The Device Chronicle interviews CMO David Leichner and Head of Brand Shlomi Ashkenazy from Cybellum on the current state of product cybersecurity and the factors that are driving cybersecurity programs adoption.
Cybellum is the product security platform with a mission to create one place where product security teams can come and manage their entire operations. This would be across the product lifecycle from design through development to post-production and then also catering for scale. There is a need to be able to do this from the micro to the macro – from the component level to the product/device level and you can also manage the entire operation from across all of the different product lines.
Cyber Digital Twins
David and Shlomi took some time to give us a briefing on their experiences in the cybersecurity field so far: Shlomi begins by saying that Cybellum has a unique technology called “Cyber Digital Twins” which allows for the creation of a digital replica of the product which is a central element of the product security platform. He says “Cybellum is also industry obsessed – focussed on certain industries and tailoring to the needs within. These focus industries are automotive, medical and industrial.”
Started out in automotive, then moved on to Medical and Industrial
Cybellum started out by addressing needs in the automotive segment. This was, according to David, a slightly “opportunistic” scenario in that the company had people on the team who had worked extensively in automotive and had good connections into the major automotive manufacturers. Secondly, David explains that automotive was ripe as this sector had clear compliance needs. “There was a need to have systems to support compliance with WP.29 and UNR R155. There was a compelling event coming up where they needed to implement a product/device security strategy within their organizations.”
Cybellum then progressed into the medical segment as there was a strong compliance push from the FDA, the CyberEO signed off by President Biden and the FDA draft for premarket guidelines that came out a few months ago. These standards require very specific cybersecurity measures for the supply chain – namely a software bill of materials (SBOM). The software components listed on that software bill of materials must be monitored for vulnerabilities, and if any vulnerabilities are detected then they must be swiftly mitigated. On the industrial side, there are different compliance standards and regulations across oil and gas, and utilities due to highly visible cyber attacks on critical infrastructure and machines.
Cybersecurity programs are essential – not “nice to have”s
David further remarks that “One of the things we notice is that companies will put cybersecurity programs in place when there is a compelling event to do so. It is critical, not a “nice to have” but it can be intrusive and time-consuming in the development process, if it is not implemented correctly.” On the flip side, David observes that if the cybersecurity program is implemented correctly then it can save time in the development process because the customer won’t get to the costly point where they discover that they have vulnerabilities in the product just as they are about to launch it to market and then be forced to delay or withdraw it, or change the software or hardware.
Compliance requirements grow in each industry sector
David explains that every industry vertical will have specific cybersecurity compliance requirements. There is a heterogeneity and diversity of compliance and regulatory requirements: “In defense, there is NSA and ELA6, NIST FIPS 140-2, ISO 21434 and ISO 26262 for functional security in automotive, for medical devices there is the FDA Class 2 and Class 3 and these will be upgraded with the pre market, from which 1600 organizations gave input, on SBOMs and vulnerabilities – due by July 2022. In avionics, there is PL4 and FAA DO 178B Level A. David further predicts that as the regulatory bodies become more able at monitoring compliance, the (cybersecurity program) adoption will increase and the world will become safer. “Still the hackers will try even harder to breach the systems.”
The serious attacks
Shlomi recalls that the Solarwinds attack started the compliance and regulatory snowball that has led to the Cyber EO for supply chain security. He also says the infamous LOG4j vulnerability caused a lot of disruption. Some recent attacks that made the news was the hack on the supply chain of Toyota. Honda also experienced vulnerabilities and ransomware attacks. “In addition, the teenager David Colombo was able to demonstrate how he could get access to 28 Teslas around the world from his home office in Bavaria. Also, hospitals are being hacked but often these incidents are being kept private for brand reputation protection reasons.”
David recalls a conversation a while back with a banking organization where they told him they would rather pay €50,000 ransom than €5m to put a cybersecurity system in place; they came back quickly for a solution after the second attack in quick succession! The hacker had clearly found multiple ways in. Financial loss is one form of brand reputation damage, but loss of life and health damage is even worse. Infusion pumps could be hacked and medication doses for patients increased by determined hackers. Pumps had to be pulled off the market and the product had to be redesigned.
Problems solved by Cybellum
Cybellum addresses many use cases across the product lifecycle: the company starts at the beginning of the product life cycle for vulnerability management, SBOM and CBOM creation, red team testing tools and threat modeling and much more. Cybersecurity compliance management is another important Cybellum service — the ability to detect risks and vulnerabilities in real time, get mitigation recommendations, and then extract reports for compliance.
David concludes with 3 principles that are key to the success of Cybellum’s approach:
- The product spans the entire product life cycle – from design to post production, including the supply chain
- Strong focus on compliance and security management – detection, remediation, including the “system of systems” technology for management to drill down from a complete vehicle or medical device into its individual components and develop a risk model so you understand the overall level of risk, and quickly address the issues that put your organization at risk.
- Implement automation to the greatest extent possible – from vulnerability detection, prioritization, and mitigation, to incident response, TARA, and reporting.
We wish David, Shlomi and their colleagues at Cybellum the best and urge you to check out their top cybersecurity podcast – Left to Our Own Devices.