Cybersecurity Across the Product Lifecycle is Essential to Minimizing Security Breaches

Jun 15, 2020 2:00 PM ET
Blog

Cybersecurity is on everyone’s mind. Almost daily, you hear about product vulnerabilities that lead to a breach of some company’s security. As the world becomes more interconnected, cyber criminals are constantly looking for weaknesses in any device they can connect to. Those devices might be cars, smart devices, medical devices or any other connected product. At the same time, cybersecurity practitioners are constantly trying to prevent their companies from being the next news story.

Unfortunately, many of the products we are connected to are not built with security in mind and can become easy targets for cyber criminals. It is increasingly essential to embrace product security in every stage of a product’s lifecycle, from design and development through support and maintenance.

What is Product Security?
Simply put, product security is the work we do to build security into the products we create. It is a customized security framework that encompasses an organization’s people, processes, tools and training to ensure products are developed and manufactured with security in mind. Like corporate information security, it typically consists of multiple stages designed to identify product vulnerabilities, protect and defend the product through activities such as vulnerability remediation and hardening, respond to product cybersecurity incidents, and continuously monitor and enhance the product’s security.

Fig 1. A product security lifecycle

Product security at Keysight
Keysight has a corporate Product and Solution Security Program aimed at strengthening the cybersecurity of the products and solutions developed across all Keysight businesses. The areas of focus include processes and tools to support vulnerability management of our products and solutions, design standards for secure products and solution definition, and the adoption of secure design principles and secure coding practices in product development. Some of the key program activities include:

  • Keysight-wide software composition analysis program aimed at both identification of vulnerabilities and license compliance for open source software components.
  • Educating our engineers on secure design principles and secure coding practices.
  • Scanning of products for security vulnerabilities, both while in development and on a regular basis after release.
  • Application of secure OS hardening configurations for Keysight products.
  • Addition of specific security features and controls based on product/solution use models.
  • Processes for rapid response to critical cybersecurity issues.
  • Continuous monitoring and improvement of product security practice effectiveness.

Fig 2. Key product security activities at Keysight

Secure Communications as part of Product Security
Providing customers access to our products using secure communication in a standard, consistent manner is a key priority for Keysight and is one example of the security features currently being developed for our products. Across the industry, test and measurement products generally communicate with each other through standards defined by the IVI Foundation and the LXI Consortium. These standards provide a consistent, industry-wide method for communicating with LAN-based instruments.

To meet the ever-increasing demand for security in the test and measurement industry, the LXI Consortium, in cooperation with the IVI Foundation, has chartered a Security Working Group tasked with developing extensions to the current communication standards that will support authenticated and encrypted communication with test and measurement instruments. The extensions will also address security for instrument-hosted webpages. Keysight is a charter member of the LXI Security Working Group and is working closely with its members on the creation of the new standard.

The working group has developed an initial framework for instrument communication security and is currently prototyping proposed solutions. The plan is to distribute a draft standard to the member companies for ratification in the second half of 2020. Further information on the security investigations can be found on the LXI Consortium’s website at:

http://lxistandard.org/Resources/SecurityWorkingGroup.aspx