Cyber Resilience in Practice: Why product cyber security matters

Join Rajeev Panicker, Business Head of Cyber Security & Privacy Services at DNV India & Middle East, as we dive into the evolving landscape of cyber resilience and explore the critical importance of product cyber security in today's digital frontier.

In today's digital era, cyber security stands as a crucial component in the entire lifecycle of any product, from its inception to its disposal. As various industries from automotive to consumer devices keep innovating, the concepts of cyber security and privacy by design have emerged as essential principles in product development. This is not just about adding more security or privacy features; it is about incorporating cyber security and privacy considerations into the core of products from the beginning.  

Cyber security by design refers to the process of integrating security measures and best practices into the structure and development of a product, while privacy by design refers to the process of embedding privacy protections and safeguards into the functionality and operation of a product. Both concepts are based on the idea that security and privacy should not be a later addition or an extra feature, but rather an intrinsic and proactive part of the product design. 

Cyber security & privacy challenges

A product with digital elements may face various obstacles and impediments that can affect its cyber resilience: 

  • Lack of awareness: Developers and providers may not grasp or prioritize cyber security and privacy principles by design.  
  • Resource constraints: Financial, technical, or organizational limitations may hinder the integration of cyber security measures.
  • Poor collaboration and coordination: Stakeholders with differing roles and perspectives may struggle to communicate effectively on security and privacy issues.  

Why is cyber security verification critical?

It is essential to verify the cyber security of any digital product, no matter how big, simple, or useful it is. Here are some of the reasons why: 

  • Protection against threats: Cyber security verification can protect against cyber-attacks, data breaches, and identity theft, which can lead to financial losses, reputational harm, and legal problems for the product owners and users. 
  • Enhanced user experience: By verifying cyber security, the product can work well, be dependable, and have high quality, which can improve how the user feels about it and uses it.
  • Competitive advantage: Cyber security validation can show the reliability and quality of the product, which can enhance its attractiveness and competitive advantage.

Is cyber security verification required by regulations?

Several rules, existing or planned, mandate cyber security verification for all products that have some digital components. Some examples are: 

  • The automotive industry has advanced in product verification. UN Regulation No. 155 (R155) is a significant directive that addresses cyber security in the automotive industry. R155 sets mandatory cyber security standards to safeguard modern vehicles from cyber threats as technology and connectivity become more integrated into vehicles. These requirements will apply to all vehicles of category M, N, O, L6 & L7 from July 2024, which means that all vehicles produced from this date must comply with R155. The ISO/SAE 21434 standard is designed to meet these automotive-product-specific cyber security requirements.
  • The Cyber Resilience Act (CRA) was proposed by the European Commission on September 15, 2022, to enhance cyber security across the EU through common standards for products with digital elements, including hardware and software. It awaits formal adoption by the Council.
  • The US National Cyber Security Strategy ensures the protection of the cyber security of critical infrastructure and the privacy of data that is stored in various products.
  • The International Society of Automation (ISA), which manages the industrial cyber security requirements, suggests different product certification schemes such as Component Security Assurance (CSA), IIoT Component Security Assurance (ICSA) & ACS Security Assurance (ACSSA).

How third-party verification benefits products

Cyber security verification is necessary and often legally required for digital products. It involves confirming that the product's security and privacy measures meet standards and user expectations. This verification spans the entire product development lifecycle, employing methods like vulnerability scanning and compliance audits.

Best practices for cyber security verification 

  1. Establish the security goals: Define security requirements based on stakeholder and regulatory standards.  
  2. Identify risks: Analyse social security threats based on product features, environment and intended use. 
  3. Apply appropriate methods: Select verification tools based on the scope, complexity, and budget of the product.
  4. Remediate issues: Address detected vulnerabilities promptly based on urgency, severity and impact. 
  5. Continuous improvement: Regularly review and update the security verification process and results, based on the feedback, changes, and improvements of the product. 

Ensuring the cyber trustworthiness of such products is vital within the development lifecycle, minimizing the risks of cyberattacks and data breaches.  

It's crucial to tailor security verification methods to each project's needs, promptly addressing any identified issues. Security verification must be an ongoing process, adapting to product evolution and feedback. Adhering to best practices enables developers to deliver secure, reliable products to customers and stakeholders. 

DNV's experience and expertise in cyber security mean that we can support you in maintaining the resilience and security of your supply chain. Contact us to find out more.

5/17/2024 8:00:00 AM