“Security by design” describes the proactive approach of identifying all necessary security aspects from the outset and integrating them into the entire life cycle to preventively close security gaps and minimise cyber threats. This principle is not only applicable in software and product development, but also in the planning, implementation and operation of IT and OT systems.
The advantage of “Security by Design” lies in a comprehensive and adapted security approach that considers the existing environment, new requirements, and current technical best practices already in the design and development process of systems, products, and infrastructures. The goal is to incorporate security aspects into the design from the very beginning to identify and address potential vulnerabilities before they can be exploited by attackers. In this way, risks are minimised, and necessary cybersecurity issues are addressed sustainably and cost-efficiently right from the start, instead of making elaborate adjustments afterwards.
Why is Security by Design not (yet) standard?
As with fire protection and other emergency precautions, it is objectively most efficient to develop integrated solutions from the outset. Although the concept is far from new, it is still often dispensed with, or simply forgotten, whether due to a lack of competences, because other aspects of the project have been given higher priority, because of the costs, or because of insufficient management guidelines.
According to the German IT Security Association (Bundesverband IT-Sicherheit e.V.), security by design is not a ‘nice to have’ for companies, but an absolute must to be able to operate successfully on the market. A guide with recommended actions for decision-makers is intended to help improve awareness and knowledge of the principles. [1]
How can Security by Design be implemented?
Secure Product Lifecycle Management (SPLM) starts with the idea and accompanies the product until the end of use. The goal is to select, adapt and integrate the security requirements of the respective area according to the current state of the art.
In addition to the three protection goals of integrity, confidentiality and availability, the Open Web Application Security Project (OWASP) offers very good guidance with its ten Security by Design principles: [2]
- Minimize attack surface area
- Establish secure defaults
- Principle of least privilege
- Principle of defense in depth
- Fail securely
- Don’t trust services
- Separation of duties
- Avoid security by obscurity
- Keep security simple
- Fix security issues correctly
For useful basic protection, depending on the industry and requirements, proven basic principles can also be taken from established cyber security standards and manufacturer recommendations, such as the 18 CIS Controls, the ISO 27000 series or IEC 62443. [3] [4] [5]
Planning Security by Design for IT and OT Operations
While both IT and OT work with digital systems, there are crucial differences that need to be considered when applying Security by Design. IT is mainly concerned with the processing and management of information, while OT is aimed at the control and monitoring of physical processes, e.g., in industrial plants or critical infrastructures. OT environments usually have longer life cycles and security solutions must be tailored to the specific requirements of these systems.
For a stable and reliable environment, the following issues should be considered:
- Use of secure protocols, procedures and settings, and replacement or exclusion of insecure protocols.
- Adapted and clear security policies covering all relevant areas (from access control to password policies).
- Continuous reviews, such as security audits, to identify potential vulnerabilities and risks, also during operation.
- Integration of proactive measures to identify and mitigate potential threats at an early stage.
- Planning for relevant emergency scenarios such as a hacker attack or a ransomware attack (incident response).
Planning Agendas for IT Security Governance
The management of a company and IT security officers play a central role in promoting and implementing a proactive security culture.
- Publish and communicate principles and guidelines that promote secure planning and implementation and are aligned with the organisation’s own security strategy.
- Conduct regular training and awareness-raising activities to improve security awareness throughout the organisation and among all staff.
- Promote a positive security culture in which cybersecurity is seen as a shared responsibility of all employees and is defined as a common goal.
Security by Design throughout Product Lifecycle Management
Not only in development, but also in the selection and operation of systems and products, the overall security design plays an essential role.
- Integration of security aspects already in the conception and design phase to address potential risks from the very beginning.
- Continuous risk management through regular assessment and improvement of security during the development, testing and production phases.
- Security measures over the entire life cycle: from commissioning, through regular updates during operation for the required runtime, to appropriate precautions at the end of use that prevent data leaks and unwanted access.
Security by design is a critical concept in today’s data and information-driven world. A holistic security strategy that includes proactive measures and especially continuous improvement allows companies to develop and operate robust and secure products and systems that can withstand constantly growing security challenges.
Sources:
[1] https://www.teletrust.de/publikationen/broschueren/security-by-design/
[2] https://wiki.owasp.org/index.php/Security_by_Design_Principles
[3] https://www.cisecurity.org/controls/cis-controls-list
[4] https://www.security-insider.de/was-ist-iec-62443-a-8afae9df06ebcb1f8589b32514f4088c/
[5] https://www.bsi.bund.de/DE/Themen/Unternehmen-und-Organisationen/Standards-und-Zertifizierung/IT-Grundschutz/it-grundschutz_node.html