    How the Secure Development Lifecycle Can Help Protect IIoT Deployments

January 22, 2019 (updated January 22, 2019)
    It’s Not Enough to Assume a Vendor Has Done Its Job When it Comes to Securing IIoT Devices

    As the process of digitization accelerates across all sectors, so too does the number of cybersecurity challenges that present themselves. Once perceived primarily as a challenge to engineering, corporate IT and consumers, it’s now a hot topic for all. From the healthcare and automotive sectors, to industrial control systems (ICS), building management or energy distribution, the growing fears that increasing network capabilities will lead to greater risk are very real and justified. More networked devices are finding their way into more systems, and the abilities of attackers are improving by the day.

    Over-exposure to cyberattack, however, is a symptom of a more fundamental problem that is common to all product areas, and there’s a solution which is the same for any industrial setting. Security considerations are not being taken into account early enough in the development of new products, leaving potential vulnerabilities to be fixed at a later stage when it is often too late. What is required is strict adherence to the principles and framework of the Secure Development Lifecycle (SDL) process.

    SDL is well understood and was first introduced to software engineering almost two decades ago, yet it is still notable by its absence in many new deployments of Industrial Internet of Things (IIoT) technologies, and in more general hardware development. It’s much more than a process, too. Having a mature SDL process is a key tool that vendors can use to demonstrate their products are secure by design. 

    To put it another way, SDL is key both to protecting industrial components and networks from cybersecurity risks, and improving the level of trust and confidence that users will ultimately place in them.

    What is SDL?

    SDL is a mature process for providing cybersecurity assurance. It’s a methodological process to identify and reduce potential threat vectors, based on detailed knowledge and understanding of how and where a product will operate. The latter is a particularly difficult task in the worlds that are opening up to connected devices, such as automotive, medical devices, building management systems and ICS, because they tend to be highly fragmented environments that have been expanded in an ad hoc manner over time. Consequently, it is not always clear at the outset where a product will be operational, and what other systems it will interface with.

    At its heart, SDL is simple to understand. It’s a strategic way of ensuring that assets are prepared for an attack, by baking security considerations into the design process at every stage of product development. It starts with a full and documented risk assessment even before an initial design document is produced.

    During the design process, a full analysis of the attack surface presented by the product should be conducted, along with threat modelling based on the context in which a device will be used.

    SDL means that developers should adhere to strict code guidelines – which means no more easter eggs or humorous comments/hints hidden in programmes. It also means that security testing (e.g. manual/automated code review) should be an intrinsic part of the regular quality assurance process, given the same priority as bug hunting and compatibility checks.

Through careful and constant assessment right up to the point of deployment, SDL should ensure that there are no undocumented backdoors, that network interfaces are properly configured and that access to devices is strictly controlled. Continuous testing throughout the design process should include penetration testing, static analysis and fuzzing, which feeds a system large volumes of malformed or unexpected input (truncated messages, out-of-range length fields, random bytes) to find crashes and mishandled edge cases that an attacker could exploit.
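To make the fuzzing point concrete, here is a minimal mutation fuzzer in Go against a constructed frame parser. It is an added example, not code from the original column or from Applied Risk. The frame layout ([tag][len][payload][xorsum]), the seed frame and every function name are assumptions for the illustration. parseNaive trusts the length byte, as a rushed firmware parser might; parseChecked is the hardened form. Note that the fuzzer is not a load or overload tool: it feeds malformed variants of one valid frame and watches for the parser to fail in a way it should not.

```go
package main

import (
	"errors"
	"fmt"
	"math/rand"
)

// Constructed frame layout, an assumption for illustration and not a real
// IIoT protocol: [tag:1][len:1][payload:len][xorsum:1].
var ErrShort = errors.New("frame: truncated")
var ErrSum = errors.New("frame: checksum mismatch")

func xorsum(p []byte) byte {
	var s byte
	for _, c := range p {
		s ^= c
	}
	return s
}

// seedFrame is a valid, hand-built frame used as the fuzzer's starting input.
func seedFrame() []byte {
	payload := []byte{0x01, 0x02, 0x03}
	f := append([]byte{0x10, byte(len(payload))}, payload...)
	return append(f, xorsum(payload))
}

// parseNaive is the deliberately flawed parser: it trusts the length byte, so a
// frame whose length field exceeds the bytes received indexes past the buffer.
func parseNaive(b []byte) (tag byte, payload []byte, err error) {
	if len(b) < 3 {
		return 0, nil, ErrShort
	}
	n := int(b[1])
	payload = b[2 : 2+n]           // panics when 2+n > len(b)
	if xorsum(payload) != b[2+n] { // panics when 2+n == len(b)
		return 0, nil, ErrSum
	}
	return b[0], payload, nil
}

// parseChecked bounds-checks the length field before using it.
func parseChecked(b []byte) (tag byte, payload []byte, err error) {
	if len(b) < 3 {
		return 0, nil, ErrShort
	}
	n := int(b[1])
	if len(b) < 3+n {
		return 0, nil, ErrShort
	}
	payload = b[2 : 2+n]
	if xorsum(payload) != b[2+n] {
		return 0, nil, ErrSum
	}
	return b[0], payload, nil
}

// mutate derives a test input from the seed: overwrite a byte, truncate, or append junk.
func mutate(r *rand.Rand, seed []byte) []byte {
	in := append([]byte(nil), seed...)
	switch r.Intn(3) {
	case 0:
		in[r.Intn(len(in))] = byte(r.Intn(256))
	case 1:
		in = in[:r.Intn(len(in)+1)]
	default:
		in = append(in, byte(r.Intn(256)))
	}
	return in
}

// panicked reports whether f panics, recovering so the fuzz loop can continue.
func panicked(f func()) (did bool) {
	defer func() {
		if recover() != nil {
			did = true
		}
	}()
	f()
	return false
}

// fuzz feeds iters mutated frames to parse and returns the first crashing input, or nil.
func fuzz(parse func([]byte) (byte, []byte, error), seed []byte, iters int, rngSeed int64) []byte {
	r := rand.New(rand.NewSource(rngSeed))
	for i := 0; i < iters; i++ {
		in := mutate(r, seed)
		if panicked(func() { parse(in) }) {
			return in
		}
	}
	return nil
}

func main() {
	seed := seedFrame()
	fmt.Printf("naive parser crashed on:   %x\n", fuzz(parseNaive, seed, 2000, 1))
	fmt.Printf("checked parser crashed on: %x\n", fuzz(parseChecked, seed, 2000, 1))
}
```

The naive parser is caught within a handful of iterations, because both a truncated frame and a corrupted length byte push the index past the end of the buffer. In C firmware the same bug is a silent out-of-bounds read rather than a panic, so there the harness is run under a memory sanitizer or a coverage-guided fuzzer such as libFuzzer or AFL, which turns the over-read into a reported fault instead of a latent one.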

    Post-deployment, SDL should ensure that there are mechanisms in place for securely upgrading firmware, checking device integrity and monitoring for unusual behaviour – and the same continuous testing
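One shape a secure firmware-update path can take, as an added example in Go and not anything from the original column or from a particular vendor's update mechanism: the vendor signs a small manifest (version plus image hash) with an Ed25519 key, and the device verifies the signature, refuses rollback to an older version and checks the image against the manifest before committing. The manifest layout, the Device type and all function names are assumptions for the illustration.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Constructed manifest format, an assumption for this example and not a
// vendor's real format: version (uint32, big-endian) || sha256(image),
// signed with the vendor's Ed25519 key. The device holds only the public key.
const manifestLen = 4 + sha256.Size

var (
	ErrManifest  = errors.New("update: malformed manifest")
	ErrBadSig    = errors.New("update: manifest signature invalid")
	ErrRollback  = errors.New("update: version not newer than installed")
	ErrImageHash = errors.New("update: image does not match manifest")
)

// Device models the update state a controller keeps in protected storage.
type Device struct {
	VendorKey ed25519.PublicKey // provisioned at manufacture
	Version   uint32            // running firmware version (monotonic)
}

// NewVendorKeys generates the vendor's signing key pair (build-server side).
func NewVendorKeys() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(nil)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

func buildManifest(version uint32, image []byte) []byte {
	m := make([]byte, manifestLen)
	binary.BigEndian.PutUint32(m[:4], version)
	h := sha256.Sum256(image)
	copy(m[4:], h[:])
	return m
}

// SignUpdate is the vendor side: emit the manifest and its signature.
func SignUpdate(priv ed25519.PrivateKey, version uint32, image []byte) (manifest, sig []byte) {
	manifest = buildManifest(version, image)
	return manifest, ed25519.Sign(priv, manifest)
}

// Install is the device side. Order matters: the signature is checked before
// any manifest field is trusted, the version counter then blocks rollback to a
// signed-but-vulnerable older image, and finally the image is bound to the manifest.
func (d *Device) Install(manifest, sig, image []byte) error {
	if len(manifest) != manifestLen {
		return ErrManifest
	}
	if !ed25519.Verify(d.VendorKey, manifest, sig) {
		return ErrBadSig
	}
	v := binary.BigEndian.Uint32(manifest[:4])
	if v <= d.Version {
		return ErrRollback
	}
	h := sha256.Sum256(image)
	if !bytes.Equal(h[:], manifest[4:]) {
		return ErrImageHash
	}
	// Only now would the image be written to the inactive slot and the
	// version counter advanced.
	d.Version = v
	return nil
}

func main() {
	pub, priv := NewVendorKeys()
	dev := &Device{VendorKey: pub, Version: 5}
	image := []byte("constructed firmware image v6") // constructed sample, not a real image
	m, sig := SignUpdate(priv, 6, image)
	fmt.Println("install v6:", dev.Install(m, sig, image))
	fmt.Println("replay v6: ", dev.Install(m, sig, image))
	m[3] = 9 // attacker edits the version field without the signing key
	fmt.Println("tampered:  ", dev.Install(m, sig, image))
}
```

Three design points matter here. The device stores only the public key, so compromise of a fielded unit yields no signing capability. The version check rejects an image that is genuinely signed but older, which is how an attacker would otherwise reinstate a patched vulnerability. And because of the order of checks, nothing from the manifest, not even its version field, is interpreted before the signature has been verified. A real implementation would also keep Version in write-protected or monotonic-counter storage, so that rollback cannot be achieved by resetting the counter itself.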

    Why isn’t SDL universal?

While many vendors have improved their approach to product design in recent years, SDL should cover the entire supply chain for a networked solution, and too often some elements are left until late in the design pipeline, leaving security bolted on as an afterthought. In the design of industrial equipment, physical safety has always been of paramount importance; today cybersecurity needs to be treated in the same way.

    There are three key reasons that this tends to occur: 

    Firstly, the primary motivation for product creators is getting a new technology to market. There’s always a push on the development team to meet certain deadlines, and KPIs are structured around these targets. This means that there is not always enough time to look at the security of what is being built in terms of software and hardware, and devices are pushed out before they are ready.

    Secondly, there is a cost factor to SDL. You need assurance reviews, better tooling and processes, specialised software and hardware, all of which has an associated cost. 

    And finally, there’s the issue of awareness and shortage of skills when it comes to developing the applications that underpin industrial hardware and the IIoT. A software engineer’s role is to build an application or system to specification. You can be a brilliant developer when it comes to writing code that executes quickly and meets the project requirements, but writing secure code is a skill set which isn’t as widespread. Developers don’t know what they don’t know – it’s difficult to ask for advice to fix potential security holes if they are not aware of the problems they may be creating.

    What’s the answer? SDL as competitive advantage

Customers are aware of the risks around deploying new technology on their networks, and SDL should be seen as a key way for suppliers to differentiate their offering. Using the language and processes of SDL to demonstrate mission readiness is a powerful sales tool, and responsible developers will invest in the best possible protection against the potential damage to revenue, reputation and operations that a cyberattack can cause, provided the benefits are clearly communicated.

Likewise, for end customers SDL provides a toolkit for interrogating suppliers. They should look for vendors who can explain their implementation of SDL, and whose development organisations comply with the ISA/IEC 62443-4-1 (secure product development lifecycle requirements) and 62443-4-2 (technical security requirements for components) standards. For the last 12 years, ISASecure has certified ICS products against these standards and helped customers understand what the certifications mean. Suppliers of IIoT solutions should also be familiar with the Industrial Internet Consortium's (IIC) Industrial Internet Security Framework (IISF) and with the Open Web Application Security Project (OWASP), a forum for professionals who share information.

    And ultimately, customers should realize that it’s not enough to assume a vendor has done its job. Even if messaging is right, corners may have been cut. Customers should have their own resources on hand for regular testing and hardening of solutions over time.

    Put all of that in place and SDL becomes a vital tool for improving and communicating about security in IIoT deployments. Without it, we’ll just keep making the same mistakes over and over again.

    Learn More About Industrial Security at SecurityWeek’s ICS Cyber Security Conference


Jalal Bouhdada is Founder and Principal ICS Security Consultant for Applied Risk. He has over 15 years' experience in Industrial Control Systems (ICS) security assessment, design and deployment with a focus on Process Control Domain and Industrial IT Security. Jalal has led several engagements for major clients, including many of the top utilities in the world and some of the largest global companies in industry verticals including power generators, electricity transmission providers, water utilities, petrochemical plants and oil refineries. He holds a B.S. degree in Security Assurance from Amsterdam University of Applied Sciences and is an active member of the Industrial Internet Consortium (IIC), ISA99, NEN, CIGRE and other professional societies.

