oriented products now enable people to interact with them via their smartphone or tablet, even when they’re away from home.
In short, the line between “product” and “technology product” has become ineluctably blurred. Ever-growing numbers of manufacturers are incorporating sensors into product designs or adding digital connectivity into formerly analog devices. This means that increasing numbers of companies — many without backgrounds in software engineering — are now developing applications. How can they ensure that the products they’re building are secure against modern cyber threats?
Enterprise security vs. product security
It’s a fact of life for today’s businesses: organizations that want to bolster their resilience against cybersecurity risks will need to build a robust internal cybersecurity program or seek help from a managed detection and response (MDR) provider or other external expert team. In and of itself, maturing an enterprise security program is a complicated endeavor. In addition, companies that create, develop and sell technology products should also consider what they’re doing to build out cybersecurity for their products.
Product security entails a distinct set of concerns that are different from what the Chief Information Security Officer (CISO) is responsible for. While an enterprise security program aims to protect corporate computing systems from external attackers and ensure the confidentiality of intellectual property and sensitive customer data, a product security team’s goal is to protect the application connectivity, web services and computing infrastructure that’s associated with their product, to figure out how they’d handle the incident if one of these systems were compromised, and to manage software vulnerabilities within the product itself.
In general, product security teams are tasked with:
- Incident response: If a customer (or security researcher) discovers a vulnerability in the product, how will you handle it?
- Investigating complaints: If customers report that a product or its associated application is unreliable, does this mean it’s vulnerable to attack?
- Vulnerability management: What will you do if software inside the product you sell needs patching?
- Strengthening product security during all design phases: Does your development team leverage secure coding practices? What types of software testing do you do? How early? How often?
Enterprise and product security teams are wholly different organizations with different goals, requirements and motivations. Depending on the type of product involved, it’s likely that regulatory oversight will differ as well. Of course, the company wants to be able to build and sell products profitably, but it also needs to ensure that it meets compliance standards that were designed to protect the public. Reducing litigation risk is increasingly important, too.
Industries leading the way in product security
Organizations have wildly varying degrees of maturity when it comes to the cybersecurity of their products. Some, motivated by pressures from investors, clients, auditors or regulators, are highly mature when it comes to building cyber safe products. Others are less aware of the potential issues and risks, perhaps because they don’t understand the problem’s relevance, or perhaps because they believe that security is a barrier to product development (hint: done the right way, it doesn’t have to be).
Perhaps the best example of an industry where mature product security processes are likely to be in place is the medical device industry. Having long faced strong regulatory oversight from the U.S. Food and Drug Administration (FDA), medical device manufacturers build systems like pacemakers and insulin pumps that are critical for keeping their wearers alive. When you’re building life-supporting systems that often have Bluetooth or app connectivity, and you’re always under the sharp eye of regulators, your incentives for maintaining robust product security are strong. Makers of industrial control systems (ICS), including the Supervisory Control and Data Acquisition (SCADA) systems and Programmable Logic Controllers (PLCs) that operate in critical infrastructure facilities, also have reasons to be motivated to strengthen the security of their products. After all, these hardware and software systems control the operations of nuclear power plants, the electrical grid, wastewater treatment plants, dams, communication networks and other essential public infrastructure