3 tips towards developing cybersecure products

If a product such as embedded electronics seems more like hardware than software, cybersecurity can easily be missed or belittled. If that happens, and the product is launched in the market, it is prone to be easy prey for cyberattacks. In the worst case, the product can be dangerous to its users.

“A common misconception is to simply develop a product first, and to perform a quick vulnerability test as the very last thing in the development process. Another misconception is to believe that the developers are highly skilled and will take cybersecurity into account automatically without any need to specify or demand anything”, says Mikko Lindström, Etteplan’s Director of Software Testing and Cybersecurity.

He urges companies to have cybersecurity on the table in all product development teams as early on as possible. If cybersecurity is shrinked into a last-phase test, the probability to find vulnerabilities is going to be very high.

“At that stage, it is quite possible that fixing would break everything else, or it would be difficult or very expensive. Fixing things early is much easier and cheaper. Early planning is most important and having people with cybersecurity expertise participate in the team”.

There is no need to aim at total cybersecurity. It is unrealistic and unnecessary. It is enough to make the product as difficult as possible for adversaries.

“Focus should be on lowering the risk level. Typical attackers are after money, certain information, personal fame, or looking for a way to hurt the brand. Make an intrusion attempt so complicated and time consuming that a potential attacker finds that the target is not worth the effort, and gives up, and finds some easier victim”, Mikko Lindström tells.

There are many good practices to follow for raising the level of security. Regarding the forthcoming regulation it is essential to check what the standards and regulations require. The IEC 62443 standard, and in particular its 4-series, include plenty of useful definitions worth knowing for developers.

“However, companies need to keep in mind that the standards don’t tell how to do things in practice. They need to figure out that by themselves”, says Toni Rosendahl, Cybersecurity Specialist at Etteplan.

According to Rosendahl, it should be natural to incorporate cybersecurity, when the product’s requirements are under consideration. A critical phase is the selection of hardware components and their inherent security features that differ from each other.

Modern electronics components run their own firmware that can include vulnerabilities well known to malicious actors. Developers must be aware of them and build controls to mitigate the risks.

“One example is to have an immutable root of trust in the component level with memory protections and different isolation levels. However, just having secure components will not do any good, if they are not used properly. It requires skills and experience to combine features to create a system with a secure architecture”, Rosendahl describes.

“Try to figure out what bad guys would do to your product. To achieve genuine scenarios, it is smart to have somebody with an offensive posture in the team”, says Donny Werner, a cybersecurity expert at Etteplan.

He points out that a typical approach in cybersecurity is too narrow: it is limited to the way the product is intended to be used. For instance, developers may fail to realize that the Wi-Fi connectivity in a product’s peripheral can be used by intruders as an access point to achieve critical access on a main unit.

“Attackers only want to break the products without any limits in the mindset. Security testers should try the same equipped with analytical out-of-the-box thinking. A good approach is not to know how to use the product”, Werner says.