Threat-driven security requirements development
In a world of changing threats, managing a product’s digital lifecycle requires continuous assessment of threats and risks to the development process and the end product, and mirroring identified security requirements against them. As product understanding grows, the requirements identified for the product and development process may prove to be qualitatively insufficient or lacking during the lifecycle. The threat landscape is also changing faster than before – the features that create cyber resilience today do not necessarily guarantee resilience tomorrow. Disruption, slowness or parallelism in the value chain of requirements easily increases development costs, as products of poor quality in terms of cyber resilience end up in production.
During the digital lifecycle of a product, information security requirements should flow efficiently to the left and right – from the conceptualisation phase through product development to production and vice versa. We can talk about a requirements value chain that involves different actors inside and outside the company during the product lifecycle. For example, a threat modelling workshop targeted at the value chain is an effective tool to ensure that the information security requirements of the product and the security features already in production correspond to the prevailing threat landscape.
In addition to threat modelling, systematic verification of product information security, for example through penetration testing, increases the certainty that cyber resilience is up to date. Threat modelling and penetration testing must be linked with development (DevSecOps) as a regular activity, and these are repeated at least when product versions are updated. As Gofore’s Harri Laukkanen wrote in his blog, a digital twin can be created in the production phase before the physical device is manufactured. This makes it possible to simulate production digitally in advance. Scenario-based security modeling in digital twins enables test product itself and validity of security requirements against the prevailing known threat landscape safely and without consequences from the physical world.
Read more about digital twin as a part of Digital Product Lifecycle
Impacts of EU regulation on product development
In recent years, the European Union has launched numerous regulatory projects aimed at rapidly improving cyber resilience and the implementation of risk and threat based development in different sectors. One of the key unifying factors for regulations is improving the ability to manage information security incidents and taking control of supply chain security.
In Finland, the national implementation of the Network and Information Security Directive (NIS2) aims to ensure a sufficient level of risk- and threat management activities in sectors classified as critical. In the current proposal, there will be a new law called “Act on Cyber Security Risk Management”. The impact of the upcoming law will extend to the value chains of critical entities, so the impacts will be wide ranging. On the other hand, the also upcoming Cyber Resilience Act (CRA) will set requirements for manufacturers of products with digital elements for the security of the development process and products. The Cyber Resilience Regulation will oblige manufacturers, among other things, to deliver security updates free of charge throughout the expected lifecycle of the product.
Continuous improvement and change
Companies already have the technology and know-how needed to use the digital product lifecycle, but implementing the change in traditional manufacturing organisations is challenging. The change is not only technological, but it also concerns the organisational model, the changing roles of employees and the change or combination of different development and manufacturing processes. Taking over the value chain of information security requirements is also a change that requires a systematic development approach and understanding and commitment of different actors and their roles. Defining ownership of the value chain is critical to making change management responsibility clear.
Now is a good time to think about how your company’s information security requirements are developed and maintained during the digital lifecycle of the product. Is the value chain of information security requirements managed? Do requirements flow in different directions in your day-to-day operations?
Even though the new requirements for cyber resilience that come with regulation are already knocking on the door, there is still time to make things right.
