Digital technologies, the Internet of Things, and connected and embedded devices have become common in many industrial and commercial products and services. While their use is intended to expand capabilities and efficiencies, these technologies bring new cyber and privacy risks. Businesses and consumers might assume that digital products and services they are using were designed with security considerations and passed through some level of security testing and evaluation. However, with no clear and consistent regulatory requirements, such principles are not always applied consistently, or even worse, they are not applied at all. That leaves organizations and individuals exposed to malware and cyber-attacks, often with devastating effects on businesses and critical infrastructure.

While some organizations have created a basic security framework to improve the cybersecurity of their systems, practices, and products, many others are still seeking guidance on how to incorporate safeguards to reduce potential risks to their business, customers, and users. In response to this need, CSA Group and its volunteer committee members developed a method that would evaluate organizations on cyber maturity and their product software development practices to help reduce the overall risks related to the deployment of digital technologies.

From the needs of utility organizations to a Standard for all

The concept of the new bi-national standard CSA/ANSI T200:22, Evaluation of software development and cybersecurity programs, originated in the utility sector. As utility companies started to introduce smart thermostats and similar products in homes, questions arose around the cybersecurity vulnerabilities that could be introduced to consumers in their homes, as well as to the utilities themselves. That brought out a need for a cybersecurity standard based on industry best practices that would evaluate both the organization and its products. A common framework of best cybersecurity practices would also help utilities assess vendors of digital and connected solutions. At the same time, it would provide vendors with a clear set of expectations, leveling the field and helping to reduce cybersecurity risks. Moreover, such a framework could help demonstrate compliance with the North American Electric Reliability Corporation Critical Infrastructure Protection (NERC CIP-013-1) plan aimed at maintaining an efficient and reliable supply of electricity in North America.

This led to creating a CSA Group committee on Cybersecurity Verification, bringing together experts from manufacturing, utilities, engineering, security, and other organizations and stakeholders. The aim was to develop a standard applicable across all industries and sectors covering IoT and related products and solutions.

New Standard helps define the path to cybersecurity

The resulting CSA/ANSI T200:22 cybersecurity standard helps organizations approach cybersecurity from a more holistic perspective. The Standard outlines a methodology for assessing the cyber maturity of the organization, its processes, products, and solutions. It applies to the entire product lifecycle, from conception and commissioning to end of life.

CSA/ANSI T200:22 introduces a maturity model, offering organizations a flexible approach rather than a ‘one-size-fits-all’ set of requirements. This means that organizations can define cyber maturity levels for their vendors, and vendors can optimize the costs associated with the certification of their products and services. Moreover, the leveled maturity model promotes continuous improvement of organizational and product security, encouraging businesses to address cybersecurity even more effectively.

The Standard provides an overview of the IoT threat landscape and components that comprise IoT products and solutions and describes baseline product cybersecurity controls and concepts that need to be considered. It also includes requirements and recommendations for the self-evaluation process, audit, and testing and validation to determine the achieved maturity level of the organization. Further, an informative supplement of the Standard focuses on electric utility companies and specific cybersecurity controls for their supply chains and third-party vendors to help enhance security and reliability of electrical infrastructure.

To find out more about CSA/ANSI T200:22, visit the CSA Store.