Shlomi Ashkenazi and David Leichner recap the highlights of the past year and light the beacon for Product Security managers in 2023.
2022 has been an incredible year for the Product Security community. New regulations gained traction, software bills of materials (SBOMs) became ‘the bomb’, and the ramifications of Log4j and other vulnerabilities made it starkly clear that product security is a critical part of the organization.
This was the year that Product Security broke away from IT cybersecurity to become a division in its own right, with appropriate resources and budget. “Connected devices, control systems, PLCs are all front and center now,” says David Leichner, CMO of Cybellum, creators of the Product Security platform that focuses on allowing companies to secure connected products and comply with industry-specific regulations. “Asset owners are asking device manufacturers for detailed SBOMs of connected products that are everywhere in our society’s hospitals, critical infrastructure, and vehicles.”
Throughout the year, the hosts of Cybellum’s Left to Our Own Devices podcast, David and Shlomi Ashkenazi, Cybellum’s Head of Brand, interviewed 19 product security leaders and policymakers from around the globe and across industries. These are their takeaways:
The Highlights of 2022: UN Automotive Regulations and SBOMs
Starting July 2022, the United Nations Economic Commission for Europe’s (UNECE) WP.29 regulation on automotive cyber security (UN R155) became mandatory for all new vehicle types in the countries that apply it.
“This is the most comprehensive cybersecurity regulation for the automotive industry that has ever been implemented,” says David. “In 2024 the regulation will also apply to all vehicles produced in signatory countries, including EU, UK and Japan.” The result will be a massive redirection of resources by OEMs and automotive component manufacturers to detect, track and address vulnerabilities throughout their products’ lifecycle.
It is no wonder that interest in SBOMs has risen exponentially, emerging as a cross-industry effort. “SBOMs have transitioned from a nice to know framework, to something everyone is talking about,” explains Shlomi. “The medical field has been handling SBOMs for a while, and now automotive is adopting heavily, too. We are even seeing chip manufacturers implementing SBOM management workflows.”
If you’re interested in learning more about SBOMs, check out the mind-blowing episode with Allan Friedman from CISA, who is considered to be ‘THE SBOM rockstar’.
Moving Towards Trustworthiness, Transparency and Resilience
In 2022, regulatory bodies around the globe made clear that they view device vulnerabilities as a major threat to society. They invested time and effort in updating cyber requirements while working admirably with industry.
In early 2022, for example, the FDA released its updated draft guidance for cybersecurity in medical devices. In our podcast with Dr. Suzanne Schwartz of the FDA, she shared that the premarket guidelines are a living document which has indeed changed significantly.
“In fact, the original cyber security guidelines were 9 pages long in 2013. In contrast, the latest guidelines are 40 pages long (!) with underlying themes of trustworthiness, transparency and resilience,” notes David.
Dr. Schwartz mentioned at a recent conference that the FDA received some 1,200 comments on the document from stakeholders across the ecosystem and was working to address and incorporate them for the next rollout.
Despite the government’s desire to communicate with industry, however, one thing is clear: the responsibility for medical device security lies squarely with the manufacturers. Unless a manufacturer can show that the known vulnerabilities in a product have been identified and managed, with the documentation to prove it and the procedures to keep it that way, the FDA won’t hesitate to hold back approvals.
Outside the US, two new cyber regulations emerged that are worth keeping an eye on. “In the EU, a new Cyber Resilience Act was put forward [in September 2022] mandating the creation and management of SBOMs starting a few years from now,” says Shlomi. In China, a highly descriptive and detailed automotive regulation has just been released which, as Shlomi puts it, “seems like a step forward [from existing standards like ISO/SAE 21434]. It’s worth learning from them and applying to other cyber security workflows.”
3 Tips for Product Security Teams in 2023
To put things into perspective, consider that the CEO of Europe’s Zurich Insurance Group, Mario Greco, recently said cybersecurity could pose a larger threat to insurers than systemic issues like pandemics and climate change.
In that light, product security teams would be wise to heed advice from David and Shlomi:
- Integrate product security into the entire life-cycle, from design to post-market. Supply chain cybersecurity regulations will continue to expand, requiring manufacturers to source components from trusted suppliers and to verify those components with as much automation as possible.
- Go beyond SBOM ‘creation’ to SBOM ‘management’
Product security teams need to be able to manage the plethora of SBOMs that will be created. They have to be able to detect vulnerabilities, and “most importantly,” says David, “manage risk with the understanding of what the impact could be in the event of a cyber attack on their manufacturing organization.”
- Build effective PS-IRTs and automate
Product security incident response teams need to react very quickly to newly discovered vulnerabilities, mitigate risks, and limit damage in the event of an attack. “Automation is necessary to make this happen at scale,” emphasizes David, “we’re talking about thousands of components.”
If we’ve learnt anything from Log4j, it’s that automation and vulnerability management of products in-market are crucial. Although the vulnerability was disclosed in December 2021, the impact spread deep into 2022. “People realized they couldn’t answer simple questions like ‘What products are vulnerable? Which ones have been affected? What do I even have in my software?’” reminds Shlomi.
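To make the “which of our products are vulnerable?” question concrete, here is an added example (written for this recap, not code from Cybellum’s platform or the podcast guests) that queries a set of per-product SBOMs against one advisory. The product names, the CycloneDX-style SBOM contents and the simplified affected-version range are all constructed for illustration; the check is done on the package URL so that a differently named artifact (such as the legacy Log4j 1.x jar) is not mistaken for log4j-core, and a version string the parser cannot read is flagged for manual review rather than silently skipped.

```python
"""Added example: answer "which products ship a vulnerable component?"
by querying per-product SBOMs against one advisory.

Illustrative code written for this article, not Cybellum's platform code.
The SBOMs, product names and the simplified advisory range are constructed.
"""
import json
import re
from typing import Dict, List, Tuple

# Pre-release ordering: alpha < beta < rc < final release.
_PRE_RANK = {"alpha": 0, "beta": 1, "rc": 2}
_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:-(alpha|beta|rc)(\d*))?$")


def parse_version(text: str) -> Tuple[tuple, int, int]:
    """Turn '2.0-beta9' into a sortable key; raises ValueError if unrecognised."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    nums = tuple(int(p) for p in m.group(1).split("."))
    nums = nums + (0,) * (3 - len(nums))        # pad so that 2.15 == 2.15.0
    if m.group(2) is None:
        return (nums, 3, 0)                       # final release sorts last
    return (nums, _PRE_RANK[m.group(2)], int(m.group(3) or 0))


def is_affected(version: str, advisory: Dict[str, str]) -> bool:
    """introduced <= version < fixed, using the advisory's own version strings."""
    v = parse_version(version)
    return parse_version(advisory["introduced"]) <= v < parse_version(advisory["fixed"])


def find_affected(sboms: Dict[str, str], advisory: Dict[str, str]) -> Dict[str, list]:
    """Walk every SBOM; return affected (product, version) pairs plus the
    versions the parser could not read, which need a human to look at them."""
    affected: List[Tuple[str, str]] = []
    unparseable: List[Tuple[str, str]] = []
    prefix = advisory["purl_prefix"]
    for product, raw in sboms.items():
        bom = json.loads(raw)
        for comp in bom.get("components", []):
            purl = comp.get("purl", "")
            if not purl.startswith(prefix):       # purl match, not a bare name match
                continue
            version = comp.get("version") or purl[len(prefix):]
            try:
                if is_affected(version, advisory):
                    affected.append((product, version))
            except ValueError:
                unparseable.append((product, version))
    return {"affected": sorted(affected), "unparseable": sorted(unparseable)}


# Constructed CycloneDX-style SBOMs, one per in-market product, reduced to
# the fields this query reads. Product names are hypothetical.
def _bom(*components: dict) -> str:
    return json.dumps({"bomFormat": "CycloneDX", "specVersion": "1.4",
                       "components": list(components)})


def _maven(group: str, name: str, version: str) -> dict:
    return {"group": group, "name": name, "version": version,
            "purl": f"pkg:maven/{group}/{name}@{version}"}


SBOMS = {
    "infusion-pump-fw-3.2": _bom(
        _maven("org.apache.logging.log4j", "log4j-core", "2.14.1"),
        _maven("com.fasterxml.jackson.core", "jackson-databind", "2.13.0")),
    "telematics-gateway-1.9": _bom(
        _maven("org.apache.logging.log4j", "log4j-core", "2.17.1")),
    "plc-hmi-5.0": _bom(
        _maven("log4j", "log4j", "1.2.17")),          # Log4j 1.x: different purl, not matched
    "charger-backend-2.0": _bom(
        _maven("org.apache.logging.log4j", "log4j-core", "2.0-beta9")),
    "bad-bom-export": _bom(
        _maven("org.apache.logging.log4j", "log4j-core", "2.14.1-SNAPSHOT")),
}

# Simplified range for CVE-2021-44228: log4j-core 2.0-beta9 up to (not
# including) 2.15.0. The backported 2.12.2 / 2.3.1 fix releases are left out
# on purpose to keep the example short; a real feed would carry them.
ADVISORY = {
    "id": "CVE-2021-44228",
    "purl_prefix": "pkg:maven/org.apache.logging.log4j/log4j-core@",
    "introduced": "2.0-beta9",
    "fixed": "2.15.0",
}

if __name__ == "__main__":
    result = find_affected(SBOMS, ADVISORY)
    for product, version in result["affected"]:
        print(f"{ADVISORY['id']}: {product} ships log4j-core {version}")
    for product, version in result["unparseable"]:
        print(f"REVIEW: {product} lists log4j-core {version!r} (version not parseable)")
```

Run as-is, the script names the pump firmware and the charger backend as affected, leaves the 2.17.1 gateway and the Log4j 1.x HMI alone, and flags the SNAPSHOT build for review. Replace the inline dictionary with the SBOM files your build pipeline emits and the advisory with entries from a real vulnerability feed, and the same loop scales to thousands of components because nothing in it is product-specific.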
Chris Gates, who wrote the first book on cybersecurity for medical devices, said: “Every developer should be thinking ‘How secure are the devices I’m building and the components I’m shipping? How secure is this open source code?’” Expounding on that, David invites product security professionals to take stock and answer one question: “How can I best uncover vulnerabilities that potentially lie inside our products, mitigate risks and remediate quickly?”