Product Cyber Security
Protect products from hacker attacks!
In today's digital networked world, there are few products that do not have a digital interface to the environment. Most products are part of a network - a system of systems. These types of distributed systems bring along with them many advantages (increased functionality, higher convenience, etc.) as well as new threats. In order to develop a completely secure product, it is necessary to identify the risks of the digital interfaces and to secure the entire system against potential hacker attacks. Furthermore, this subject is a component of numerous standards and regulations, such as UNECE WP29, whose requirements must be met in order to successfully launch a product on the market.
The terms safety and security are ubiquitous in product development. In practice, however, there is a lack of a clear distinction between the terms. The term 'safety' focuses on topics of accident prevention and maintaining the health of stakeholders (users, maintenance staff, passers-by, etc.), while 'security' considers topics of crime prevention and thus only allows authorized persons to access a location or system. The following example illustrates this distinction. One of the functions of a vehicle door is to prevent another vehicle from entering the interior in the event of a crash (safety). Furthermore, the door also protects the car from strangers by denying access to the vehicle, making a potential theft more difficult (security). The topic of product cyber security is becoming increasingly important, particularly due to digitalization, but also in the area of data security. A holistic security approach takes into account not only the individual control devices, data networks and external interfaces (e.g. Bluetooth, WiFi), but also the end-to-end security of the entire system, i.e. including the cloud (see shell model).
In order to ensure the integrity of the data and the system throughout the lifecycle, it is necessary to integrate security engineering during product development. The goal of security engineering is to influence system design by applying principles and analyses to the security-related requirements of the development, production, usage and disposal phases. Security engineering, meanwhile, requires continuous development during the entire lifecycle to ensure permanent integrity. In concrete terms, this means that the organization must adapt correspondingly in the aspects relating to product, process, organization/roles and IT. These must be adapted to the existing system context (organization, product, business model). Exemplary results of these aspects are shown in the following figure: