10 Steps Integrators Should Use to Ensure Manufacturers’ Products Are Cyber Secure

More and more security devices are being placed on networks and therefore need to tested and designed to withstand hacking attacks. Learn what to be aware of, look for and verify in a vendor.

3. Is there a protection profile (PP) for the product?
Systems integrators should request (and the manufacturer should freely provide) information regarding testing and formal validation process (i.e. NIST, ISO and Common Criteria) that have been performed on the specific IT-connected components.

These protection profiles specifically define the essential functions and critical components inside the IT connected components, and cover use case scenarios and situations where acceptable risk levels are approved, or a plan of action to implement if countermeasures are required.

The formal validation processes provide system assurances for the systems integrator only for a specific snapshot and period of time that the PP was delivered. It is important to verify that the PP is not outdated and is applicable to the specific systems the integrator is deploying. In the event the PP does not reflect current components, it is important to know what changes have been implemented to the IT component system that brings it to its current cybersecurity standard.

4. Is the manufacturer supply chain reliable and verifiable?
Can the manufacturer prove by providing technical evidence that it has evaluated the risk that an adversary may infect the supply chain? This includes sabotage, malicious introductions of unwanted functions or acts that otherwise subvert the design integrity of the product.

Systems integrators should look to the manufacturer and determine the source of origin to ensure its legitimacy. Testing procedures should be implemented for introduced info systems that can verify the initial system state is consistent with predefined checks.

The systems integrator should request and internally determine whether the manufacturer has implemented countermeasures against counterfeiting, infection of the supply chain and other threats.

5. Has the manufacturer met industry standard conformance benchmarks?
Most manufacturers follow customary practices such as ISO 9001 quality management, Six Sigma or other standards related to fault management and quality controls from a process perspective. These benchmarks include functionality, reliability, usability, efficiency, maintainability and portability into development models, and that the necessary feedback loops are in place to establish accountability through business processes.

Manufacturers that are committed and achieved these standards are reputed to have strong internal and organizational controls in place that are of value to the systems integrator. Products sold into markets should exemplify best practices according to the industry certifications held by the manufacturer.

6. Does the product component(s) have a reference security architecture?
Most manufacturers involved in deploying logical information technology solutions create significant value to the customers by providing what is known as reference architecture to systems integrators. Reference architectures remove much of the guesswork from a systems integrator perspective for how a manufacturer solution should be deployed.

For example, virtual machines and virtualized environments with scripts allow for easy loading, configuration and data-driven forms to achieve expected outcomes, but also use proven templates and solutions for a particular application or environment.

These repeatable, proven patterns of deployment facilitate better risk management of the solution provided by the manufacturer.

Systems integrators should look for and verify if reference security architecture related documentation or technical reference information exists.

7. Can the product maintain a provable root of trust?
Does the architecture enable the definition of a root of trust that can protect the firmware and software from data manipulation or exfiltration from adversary? Can physical control structures (e.g. sensors) rely on these secure processes to maintain integrity?

Does the product precisely define how the individual components maintain a specific cybersec
urity state when interfaced with other systems?

Without a root of trust, infected or attacked systems can be staged to attack other systems within an IT-connected environment.

Manufacturers that have cyber-secure products can describe and define how their system manages a provable root of trust, and can maintain functions and processes within their system and be resilient against attack.

Security Is Our Business, Too

For professionals who recommend, buy and install all types of electronic security equipment, a free subscription to Security Sales & Integration is like having a consultant on call. You’ll find an ideal balance of technology and business coverage, with installation tips and techniques for products and updates on how to add sales to your bottom line.

A free subscription to the #1 resource for the residential and commercial security industry will prove to be invaluable. Subscribe today!

Subscribe Today!

Get Our Newsletters