How cyber-mature are your products and organization?
While some organizations have created a basic security framework to improve the cybersecurity of their systems, practices, and products, many others are still seeking guidance on how to incorporate safeguards to reduce potential risks to their business, customers, and users. In response to this need, CSA Group and its volunteer committee members developed a method that would evaluate organizations on cyber maturity and their product software development practices to help reduce the overall risks related to the deployment of digital technologies.
From the needs of utility organizations to a Standard for all
The concept of the new bi-national standard CSA/ANSI T200:22, Evaluation of software development and cybersecurity programs, originated in the utility sector. As utility companies started to introduce smart thermostats and similar products into homes, questions arose about the cybersecurity vulnerabilities these devices could introduce, both for consumers in their homes and for the utilities themselves. That created a need for a cybersecurity standard, based on industry best practices, that would evaluate both the organization and its products. A common framework of best cybersecurity practices would also help utilities assess vendors of digital and connected solutions. At the same time, it would give vendors a clear set of expectations, leveling the field and helping to reduce cybersecurity risks. Moreover, such a framework could help demonstrate compliance with the North American Electric Reliability Corporation Critical Infrastructure Protection (NERC CIP-013-1) plan aimed at maintaining an efficient and reliable supply of electricity in North America.
This led to creating a CSA Group committee on Cybersecurity Verification, bringing together experts from manufacturing, utilities, engineering, security, and other organizations and stakeholders. The aim was to develop a standard applicable across all industries and sectors covering IoT and related products and solutions.
New Standard helps define the path to cybersecurity
The resulting CSA/ANSI T200:22 cybersecurity standard helps organizations approach cybersecurity from a more holistic perspective. The Standard outlines a methodology for assessing the cyber maturity of the organization, its processes, products, and solutions. It applies to the entire product lifecycle, from conception and commissioning to end of life.
CSA/ANSI T200:22 introduces a maturity model, offering organizations a flexible approach rather than a ‘one-size-fits-all’ set of requirements. This means that organizations can define the cyber maturity levels they expect of their vendors, and vendors can optimize the costs associated with certifying their products and services. Moreover, the leveled maturity model promotes continuous improvement of organizational and product security, encouraging businesses to address cybersecurity even more effectively.
The Standard provides an overview of the IoT threat landscape and of the components that make up IoT products and solutions, and describes baseline product cybersecurity controls and concepts that need to be considered. It also includes requirements and recommendations for the self-evaluation process, audit, and testing and validation used to determine the maturity level the organization has achieved. Further, an informative supplement to the Standard focuses on electric utility companies and specific cybersecurity controls for their supply chains and third-party vendors, to help enhance the security and reliability of electrical infrastructure.