Cybersecurity Archives - Jama Software (Jama Connect® #1 in Requirements Management), feed updated Thu, 11 Sep 2025 17:07:04 +0000

Navigating IEC 62443: Strengthening Cybersecurity in Industrial Automation & Control Systems
https://www.jamasoftware.com/blog/navigating-iec-62443-strengthening-cybersecurity-in-industrial-automation-control-systems/
Wed, 21 May 2025 10:00:33 +0000

In this blog, we recap our recent eBook, “Navigating IEC 62443: Strengthening Cybersecurity in Industrial Automation & Control Systems.”

Navigating IEC 62443: Strengthening Cybersecurity in Industrial Automation & Control Systems

Understanding IEC 62443

IEC 62443 is a comprehensive set of standards aimed at securing Industrial Automation and Control Systems (IACS) against cybersecurity threats. It provides guidelines for designing, implementing, and maintaining secure industrial automation systems, ensuring the integrity, availability, and confidentiality of these critical infrastructures.

Structure

This IEC series is organized into several parts, each focusing on different aspects of IACS security:

  1. General: Introduces fundamental concepts, models, and terminology related to security.
  2. Policies and Procedures: Focuses on establishing and managing security programs.
  3. Components and Requirements: Specifies technical security requirements for IACS components and secure product development practices.
  4. Profiles: Defines industry-specific cybersecurity requirements and provides a structured approach to implementing measures based on cybersecurity profiles.
  5. Evaluation: Describes assessment methodologies to ensure consistent and reproducible evaluation results concerning the requirements of individual parts.

Key Components

  1. IEC 62443-1-1: Covers terminology, concepts, and models, laying the foundation for understanding the standards.
  2. IEC 62443-2-1: Provides guidance on establishing security programs for asset owners, aligning with standards like ISO/IEC 27001.
  3. IEC 62443-3-3: Specifies system security requirements and security levels, detailing technical requirements for systems.
  4. IEC 62443-4-1: Focuses on secure product development lifecycle requirements, outlining how to develop secure products.
  5. IEC 62443-4-2: Defines technical security requirements for IACS components, ensuring components meet specific security standards.

Recent Developments

This IEC series is continually evolving to address emerging cybersecurity challenges. Recent updates include:

  1. IEC 62443-1-5: Introduced in September 2023, this technical specification outlines the scheme for IEC 62443 security profiles, providing a structured approach to implementing cybersecurity measures based on defined profiles.
  2. IEC 62443-2-1: The second edition, released in August 2024, updates the security program requirements for IACS asset owners, aligning with evolving industry practices and emerging threats.
  3. IEC 62443-2-4: The second edition, published in December 2023, revises the requirements for IACS service providers, ensuring that integrators meet current cybersecurity capabilities across various domains.
  4. IEC 62443-6-1: Released in March 2024, this technical specification introduces a security evaluation methodology for IEC 62443-2-4, aiming to ensure consistent and reproducible assessment results.

Impact on Industrial Automation

This standard has a significant impact on industrial automation by establishing a structured framework for cybersecurity in industrial control systems (ICS) and operational technology (OT) environments. Here’s how it influences the industry:

  1. Enhances Cybersecurity in Industrial Automation: IEC 62443 provides comprehensive guidelines to protect industrial networks, control systems, and automation components from cyber threats. It helps in mitigating risks associated with unauthorized access, malware attacks, and insider threats.
  2. Establishes a Risk-Based Approach: The standard encourages risk assessment and mitigation strategies based on the specific threats and vulnerabilities of an automation system. This ensures tailored security measures rather than a one-size-fits-all approach.
  3. Defines Roles & Responsibilities: IEC 62443 categorizes the responsibilities of different stakeholders in industrial automation, including:
    1. Asset owners (e.g., manufacturing plants, energy companies)
    2. System integrators (those designing and configuring industrial systems)
    3. Product suppliers (hardware and software vendors)
    Each entity must implement security controls based on its role in the automation system.
  4. Promotes Secure System Development & Lifecycle Management: The standard provides guidance on secure development, configuration, and maintenance of industrial automation components, ensuring security is embedded from design to decommissioning.
  5. Improves Compliance & Regulatory Alignment: Many governments and industries are aligning cybersecurity regulations with IEC 62443, making it essential for organizations to adopt the standard to stay compliant with industry best practices and legal requirements.
  6. Encourages Interoperability & Secure Communication: By enforcing secure communication protocols and access controls, IEC 62443 ensures that automation systems can safely interact with IT networks, cloud services, and IIoT (Industrial Internet of Things) applications without compromising security.
  7. Supports Business Continuity & Resilience: A strong cybersecurity framework reduces downtime caused by cyber incidents, ensuring uninterrupted industrial operations and minimizing financial losses.

THIS HAS BEEN A PREVIEW – TO READ THIS EBOOK IN ITS ENTIRETY, VISIT:
Navigating IEC 62443: Strengthening Cybersecurity in Industrial Automation & Control Systems


Cybersecurity in Unregulated Industries: Proactive Strategies for Mitigating Risk
https://www.jamasoftware.com/blog/cybersecurity-in-unregulated-industries-proactive-strategies-for-mitigating-risk/
Tue, 01 Apr 2025 10:00:33 +0000

Cybersecurity in Unregulated Industries: Proactive Strategies for Mitigating Risk

In today’s modern, digital landscape, cybersecurity threats are not limited to heavily regulated industries like aerospace, automotive, and medical devices. While government mandates drive compliance in regulated sectors, industries without strict cybersecurity oversight for specific products — such as consumer electronics, financial services, insurance, industrial manufacturing, and software development — are increasingly taking proactive steps to address cybersecurity risks. With cyberattacks growing in frequency and sophistication, companies in these industries must prioritize security to protect intellectual property, maintain customer trust, and prevent costly disruptions.

Cybersecurity Challenges in Unregulated Industries

Unlike regulated markets, where adherence to standards such as ISO 21434 (for automotive) or DO-326A (for Aerospace & Defense) is required, many industries operate without formal cybersecurity frameworks. However, recent high-profile breaches have underscored the need for stronger security measures:

  • Consumer Electronics: A leading smart home device manufacturer recently faced scrutiny after vulnerabilities in its IoT ecosystem allowed hackers to access users’ security cameras. Without strict regulatory oversight, companies must self-impose cybersecurity best practices to safeguard consumer data.
  • Industrial Manufacturing: A ransomware attack on a global industrial equipment provider disrupted production lines and resulted in significant financial losses. As manufacturers embrace Industry 4.0 and connected systems, cybersecurity must become a core consideration.
  • Software Development: Open-source software dependencies have become a major target for cybercriminals. The recent exploitation of a widely used software library demonstrated how vulnerabilities in third-party components can create widespread security risks.
  • Insurance: A major insurance provider suffered a data breach when cybercriminals exploited weaknesses in its cloud-based claims processing system. The breach exposed sensitive policyholder information, including Social Security numbers and financial details, highlighting the need for robust encryption and access controls in an industry handling vast amounts of personal data.
  • Financial Services: A global investment firm fell victim to a sophisticated phishing attack that compromised employee login credentials, allowing attackers to execute fraudulent transactions. As financial institutions increasingly rely on digital banking and AI-driven trading, strengthening identity verification and fraud detection measures is critical to mitigating cybersecurity threats.

Even without formal regulations, companies in these industries recognize that cybersecurity is a business imperative – and also crucial to remaining trusted and respected in the market. Many are implementing best practices, such as adopting secure development methodologies, integrating threat modeling, and enhancing collaboration between security and development teams.

How Jama Connect® Supports Cybersecurity in Unregulated Industries

While unregulated industries may not face the same compliance pressures as sectors like automotive, medical devices, or aerospace & defense, they still need robust cybersecurity risk management. Jama Connect provides the tools necessary to build a strong cybersecurity foundation by:

  • Embedding Security into Development Processes: Jama Connect enables teams to integrate cybersecurity considerations throughout product, project, and program development, ensuring that security is addressed from the earliest stages.
  • Enhancing Collaboration and Risk Visibility: With real-time collaboration and traceability, teams can proactively identify, assess, and mitigate security risks before they escalate.
  • Facilitating Secure Software Development: By providing structured frameworks for security requirements and risk assessments, Jama Connect helps organizations adopt secure coding practices and threat modeling techniques.
  • Supporting Industry-Specific Best Practices: Even without formal regulatory requirements, Jama Connect allows organizations to implement cybersecurity frameworks aligned with industry standards such as the NIST Cybersecurity Framework and a Secure Software Development Lifecycle (SSDLC).

As cyber threats continue to evolve, companies in unregulated industries must take proactive steps to secure their products and operations. By leveraging Jama Connect, organizations can establish a structured, security-first approach that reduces vulnerabilities and builds resilience against emerging cyber risks.

Want to learn about how to mitigate cybersecurity risks in regulated markets? Check out this blog post.

Note: This article was drafted with the aid of AI. Additional content, edits for accuracy, and industry expertise by Mario Maldari, Brian Morrisroe, and Kenzie Ingram.

Strengthening Cybersecurity in Regulated Markets: How Jama Connect® Enhances Risk Management in Product Development
https://www.jamasoftware.com/blog/strengthening-cybersecurity-in-regulated-markets-how-jama-connect-enhances-risk-management-in-product-development/
Thu, 13 Mar 2025 10:00:22 +0000

Strengthening Cybersecurity in Regulated Markets: How Jama Connect® Enhances Risk Management in Product Development

Discover how Jama Connect® empowers product development teams in regulated markets like aerospace, automotive, and medical devices to integrate cybersecurity and safety risk management with requirements management.

In today’s connected world, cybersecurity is a critical concern for product development in regulated markets. According to a recent report by Cybersecurity Ventures, cybercrime is predicted to cost the world $10.5 trillion annually by 2025, underscoring the growing risks facing industries that rely on connected products.

As products become increasingly software-driven and connected, they present new vulnerabilities that require robust security measures. Industries such as aerospace, automotive, and medical devices must navigate complex cybersecurity regulations to protect sensitive data, ensure product safety, and maintain compliance with evolving standards. Failure to address cybersecurity risks not only jeopardizes user safety but can also lead to costly delays, recalls, regulatory penalties, and reputational damage.

The Importance of Cybersecurity in Regulated Markets

Regulated markets operate under strict guidelines to protect data, ensure operational integrity, and maintain public trust. Cybersecurity compliance involves adhering to laws, standards, and regulatory requirements established by governments and industry authorities to safeguard digital information and systems from threats like unauthorized access, data breaches, and cyberattacks.

Recent incidents underscore the urgency of robust cybersecurity measures:

  • Medical Devices: The U.S. Food and Drug Administration (FDA) issued updated guidance requiring medical device manufacturers to submit cybersecurity plans as part of their premarket submissions. This move follows increasing concerns about vulnerabilities in connected medical devices that could jeopardize patient safety and data security.
  • Automotive Industry: A notable cybersecurity breach involving a major automaker demonstrated how connected vehicles can be remotely accessed and controlled. This incident has accelerated the push for stricter compliance with ISO 21434, the international standard for automotive cybersecurity risk management.
  • Aerospace & Defense: Cyberattacks targeting defense contractors have highlighted the need for stringent cybersecurity protocols. The implementation of DO-326A and other cybersecurity standards is becoming increasingly critical to protect sensitive information and ensure the safety of airborne systems.

Jama Software’s Approach to Cybersecurity in Regulated Markets

Jama Software recognizes the critical importance of cybersecurity in regulated industries and has integrated out-of-the-box cybersecurity risk management capabilities into its industry-specific frameworks for Jama Connect. This integration facilitates a proactive approach to cybersecurity across various sectors, including airborne systems, automotive, and medical devices.

Aerospace & Defense

Aircraft, system, and subsystem manufacturers and their suppliers benefit from a customizable solution with a robust REST API aligning all cybersecurity activity with an integrated DevSecOps CI/CD pipeline, easy collaboration and reviews involving internal and external teams, and customizable reports to demonstrate compliance with the “Airworthiness Security Process Specification” (DO-326A). Jama Connect for Airborne Systems provides a framework to identify potential cyber threats, assess vulnerabilities, and implement security measures.

Automotive Industry

The shift towards software-defined vehicles has introduced new cybersecurity challenges. Jama Connect for Automotive offers OEMs and suppliers the capability to develop necessary work products that comply with ISO 21434 for cybersecurity management. It offers comprehensive cybersecurity diagnostics including Threat Analysis and Risk Assessment (TARA) templates and reports, as well as case management, progress monitoring, and reporting features to demonstrate compliance. By facilitating collaborative planning, validation, and alignment, it reduces risks through enhanced collaboration among specialized teams, removes guesswork from threat analysis, and accelerates project launches through efficient reuse of components.

Medical Device Industry

For medical device manufacturers, managing cybersecurity risk under standards like ANSI/AAMI SW96:2023 is complex. Jama Connect for Medical Devices harmonizes cybersecurity and safety risk management, simplifying complex risk evaluations and accelerating responses to threats. This integration reduces complexity, increases efficiency in managing risks, and ensures comprehensive documentation of traceability, which is crucial for regulatory compliance and patient safety. By embedding cybersecurity risk management into its industry-specific frameworks for Jama Connect, Jama Software enables organizations to build cybersecurity risk management into their product development processes. The result is efficient and proactive identification, evaluation, and mitigation of cybersecurity risks, compliance with regulatory standards, and an enhanced overall security posture for their products.

As cybersecurity threats continue to evolve, regulated industries must take proactive steps to safeguard their products, data, and users. The growing complexity of cybersecurity regulations highlights the need for robust risk management frameworks that integrate security into every stage of the product development lifecycle. By leveraging Jama Connect’s industry-specific cybersecurity capabilities, organizations can streamline compliance efforts, enhance collaboration, and mitigate risks more effectively. Investing in secure-by-design practices today ensures a safer and more resilient future for the products and industries that shape our world.

Note: This article was drafted with the aid of AI. Additional content, edits for accuracy, and industry expertise by Mario Maldari and McKenzie Jonsson.

With Hacks on the Rise, Manufacturers Hone Their Cybersecurity Smarts
https://www.jamasoftware.com/blog/with-hacks-on-the-rise-manufacturers-hone-their-cybersecurity-smarts/
Thu, 23 Jan 2025 11:00:57 +0000

Jama Software is always looking for news that would benefit and inform our industry partners. As such, we’ve curated a series of customer and industry spotlight articles that we found insightful. In this blog post, we share an article from IndustryWeek, titled “With Hacks on the Rise, Manufacturers Hone Their Cybersecurity Smarts”, written by Stephen Gold.

With Hacks on the Rise, Manufacturers Hone Their Cybersecurity Smarts

Cyber-maturity is finally catching up to digital transformation, a new Manufacturers Alliance study finds.

A chief information security officer, a chief information officer and a chief manufacturing officer walk into a bar. Unfortunately, this isn’t the opening line of a joke – they’re in the bar because they need a stiff drink. These are harrowing times for manufacturing professionals who, in an era of Industry 4.0, are trying to integrate their information technology and operational technology while defending against the dramatically rising threat of cyber criminals.

It’s not like they have a choice on whether to integrate their IT with OT such as machine automation, industrial control systems (ICS), robotics, programmable logic controllers (PLCs) and building management systems (BMS). Successful IT/OT collaboration is critical to modern manufacturers’ digital strategies. Unfortunately, it’s also the portal where cyber criminals gain entry to the lifeblood of the company: factory operations.

In fact, IBM’s X-Force Threat Intelligence reported that in 2021, manufacturing surpassed finance and insurance as the top targeted sector of cyber bad actors. Today, 1 out of every 4 cyber-attacks on businesses is against a manufacturer. And no wonder: Despite FBI guidance, manufacturers pay the requested ransom more often than other industries – and at typically higher rates.

The biggest challenge? Cybercriminals with a track record of innovation set the pace of change. But manufacturers aren’t simply circling the wagons. Just the opposite – they’re meeting the challenge head on.

Catching Up Quickly

Manufacturers Alliance partnered with Fortinet recently to update a joint 2020 study on IT/OT convergence. They found that American manufacturers’ level of cyber maturity is catching up to their accelerated pace of digital transformation. This is vital because, while financial extortion related to data theft is a serious risk, infiltration of operating systems with the intent to sabotage or even shut them down poses an existential threat to manufacturers. (The cyber-attack on Clorox this August, which paralyzed manufacturing operations for weeks and led to shortages of Clorox products in stores across the country, is the most recent poster child for the risk that factories face.)

The Alliance-Fortinet survey of 155 U.S.-based mid-cap to large-cap industrial companies showed that a growing percentage of manufacturers are well on their journey with advanced anti-cybercrime programs and policies yielding impressive results. That journey, of course, starts with a large dose of reality. When asked to rank cybersecurity as a business risk, 80% put it in the top five, 10 percentage points higher than three years ago. And no wonder: that same percentage experienced at least one breach resulting in unauthorized access to data in the previous 12 months.

Thirty-six percent of respondents fell victim to a ransomware attack, up from 23% in our 2020 survey. And more specifically, the impact of OT breaches has significantly increased over the past three years. While 43% of manufacturers in both 2020 and 2023 said they experienced cybersecurity-related operational outages affecting productivity –

  • 29% saw operational outages that affected revenue in 2023, a jump of 10 percentage points from 2020
  • 26% saw a loss of business-critical data, 14 percentage points higher than in 2020
  • 21% experienced a loss of IP, a jump of 10 percentage points in three years

So, how can manufacturers come out ahead of cybercriminals? Strategies are changing quickly. For starters, more than 90% of manufacturers say they’re focused on implementing new solutions to address risks specifically affecting OT, more than twice the percentage of just three years ago. Roughly the same percentage of manufacturers are now subjecting OT equipment to IT or cyber review prior to procurement. Among that group, many are deploying network access controls, including quarantining new devices until approved by the internal cyber team.

Finding Cybersecurity Talent Is Tough

Even with growing sophistication on managing OT threats, manufacturers face one primary obstacle to ultimate success: finding in-house expertise to oversee the cyber threat, a high hurdle considering the broader skilled talent shortage being experienced. In our recent survey, roughly 8 out of 10 manufacturers pointed to scarcity of talent and expertise as a key barrier to effective breach response within the last year.

Of course, manufacturers are in the business of making stuff, not securing networks. So given the scope of OT cybersecurity, from vetting new equipment to responding to breaches, fewer than 10% of companies handle all aspects with in-house resources. Two-thirds combine in-house and external expertise, and about 20% rely on third-party service providers for most of their security needs.

Remember the CIO, CISO and chief manufacturing officer walking into a bar? A decade ago they would never have been seen together. Today, their collaboration, and the smooth and rapid integration of IT and OT, is the key to a successful and safe implementation of Industry 4.0.

Understanding UN155 and Its Impact on Cybersecurity Management
https://www.jamasoftware.com/blog/understanding-un155-and-its-impact-on-cybersecurity-management/
Tue, 20 Aug 2024 10:00:22 +0000
Understanding UN155 and Its Impact on Cybersecurity Management

In the ever-evolving landscape of cybersecurity, staying ahead of emerging threats and regulations is crucial for organizations worldwide. One such regulatory framework making waves in the cybersecurity community is UN155. This post aims to shed light on UN155 and its significance in cybersecurity management.

What is UN155?

UN155 is a regulatory framework established by the United Nations to enhance cybersecurity practices across various sectors. The framework sets forth comprehensive guidelines and standards for organizations to protect their information systems, data, and infrastructure from cyber threats. It emphasizes a proactive approach to cybersecurity, encouraging organizations to implement robust security measures and continuously monitor and adapt to the evolving threat landscape.

Key Components of UN155

UN155 encompasses several critical components designed to strengthen cybersecurity management:

  1. Risk Assessment and Management: Organizations are required to conduct regular risk assessments to identify potential vulnerabilities and threats. This involves evaluating the likelihood and impact of various cyber risks and implementing appropriate mitigation strategies.
  2. Incident Response and Reporting: UN155 mandates the establishment of incident response plans to swiftly address and mitigate cybersecurity incidents. Organizations must also report significant incidents to relevant authorities, ensuring transparency and accountability.
  3. Data Protection and Privacy: Protecting sensitive data is a cornerstone of UN155. Organizations must implement stringent data protection measures, including encryption, access controls, and data minimization, to safeguard personal and sensitive information.
  4. Continuous Monitoring and Improvement: UN155 emphasizes the importance of continuous monitoring and improvement of cybersecurity practices. Organizations are encouraged to regularly review and update their security measures in response to new threats and vulnerabilities.
  5. Training and Awareness: Educating employees about cybersecurity risks and best practices is crucial. UN155 requires organizations to conduct regular training and awareness programs to ensure that staff members are equipped to recognize and respond to cyber threats.

The Impact of UN155 on Cybersecurity Management

The implementation of UN155 has significant implications for cybersecurity management:

  1. Enhanced Security Posture: By adhering to the guidelines set forth by UN155, organizations can significantly enhance their security posture. Proactive risk assessments, robust incident response plans, and continuous monitoring contribute to a more resilient cybersecurity framework.
  2. Regulatory Compliance: Compliance with UN155 is not just a best practice; it is often a legal requirement. Organizations that fail to comply with the framework may face legal penalties, reputational damage, and financial losses.
  3. Improved Incident Response: With established incident response plans, organizations can respond more effectively to cybersecurity incidents. This minimizes the impact of breaches and ensures a quicker recovery, reducing downtime and financial losses.
  4. Increased Stakeholder Confidence: Demonstrating compliance with UN155 can enhance stakeholder confidence. Clients, partners, and investors are more likely to trust organizations that prioritize cybersecurity and adhere to recognized standards.
  5. Global Harmonization: UN155 promotes a standardized approach to cybersecurity, fostering global harmonization of security practices. This is particularly important for multinational organizations operating in diverse regulatory environments.

UN155 represents a significant step forward in the global effort to enhance cybersecurity management. By adopting the framework’s guidelines and principles, organizations can bolster their defenses against cyber threats, ensure regulatory compliance, and build trust with stakeholders. As the cybersecurity landscape continues to evolve, frameworks like UN155 play a pivotal role in shaping a secure and resilient digital future.

Note: This article was drafted with the aid of AI. Additional content, edits for accuracy, and industry expertise by McKenzie Jonsson and Matt Mickle.

Cyberattacks: Safeguarding Contractors
https://www.jamasoftware.com/blog/cyberattacks-safeguarding-contractors/
Tue, 30 Jul 2024 10:00:10 +0000

Jama Software is always looking for news that would benefit and inform our industry partners. As such, we’ve curated a series of customer and industry spotlight articles that we found insightful. In this blog post, we share an article, sourced from AECMagazine, titled “Cyberattacks: safeguarding contractors” – originally published on May 22, 2024, and written by Ben Wallbank.

Cyberattacks: Safeguarding Contractors

It’s every construction firm’s biggest nightmare: criminals taking control of their data and holding them to ransom. Ben Wallbank, Trimble, shares some best practices to mitigate cyberattacks.

Cybersecurity and cybercrime often conjure up images of hackers in dark hoodies, sneaking in the digital back door. In reality, nearly 90% of corporate cybercrime, such as phishing or ransomware attacks, is a result of employee error.

The UK construction industry is no exception and could be an even greater target than other industries. Protecting massive amounts of data, including warranty and latent defect remediation periods, makes contractors attractive to cyber criminals. Cybersecurity is so crucial to construction that the National Cyber Security Centre produced a construction industry-specific guide, along with the Chartered Institute of Building (CIOB).

Cybercriminals who target the construction industry usually do so by accessing, copying, and sharing data illegally or by installing malware on a company’s computers and network, taking control of files, and holding them for ransom. It’s called ransomware, and it’s probably the most common and one of the most debilitating types of cybersecurity breaches in the construction world.

Each year, we hear of new cyberattacks, taking critical infrastructure offline and crippling construction businesses worldwide, including many here in Europe. These attacks cost billions of pounds a year and can cause whole cities, businesses, and services to grind to a halt.

UK contractors should follow these best practices to safeguard against cyberattacks and improve outcomes in case of an attack.

Create a business continuity plan

Preparing for the worst puts your business in the best position moving forward because you can act quickly and have more control of the outcome. A solid cyber security disaster plan can get quite detailed. It should be consistently reviewed, practiced, and updated to net the best results in case of an incident. At a minimum, a business continuity plan should include the following:

  • The name of a leader who will act as a central resource to manage disaster recovery across multiple departments.
  • A communication plan for sharing key messages and managing crises with employees, clients, and additional project stakeholders.
  • A maintenance plan for a continually updated (and backed up) list of employee contact information and asset inventory.

RELATED: Six Key Challenges in the Architecture, Engineering, Construction, and Operations (AECO) Industry and How to Solve Them with Jama Connect®


Back up all data

A crucial aspect of any good cybersecurity plan is to make sure that everything is backed up, preferably in the cloud or on an offsite server that is not on your network. Backups should be frequent and automated, so ask your IT provider to set them up so that they either happen in real time (if you’re backing up to the cloud) or run daily after everyone has left the office.

Secure mobile devices

Mobile devices are more challenging to secure than other data systems, but just as critical. Using an enterprise management platform, such as Cisco Meraki, lets you maintain enterprise-level control over all of your devices. These platforms keep individual devices under central management, so contractors can limit software installation, track devices using GPS, disable devices, and more.

Protect software and servers

When it comes to software and security risks in construction, contractors should choose platforms and software providers that take security seriously. Granular permissions, user-friendly management systems, and multi-factor authentication, for instance, are all must-haves in any construction software.

By using cloud-based, connected construction software, contractors shift responsibility for maintaining servers, ensuring SOC 2 Type II compliance, and backing up and storing data to the software vendor. Project and business data backups happen automatically, providing daily protection, with the cost often included in or rolled into users’ subscription fees. New software features and security functionality are also rolled out automatically.

By coupling backups with cybersecurity protections, cloud vendors use the latest technologies to thwart cybercriminals and provide a level of protection not otherwise achievable through in-house backups. When shopping for business software, make security one of your first discussion points.

Additionally, your web and email servers need to be properly protected to avoid online attacks. Physical network servers need to be secured, and you need to ensure that any cloud-based solutions you’re using also implement rigorous security protocols.


RELATED: Jama Connect® Amazon Web Service (AWS) GovCloud US Hosting


Ensure employee buy-in

Cybersecurity protection in construction requires every employee at every level to be fully engaged and actively vigilant. There are several steps to take to make that happen:

  • Ensure all employees receive regular cybersecurity training, especially if online workflows or procedures change.
  • Welcome feedback from team members and update cybersecurity policies and processes as needed.
  • Counsel employees on everyday checks to perform before opening an email: look for spelling and grammar errors, verify the sender’s email address, and never open unexpected attachments.

Take the first step: get started

The most important step is the first one. The UK government offers two certifications – Cyber Essentials and Cyber Essentials Plus – that are crash courses in the basics to keep businesses safer from cybercrime. While they don’t replace a cybersecurity risk assessment, they will show you how to do one and how to select the security measures your business needs.

Anywhere your data is stored or used is a potential entry point into your company’s digital existence. It only takes one slip to allow malicious code or ransomware in, and once it’s there, it can cause millions of pounds worth of damage.

Expert Perspectives: A Deep Dive Into Risk Management and Designing for Cybersecurity & Patient Safety https://www.jamasoftware.com/blog/expert-perspectives-a-deep-dive-into-risk-management-and-designing-for-cybersecurity-patient-safety/ Tue, 16 Jul 2024 10:00:51 +0000 https://www.jamasoftware.com/?p=77716

In this blog, we recap our webinar, “Expert Perspectives: A Deep Dive Into Risk Management and Designing for Cybersecurity & Patient Safety” – Click HERE to watch it in its entirety.


Expert Perspectives: A Deep Dive Into Risk Management and Designing for Cybersecurity & Patient Safety

Welcome to our Expert Perspectives Series, where we showcase insights from leading experts in complex product, systems, and software development. Covering industries from medical devices to aerospace and defense, we feature thought leaders who are shaping the future of their fields.

With more than 30 years of experience and a mission to elevate knowledge and proficiency in medical device risk management, Bijan Elahi has worked with both startups and some of the largest medical device companies worldwide.

In this presentation on Risk Management and Designing for Cybersecurity & Patient Safety, Bijan covers:

  • Significance of a comprehensive risk management approach, including safety & security, for medical devices
  • Interfaces between safety and security risk management processes, and how they interact/complement each other
  • Upcoming industry trends that impact risk management (safety, security), such as AI/ML, the rise in connected devices, and wearable devices

Below is a preview of our webinar. Click HERE to watch it in its entirety.

The following is an abbreviated transcript of our webinar.

Kenzie Jonsson: Welcome to our Expert Perspective series where we showcase insights from leading experts in complex product, systems, and software development. Covering industries from medical devices to aerospace and defense, we feature thought leaders who are shaping the future of their fields. I’m Kenzie, your host, and today I’m excited to welcome Bijan Elahi, a world-renowned expert on safety risk management for medical technology. With more than 30 years of experience and the mission to elevate knowledge and proficiency in medical device risk management, Bijan has worked with both startups and some of the world’s largest medical device companies. Without further ado, I’d like to welcome Bijan, who’ll be presenting on risk management and designing for cybersecurity and patient safety.

Bijan Elahi: Hello. My name is Bijan Elahi. I’m delighted to be speaking to you about cybersecurity and medical device risk management. Before I start, I’ll briefly introduce myself. I am a technical fellow, a professor, and the founder of MedTech Safety, an education and advisory company. To give you a little background about myself, I come from the industry and have been a medical device product developer for most of my career. Most of the products that I have developed have been class III implantable devices such as pacemakers, defibrillators, and deep brain stimulators. Now I’ve also developed a kidney dialysis system, which includes disposables. I’m based in Florida, but I teach and advise worldwide. Risk management is my passion. I have trained over 10,000 individuals worldwide in the latest knowledge and best practices in risk management.


RELATED: Jama Connect® for Medical Device & Life Sciences Development Datasheet


Elahi: The companies that have benefited from my training range from small start-ups to the largest MedTech companies in the world. And here’s the sampling. I am also active in academia, for example, at Delft University of Technology and Eindhoven University of Technology in the Netherlands where I teach a graduate course to doctoral students in engineering. I am also an affiliate professor at Drexel University Graduate School of Biomedical Engineering and Health Science, where I teach safety risk management for medical devices. And lastly, I’m a contributor to the standard ISO 14971, and the author of two very popular books on medical device risk management published by Elsevier Publishing in the UK under the label of Academic Press. My publisher tells me that my books are bestsellers in the genre of medical books for them, and they’re available at all major booksellers such as Amazon.

So now let’s talk about cybersecurity and safety risk management. The threat of cybersecurity on medical devices is a rising concern as there’s an ever-increasing interconnectivity, interoperability, and reliance on digital technologies. Medical devices such as pacemakers, insulin pumps, and imaging systems often contain sensitive patient data and are integral to patient care. Cyber attacks on these devices can lead to severe consequences, including tampering with the device functions, unauthorized access to patient information, and destruction of critical healthcare services. The potential for harm is significant. For example, incorrect diagnosis, treatment delays, or even direct physical harm to patients. As cyber threats become more sophisticated, we need robust security measures, smart designs, and continuous monitoring to protect these vital components of modern healthcare systems. The safety impact of cybersecurity exploits must be considered in the overall residual safety risk of medical devices.

Safety risk management is distinguished from cybersecurity risk management. Safety risk management is primarily concerned with the safety of patients, users, and the performance of medical devices. This involves identifying, evaluating, and controlling the risks of harm to patients or users due to device malfunctions, use errors, or adverse interactions with the human body. The focus is on ensuring that the device functions safely and effectively under normal and fault conditions. On the other hand, cybersecurity risk management is focused on protecting the device and its data from malicious cyber-attacks and unauthorized access, which may have nothing to do with safety. Many hospital systems are currently under ransomware attacks with the intention of financial exploitation. Security risk management involves implementing measures to protect the data confidentiality, integrity, and availability of healthcare systems. Although these topics are distinct, there is an overlap between them.


RELATED: Mastering ISO/IEC 27001: A Guide to Information Security Management


Elahi: As mentioned before, there are different exploits that cyber attackers seek. Some are not safety-related. For example, private patient data, software codes or algorithms, financial data, money, et cetera. A famous example is the WannaCry cyber attack, which unfolded in May of 2017 causing widespread disruption across the globe. It all started on the 12th of May 2017 when many organizations began to notice that their computer systems were being encrypted and locked by ransomware demanding payment in Bitcoin to unlock them. The ransomware known as WannaCry exploited a vulnerability in Microsoft Windows. The attack affected hundreds of thousands of computers in over 150 countries. Major organizations and institutions were hit, including the UK’s National Health Service, also known as NHS, FedEx, and many others. The impact on the NHS was particularly severe because medical staff were unable to access patient records leading to significant disruptions in healthcare services.

As you can see, this was a cyber attack with the intention of financial exploitation, but it ended up having a patient safety impact as well. A comprehensive risk management strategy for medical devices must integrate both safety and security measures. This ensures not only that devices are safe from operational risks, but also that they are protected against growing threats of cyber attacks, thereby safeguarding patient health and data integrity in a holistic manner. An interesting side note to the WannaCry story is that this vulnerability was known by Microsoft and they had released a security patch in March of 2017, two months before the cyber attack, but many hospitals and organizations had not applied the patch and remained vulnerable. This is a common issue even today, and many medical devices and healthcare systems remain vulnerable despite the available protections.


CLICK HERE TO WATCH THIS WEBINAR IN ITS ENTIRETY:
Expert Perspectives: A Deep Dive Into Risk Management and Designing for Cybersecurity & Patient Safety


How to Manage Cybersecurity in Jama Connect® for Automotive and Semiconductor Industries https://www.jamasoftware.com/blog/how-to-manage-cybersecurity-in-jama-connect-for-automotive-and-semiconductor-industries/ Tue, 09 Jul 2024 10:00:50 +0000 https://www.jamasoftware.com/?p=77671

In this blog post, we summarize our Whitepaper titled “How to Manage Cybersecurity in Jama Connect® for Automotive and Semiconductor Industries” – Written by Kevin Dibble and Jama Software. Click HERE to read the full thing.


How to Manage Cybersecurity in Jama Connect® for Automotive and Semiconductor Industries

Learn how automotive and semiconductor teams use requirements management tools to support meeting ISO/SAE 21434 while increasing visibility, collaboration, and review-cycle efficiency.

Security threats such as malware, ransomware, and data breaches impact many industries, but with expanded connectivity in the automotive and semiconductor sectors, there is increased urgency to safeguard against fast-evolving risks.

Research shows that 91% of vehicles are connected, and that number is expected to rise to 96% by 2030. With more automobiles and semiconductor devices being connected, attack surfaces (the points where cybersecurity vulnerabilities can be exploited) are expanding quickly, and the ISO/SAE 21434 standard aims to help organizations understand and safeguard against potential threats.

However, managing a cybersecurity case within the standard requires many steps, and cross-team visibility and collaboration are often challenging. As a result, some teams are turning to requirements management tools to help improve visibility and increase transparency in review cycles.

If you haven’t used a formal requirements management tool before, understanding the benefits, advantages, and how it works helps determine if it’s right for your team.


RELATED: A Guide to Road Vehicle Cybersecurity According to ISO 21434


Why manage a cybersecurity case in a requirements management tool?

A cybersecurity case is a structured argument supported by the evidence of work products to detail why risks found within the Threat Analysis and Risk Assessment (TARA) are reasonable.

Creating a cybersecurity case for ISO/SAE 21434 is a complex process with many moving parts. Using a requirements management tool has many benefits, including improved traceability, easier collaboration, and improved functionality for reviews.

Here are several ways a tool can help.

1. Improved collaboration between OEMs and tier 1 and 2 suppliers. A requirements management tool, such as Jama Connect®, supports requirements interchange format (ReqIF), which can be used for bidirectional communication of requirements, item definitions, and more. Using the tool, you can support improved collaboration workflows.

2. Provides “trace as you go” visibility. You don’t want traceability to be an afterthought handled by your requirements engineer at the end of the project, especially when that project is complex. A purpose-built requirements management tool, like Jama Connect, allows you to create requirements tracing to parent requirements, design blocks for requirements allocation, and more. It supports a trace-as-you-go methodology.

3. Access impact analysis to handle midstream project changes more effectively. Jama Connect provides access to an impact analysis, a powerful capability supporting the trace-as-you-go approach. Running an impact analysis as project changes happen midstream allows for greater understanding and visibility.

4. Automatically generate test coverage reports. With Jama Connect, you can allocate requirements to design blocks or interconnect the requirements management system to design tools. Using tools like Design Architect provides powerful analytics and test coverage reports that are automatically generated.

5. Connect tools and avoid disjointed tooling challenges. Disconnected tools are often a source of visibility issues. Jama Connect links disparate tools and offers a “toolchain view” for more seamless tool functioning and visibility, like with the Design Architect example above.

6. View exactly where you are in a project in real time. As you move through the management of a case, it’s important to see where you are in the process so you can stay on track. Jama Connect can provide analytics that clearly indicate where you are in a project, including allocated requirements, tests that have been covered, and more.


RELATED: Traceable Agile™ – Speed AND Quality Are Possible for Software Factories in Safety-critical Industries


How does a requirements management tool fit with the ISO/SAE 21434 standard?

Traceability, collaboration, and improved review processes are all benefits of a purpose-built requirements management tool, but to understand how it works, it helps to have an example. In the details below, we’ve used the Jama Connect platform as an example to see how it works – from product-dependent cybersecurity management to threat analysis and risk assessment methods.

ISO/SAE 21434 is organized by clauses and subclauses, broken out below.

The right requirements management tool will enable your teams to optimize the development process in many of the above areas. Specifically, here’s a breakdown of how the Jama Connect platform supports each of them, as indicated by each box’s color.

Green. These areas are fully supported and recommended to be implemented in Jama Connect. For example, when viewing section 9 in the chart above under the “Concept” heading, Jama Connect supports the item definition, cybersecurity goals, and cybersecurity concept.

Yellow. These are optional and can be implemented in Jama Connect. For example, you’ll see subclauses 5.4.3 “Information sharing” and 5.4.4 “Management systems” fall into this category.

Yellow-green. These are partially supported in the tool. In other words, Jama Connect can support some of the requirements but not all of them. As an example, 10.4.1 “Design” and 10.4.2 “Integration and verification” are included in this category.

Red boxes. These are not recommended for support in Jama Connect and are usually handled with an in-house tool instead: some are processes that extend throughout the organization, and some are activities or work products better suited to alternative best-of-breed tools. The progression of these work products can, however, be brought back into Jama Connect to reflect their status through the cybersecurity case. An example is the areas under the “post-development” phases, including 12 “Production” and 13 “Operations and maintenance.”

One of Jama Connect’s most powerful capabilities is supporting the green and yellow categories through document building and generation. The tool supports the process of building and reviewing documentation with real-time collaboration as well as creating documentation with a single click and no post-processing.


TO DOWNLOAD THIS WHITEPAPER IN ITS ENTIRETY, VISIT:
How to Manage Cybersecurity in Jama Connect® for Automotive and Semiconductor Industries


Mastering ISO/IEC 27001: A Guide to Information Security Management https://www.jamasoftware.com/blog/mastering-iso-iec-27001-a-guide-to-information-security-management/ Wed, 22 May 2024 10:00:46 +0000 https://www.jamasoftware.com/?p=77245

In this blog post, we summarize our eBook titled “Mastering ISO/IEC 27001: A Guide to Information Security Management”. Click HERE to read the full eBook.


Mastering ISO/IEC 27001: A Guide to Information Security Management

Understanding Information Security Management

Information security, often referred to as cybersecurity, is a critical aspect of modern technology and business operations. It encompasses the protection of sensitive data, systems, and networks from unauthorized access, disclosure, disruption, modification, or destruction. The evolution of information security practices has been shaped by the rapid advancements in technology and the ever-growing sophistication of cyber threats.

In the early days of computing, security concerns were minimal, and systems operated in relatively isolated environments. As technology expanded and interconnected networks became prevalent, the need for robust information security measures became apparent. The 1980s and 1990s witnessed the rise of antivirus software and firewalls as the primary means of defense against early computer viruses and network intrusions.

The 21st century brought about a paradigm shift in information security, driven by the widespread adoption of the internet, cloud computing, and mobile technologies. With the increasing complexity of cyber threats, traditional security measures proved insufficient. The focus shifted towards a more holistic approach, including encryption, multi-factor authentication, and intrusion detection systems. The concept of “defense in depth” gained prominence, emphasizing multiple layers of security to safeguard against diverse attack vectors.

In recent years, artificial intelligence and machine learning have played a significant role in information security. These technologies enable proactive threat detection, behavioral analysis, and automated response mechanisms, helping organizations stay ahead of rapidly evolving cyber threats. Additionally, the adoption of zero-trust security models has become prevalent, assuming that no user or system is inherently trustworthy, and continuous verification is necessary.

As the digital landscape continues to evolve, information security practices must adapt accordingly. Privacy concerns, regulatory compliance, and the increasing interconnectivity of devices further underscore the importance of a comprehensive and dynamic approach to information security. Organizations must remain vigilant, continually updating and enhancing their security measures to mitigate emerging risks and safeguard sensitive information in an ever-changing digital landscape.

This eBook, “Mastering ISO/IEC 27001: A Guide to Information Security Management,” offers a comprehensive and practical guide to understanding and implementing the ISO/IEC 27001 standard for information security management. Authored by experts in the field, it delves into the key concepts, principles, and requirements of ISO/IEC 27001, offering valuable insights into establishing, implementing, maintaining, and continually improving an information security management system (ISMS).


RELATED: Traceable Agile™ – Speed AND Quality Are Possible for Software Factories in Safety-critical Industries


ISO/IEC 27001 for Information Security

ISO/IEC 27001 is an internationally recognized standard that provides a framework for establishing, implementing, maintaining, and continually improving an Information Security Management System (ISMS). Published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC), ISO/IEC 27001 outlines a systematic approach to managing information security within an organization.

The primary objective of ISO/IEC 27001 is to help organizations ensure the confidentiality, integrity, and availability of their information assets. It is applicable to businesses of all sizes and industries, acknowledging the importance of information security in the digital age. The standard is not prescriptive about specific security measures but rather focuses on a risk-based approach, allowing organizations flexibility in implementing controls based on their unique needs and risk profile.

The key components of ISO/IEC 27001

  • Scope and Policy Development: Organizations define the scope of their ISMS, identifying the boundaries and context for information security. A robust information security policy is established to guide the implementation and operation of the ISMS.
  • Risk Assessment and Treatment: A thorough risk assessment is conducted to identify and evaluate potential threats and vulnerabilities to information assets. Organizations then implement controls to mitigate or manage these risks, taking into account the level of risk tolerance.
  • Implementation of Controls: ISO/IEC 27001 provides a comprehensive set of controls organized into 14 domains, covering areas such as access control, cryptography, physical security, and incident management. Organizations select and implement these controls based on their specific risk assessment.
  • Documentation and Records: Proper documentation of the ISMS, including policies, procedures, and records, is essential for effective implementation and maintenance. This documentation helps demonstrate compliance with the standard and facilitates audits.
  • Monitoring and Measurement: Continuous monitoring and measurement of the ISMS performance are critical. This includes regular internal audits, management reviews, and the monitoring of security incidents to ensure the effectiveness of the security controls.
  • Continuous Improvement: ISO/IEC 27001 follows the Plan-Do-Check-Act (PDCA) cycle, emphasizing continuous improvement. Organizations regularly review and update their ISMS based on changes in the internal or external environment and emerging threats.

Achieving ISO/IEC 27001 certification demonstrates an organization’s commitment to information security and can enhance its reputation, build customer trust, and improve its ability to compete in the marketplace. The standard provides a structured and systematic approach to managing information security, helping organizations adapt to the evolving threat landscape and safeguard their valuable information assets.


RELATED: How to Develop IoT Products with Security in Mind


Implementing ISO/IEC 27001

Setting up the ISMS Framework: The first step is defining the scope and objectives of the ISMS. This involves identifying the information assets to be protected, the boundaries of the ISMS, and the organizational context. Organizations establish an Information Security Policy that aligns with their business objectives and regulatory requirements. The commitment of top management is crucial during this phase, as they provide leadership and allocate necessary resources.

Conducting a Risk Assessment: A critical component of ISO/IEC 27001 implementation is the identification and assessment of information security risks. This involves evaluating potential threats, vulnerabilities, and the impact of security incidents. The risk assessment is typically conducted through a systematic and comprehensive process, considering factors such as likelihood, impact, and risk appetite. The output of the risk assessment informs the selection of appropriate security controls to mitigate or manage identified risks.

Developing and Implementing Security Controls: Based on the results of the risk assessment, organizations select and implement security controls to address the identified risks. As mentioned above, ISO/IEC 27001 provides a set of controls organized into 14 domains, covering aspects such as access control, cryptography, incident management, and business continuity. The selection of controls is tailored to the organization’s specific context and risk profile. Implementation involves developing policies, procedures, and guidelines, as well as deploying technical measures to safeguard information assets.

Monitoring and Continuous Improvement: Continuous monitoring and measurement are integral to the success of an ISMS. Organizations conduct internal audits to assess the effectiveness of implemented controls and ensure compliance with the standard. Management reviews, which involve top management evaluating the performance of the ISMS, are also conducted periodically.

Throughout the implementation process, communication and awareness-raising activities are essential to ensure that all employees understand their roles and responsibilities in maintaining information security. Employee training, regular communication about security policies, and promoting a security-conscious culture contribute to the overall success of ISO/IEC 27001 implementation.

By following these steps and incorporating a risk-based approach, organizations can establish a robust ISMS that not only complies with ISO/IEC 27001 standards but also adapts to the dynamic nature of the information security landscape.


TO DOWNLOAD THIS WHITEPAPER IN ITS ENTIRETY, VISIT:
Mastering ISO/IEC 27001: A Guide to Information Security Management


Ramping Up Security to Meet Operational Resilience Rules https://www.jamasoftware.com/blog/ramping-up-security-to-meet-operational-resilience-rules/ Thu, 02 May 2024 10:00:03 +0000 https://www.jamasoftware.com/?p=77086

Jama Software is always looking for news that will benefit and inform our industry partners. As such, we’ve curated a series of customer and industry spotlight articles that we found insightful. In this blog post, we share an article, sourced from Innovation News Network, titled “Ramping Up Security to Meet Operational Resilience Rules” – originally published on April 8, 2024.


Ramping Up Security to Meet Operational Resilience Rules

Philip Pearson, Field Chief Information Security Officer at Aqua Security, discusses how meeting operational resilience targets is crucial for effective cybersecurity measures.

Operational resilience is the ability to prevent, withstand, recover, adapt and learn in the face of disruption, including cyber events.

Currently, it represents a far-reaching set of issues that are increasingly important to private sector organizations and lawmakers alike. In both the EU and the UK, stronger regulatory frameworks are evolving, accompanied by serious consequences for those who fail to comply.

For instance, the Digital Operational Resilience Act (DORA) and the NIS2 Directive are two major pieces of European cybersecurity legislation aimed at strengthening operational resilience and cybersecurity across various sectors, including finance. While they share common goals, they focus on different aspects and have distinct scopes of application.

Designed to strengthen IT security across a wide range of financial entities, DORA comes into force in early January 2025.

It focuses heavily on improving resilience “in the event of a severe operational disruption.” It is relevant to financial services industry organizations that supply services inside the EU. Failure to comply can result in penalties of up to 2% of the total worldwide revenue for any organization found to be in breach.

For any business leaders that operate within the parameters set out by GDPR, the jurisdiction rules will have a familiar ring about them, and the UK’s position outside of the EU will, for many organizations, be an irrelevance.


The NIS2 Directive has been active since January last year. It aims to improve the level of cybersecurity protection across the EU, with an emphasis on harmonising security requirements and reporting obligations. In addition, it encourages member states to integrate new areas, such as supply chain security, vulnerability management, and cyber hygiene, into their national cybersecurity strategies. The Directive also promotes improvements in knowledge sharing, collaboration, the development of an EU-wide vulnerability registry, a Crises Liaison Network, and improved cooperation, among other measures.


RELATED: Jama Connect® Amazon Web Service (AWS) GovCloud US Hosting


The role of Critical Third Parties in meeting operational resilience targets

In the UK specifically, regulators have looked closely at the role played by Critical Third Parties (CTPs) – external organizations whose services are vital to the operational integrity and operational resilience of financial institutions. CTPs could include cloud service providers such as AWS or Microsoft and a range of other technology businesses that play a key role in supporting the sector. Additionally, the Cross Market Operational Resilience Group, chaired by the Bank of England, provides detailed guidance on operational resilience for the financial services sector, which, whilst not legally binding, acts as a good base for best practice.

Our recent survey conducted at the Cloud & Cyber Security Expo at Tech Show London in March with 100+ cloud professionals indicated that awareness remains low around new compliance obligations. Nearly half – 46.5% – were unsure of their organization’s ability to comply with supply chain regulations and frameworks such as NIS2 or SBOM. And of those respondents who work in the finance sector, 30% were unaware of the Digital Operational Resilience Act (DORA). Just over a third – 35% – were confident of their organization’s ability to comply.

Additionally, the shift towards cloud-native technologies, with their distributed systems and microservices architectures, presents a new set of challenges for regulatory compliance and operational resilience. This environment, characterized by dynamic resource scaling to meet demand, introduces complexities in maintaining compliance amidst the fluid nature of containerized deployments and autoscaling practices.

Autoscaling, a hallmark of cloud-native environments, allows for efficient resource management but necessitates a nuanced approach to operational resilience. The ability of systems to automatically adjust resources complicates adherence to stringent regulatory frameworks, requiring organizations to adopt innovative monitoring and management strategies that align with the fluid dynamics of cloud-native operations.


RELATED: Traceable Agile™ – Speed AND Quality Are Possible for Software Factories in Safety-critical Industries


How can organizations be compliant, secure, and agile simultaneously?

So what impact are these regulations making (or will they make) in practical terms, and what technology priorities should organizations address to ensure compliance?

Across the current financial industry ecosystem, for example, there is an increasing reliance on the provision of agile, scalable, and reliable applications, with Kubernetes and DevOps among the platforms and methodologies playing an important role in software development and delivery strategies. In this context, resilience and security are – understandably – key considerations.

Operational resilience ensures that organizations working with Kubernetes and cloud environments deploy robust, secure infrastructure and applications capable of swiftly recovering from disruption. This includes implementing best practices for Kubernetes security, ensuring high availability and disaster recovery capabilities, and effectively managing third-party risks associated with cloud service providers.

Operational resilience in these environments also involves continuous monitoring, incident response planning, and regular testing of recovery procedures to ensure that the organization can maintain its critical functions under a variety of adverse conditions.

In relation to DevOps, which has become a widely adopted software development methodology globally, security can be improved by integrating advanced measures directly into development and deployment processes. This includes implementing ‘Compliance as Code’, which integrates automated compliance checks within the CI/CD pipeline.

The most effective approaches enforce compliance policies and regulatory requirements directly in the infrastructure as code (IaC) templates and container configurations. This ensures that every deployment automatically adheres to necessary compliance standards, reducing manual review processes and the potential for human error.

This should be accompanied by the use of immutable security policies for containerized applications and Kubernetes clusters. Because these strict security policies cannot be altered once a container or service is deployed, any change to the security posture can only be made through the CI/CD pipeline, which enforces consistency, auditability, and compliance with existing security standards.
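As an added example of the ‘Compliance as Code’ gate described above (not code from the article or from Aqua Security), the following Python check evaluates a Kubernetes workload manifest against a few policy rules of the kind a CI/CD pipeline would enforce before deployment. The manifest, the rule set and the registry name are constructed for illustration.

```python
"""Compliance-as-code gate for Kubernetes workload manifests (added example,
not the article's own code). Manifest and rules are constructed; a CI job
would load the rendered manifests and fail the build on any finding."""
import json

# Constructed sample Deployment: the "api" container breaks several rules,
# the "sidecar" container is compliant.
SAMPLE_MANIFEST = json.dumps({
    "apiVersion": "apps/v1", "kind": "Deployment",
    "metadata": {"name": "payments-api"},
    "spec": {"template": {"spec": {"containers": [
        {"name": "api", "image": "registry.example/payments:latest",
         "securityContext": {"privileged": True},
         "resources": {"limits": {"cpu": "500m", "memory": "256Mi"}}},
        {"name": "sidecar", "image": "registry.example/proxy:1.4.2",
         "securityContext": {"runAsNonRoot": True, "readOnlyRootFilesystem": True},
         "resources": {"limits": {"cpu": "100m", "memory": "64Mi"}}},
    ]}}},
})

def image_is_pinned(image):
    """True when the reference carries a digest or an explicit non-latest tag."""
    if "@sha256:" in image:
        return True
    # Look only at the part after the last '/', so a registry port
    # (host:5000/repo) is not mistaken for a tag.
    last = image.rsplit("/", 1)[-1]
    if ":" not in last:
        return False  # untagged references default to :latest
    return last.rsplit(":", 1)[1] != "latest"

def check_container(c):
    """Return the policy violations for one container spec."""
    sc = c.get("securityContext", {})
    limits = c.get("resources", {}).get("limits", {})
    rules = [  # (rule passes, message when it does not)
        (image_is_pinned(c.get("image", "")), "image must be pinned by digest or a non-latest tag"),
        (not sc.get("privileged", False), "privileged containers are not allowed"),
        (sc.get("runAsNonRoot") is True, "securityContext.runAsNonRoot must be true"),
        (sc.get("readOnlyRootFilesystem") is True, "securityContext.readOnlyRootFilesystem must be true"),
        (all(r in limits for r in ("cpu", "memory")), "resources.limits.cpu and .memory are required"),
    ]
    return [f"{c.get('name', '<unnamed>')}: {msg}" for ok, msg in rules if not ok]

def check_manifest(doc):
    """Return every violation in a Pod or a template-based workload manifest."""
    doc = json.loads(doc) if isinstance(doc, str) else doc
    spec = doc["spec"] if doc.get("kind") == "Pod" else doc["spec"]["template"]["spec"]
    containers = spec.get("containers", []) + spec.get("initContainers", [])
    return [issue for c in containers for issue in check_container(c)]
```

Running `check_manifest(SAMPLE_MANIFEST)` reports four findings, all against the `api` container; a pipeline step would exit non-zero when the list is non-empty.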

Looking more closely at the issues associated with CTPs or the wider supply chain, the creation of a Software Bill of Materials (SBOM) is a critical component in ensuring the security and integrity of software applications and their dependencies. This approach is increasingly relevant in the context of broader cybersecurity strategies and compliance with regulatory requirements such as DORA and is important for several reasons:

  • Transparency: SBOMs provide a clear, comprehensive view of an application’s software components, including open-source and third-party libraries. This transparency is vital for assessing software products’ security posture and compliance
  • Vulnerability management: With an SBOM, organizations can quickly identify which components might be affected by newly discovered vulnerabilities. This capability allows for rapid assessment and remediation, significantly reducing the window of exposure to potential threats
  • Compliance and reporting: Regulatory frameworks, including DORA, increasingly recognize the importance of understanding and managing the risks associated with software supply chains. SBOMs facilitate compliance with such regulations by documenting the use of components and ensuring that they meet the required security standards
  • Risk assessment: SBOMs enable organizations to perform detailed risk assessments of their software inventory, identifying potential security and compliance issues. This proactive approach supports DORA’s ICT risk management requirements by enabling financial entities to manage and mitigate risks associated with their software supply chain
  • Incident response: In the event of a security incident, having an SBOM allows for a quicker and more accurate determination of impact, supporting effective incident response strategies as outlined in DORA

However, SBOMs provide a comprehensive inventory of all the components present in a software application, including those that may never be loaded into memory or called at runtime, and these inactive components can still pose security risks.

Inactive but vulnerable components could potentially be used as part of an exploit chain or become an active threat later if the application’s functionality changes over time.

Therefore, SBOMs are a critical tool for risk management in the supply chain, but they must be part of a larger, holistic security strategy. It’s essential to consider the security implications of all components within a software application, even if they are currently unused. Maintaining a comprehensive SBOM and regularly reviewing it for vulnerabilities, even in inactive parts, are crucial security practices.

Additionally, alongside utilizing SBOMs, organizations must take a more comprehensive approach to vulnerability management, including continuous monitoring, prioritization, and proactive remediation.
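The following Python example, added here and not taken from the article or from Aqua Security, illustrates the vulnerability-management and incident-response uses of an SBOM listed above together with the point about inactive components: it matches a CycloneDX-style SBOM against advisories and keeps components that are not loaded at runtime in the report, prioritized below the active ones. The SBOM, the advisories (placeholder IDs, not real CVEs) and the runtime inventory are all constructed.

```python
"""Match a CycloneDX-style SBOM against vulnerability advisories (added
example, not the article's code). The SBOM, advisories and runtime inventory
are constructed; advisory IDs are placeholders, not real CVE numbers."""
import json

# Constructed SBOM fragment in CycloneDX JSON shape.
SBOM = json.dumps({"bomFormat": "CycloneDX", "components": [
    {"name": "libjson", "version": "1.2.3", "purl": "pkg:generic/libjson@1.2.3"},
    {"name": "imgcodec", "version": "0.9.1", "purl": "pkg:generic/imgcodec@0.9.1"},
    {"name": "httpclient", "version": "4.1.0", "purl": "pkg:generic/httpclient@4.1.0"},
]})

# Constructed advisories in an OSV-like shape: affected if introduced <= v < fixed.
ADVISORIES = [
    {"id": "EXAMPLE-0001", "package": "libjson", "introduced": "1.0.0", "fixed": "1.2.5"},
    {"id": "EXAMPLE-0002", "package": "imgcodec", "introduced": "0.9.0", "fixed": "0.9.4"},
    {"id": "EXAMPLE-0003", "package": "httpclient", "introduced": "3.0.0", "fixed": "4.0.2"},
]

# Constructed runtime inventory: packages observed loaded in the running workload.
LOADED_AT_RUNTIME = {"libjson", "httpclient"}

def parse_version(v):
    """'1.2.3' -> (1, 2, 3); non-numeric parts count as 0 so comparison never raises."""
    return tuple(int(p) if p.isdigit() else 0 for p in v.split("."))

def is_affected(version, advisory):
    """True when introduced <= version < fixed (an open range if 'fixed' is absent)."""
    v = parse_version(version)
    if v < parse_version(advisory["introduced"]):
        return False
    fixed = advisory.get("fixed")
    return fixed is None or v < parse_version(fixed)

def match_sbom(sbom, advisories, loaded):
    """Return a finding for every affected component, whether active or not."""
    doc = json.loads(sbom) if isinstance(sbom, str) else sbom
    findings = []
    for comp in doc.get("components", []):
        for adv in advisories:
            if adv["package"] == comp["name"] and is_affected(comp["version"], adv):
                findings.append({
                    "component": comp["name"], "version": comp["version"],
                    "vuln": adv["id"], "fix": adv.get("fixed"),
                    # Inactive components stay in the report: they can become
                    # reachable when the application's code paths change.
                    "status": "active" if comp["name"] in loaded else "inactive",
                })
    # Active exposure is remediated first, but nothing is dropped from the list.
    findings.sort(key=lambda f: f["status"] != "active")
    return findings
```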

Organizations must act now to stay ahead of the curve and ensure compliance with emerging regulations. Some concrete steps they can take include:

  • Educate staff on the requirements of DORA, NIS2, and other relevant regulations and take steps to assess the current level of compliance
  • Engage with industry peers, regulatory bodies, and security experts to stay informed about best practices and evolving threats
  • Develop a roadmap for enhancing your security posture, prioritizing initiatives that align with regulatory requirements and their overall business objectives
  • Partner with trusted security vendors and service providers who can provide the expertise, tools, and support needed to implement effective security measures and maintain compliance over time

Looking ahead, these represent just some of the key considerations for organizations operating in and around the finance industry ecosystem. In a climate where the role of regulation seems likely to increase even further, organizations that can integrate security into their development processes now will be better placed to adopt future changes in regulation as they emerge.


CONTRIBUTOR DETAILS

Philip Pearson, Aqua Security, Field Chief Information Security Officer
Website: https://www.aquasec.com/
