Defined information security for the development of new products
Information security has become a mandatory design goal in the development of connected industrial products. IT and system security, secure M2M communication as well as the data connection in ERP or cloud applications have to be defined as product features. These properties have to be implemented in an economical way and maintained throughout the entire life cycle.
The emlix security workshop forms the basis for planning an effective implementation of information security for connected devices, machines and systems based on Linux or Android. It provides a framework for evaluating product risks and determining economically viable and practicable protective measures. The workshop also provides the basis for a fundamental definition of the system architecture and implementation measures.
Competitive advantages with a defined security level
Security features and security patches (patch management) throughout the entire life cycle are product features that customers demand. This offers the opportunity to gain competitive advantages through sustainable information security. To that end, it is essential not only to consider the corresponding properties in the product design stage and the planned usage context, but also to provide for the processes and mechanisms of security life cycle management.
Protection goals can include, for example, protection against manipulation and thus the availability of the device, the protection of personal or competition-relevant data (e.g. machine data), the intellectual property of the manufacturer, or the integrity of, for instance, sensor data. It is not uncommon for supplier declarations and IT compliance declarations to require an assurance that these objectives have been achieved. It is also possible that this has to be certified by audit reports (e.g. ISO 27001 or TISAX).
The primary goal of the emlix security requirements workshop is the development of a security strategy for a specific product (device under construction) and its usage context. This strategy is devised together with the customer’s development, product management, marketing and sales teams.
In the first stage of the workshop, the product’s IT system security requirements are analyzed. After an introduction to the device or system, the system’s assets that have to be protected (data, IP and/or functions) are assessed and their respective need for protection is determined. On that basis, attack scenarios and vectors are identified and basic protective measures are defined.
Important topics are for example:
- Introduction to the device under construction
- Security assessment of the device under construction
- Evaluation of attack scenarios for the product
- Selection and evaluation of protective measures
- System maintenance / security monitoring
- Evaluation of possible project risks
- Definition of cornerstones of the implementation strategy
Together with the customer’s team, possible protective measures for the defined assets are evaluated. The evaluation weighs each protective measure’s effectiveness, implementation effort, practicability and maintainability. Long-term economic and market-related aspects are also taken into account in this process. The aim is to define a technically valid and economically viable system security.
The technical solution tool kit includes simple ways of hardening at the operating system level and the corresponding authorization concepts. It also offers solutions for secure network integration, encryption, strict software separation and secure boot. The resulting rough architecture of the system forms the basis for implementing the security features and the necessary (additional) software components.
In this context, the implementation of processes required by almost all compliance guidelines should also be taken into account. In addition, the requirements and cycles for the security life cycle monitoring should be taken into consideration.
Finally, an implementation strategy with technology decisions and a prioritization of the various tasks can be outlined at a rough level. Possible risks in implementing the security features can also be identified and evaluated.
The outcome of the workshop is an initial plan of measures and architecture for developing a defined system security for your product. Furthermore, requirements and cycles for the security life cycle monitoring can be derived in order to maintain the security of the software components of the product.
If required, other topics such as the organization of patch and release management, production and update concepts as well as the implementation of certification requirements can be part of a customer-specific workshop agenda.
The workshop is aimed at project managers and developers. Given the strategic importance of the decisions to be made, it also addresses product managers and development managers.
With our security requirements workshop, you gain:
- A quick and product-specific overview of cyber security and economical protective measures
- Validly defined design goals and implementation instructions for the IT and system security
- Information for supplier declarations and supporting documents for cyber security as a strategic competitive advantage
- Quick access to decision-relevant practical know-how and the well-founded assessments of our experts
- Comprehensible and concrete proposals for improving the IT security of products under development in the long term
- Concrete technical advice for the architecture and hardening of products
- Product-specific criteria and properties for new products which can serve as a basis for marketing communication
In a preparatory phone call with you, we would like to agree on the initial situation, subject and objectives of the workshop. On that basis, we can quickly provide you with an individual quotation.
Phone +49 (0) 551 / 306 64 - 0
solutions [at] emlix.com
The emlix security monitoring supports you in the operation and maintenance phase of embedded Linux-based industrial products (industrial control systems, ICS) in maintaining a defined security status. We monitor information sources and evaluate possible risks in light of your product’s specific usage context. The emlix security monitoring gives you recommendations for security patches and updates on a monthly basis or ad hoc.