The real world is increasingly becoming intertwined with the virtual world. Highly integrated production plants, smart homes and autonomous vehicles are no longer the stuff of science fiction. The Internet of Things (IoT), where computers and systems communicate wirelessly, is becoming a significant element in everyone’s professional and private lives.
Greater convenience and increased productivity, however, have a price. Utilizing the IoT potentially allows harmful agents access to our systems. In our modern world, the risk of cybersecurity breaches has implications for all products, services and systems – from everyday objects to data centers.
The risks associated with security breaches mean nations and companies are beginning to act. Recent moves include:
- European Cybersecurity Act (March 14, 2019) – establishes a European Union-wide framework for cybersecurity certification, creating a new level for cybersecurity in digital products and services
- GDPR – General Data Protection Regulation – protects European citizens’ personally identifiable information
- Cyberspace Administration of China (CAC) – pushes forward cybersecurity regulation (Cybersecurity Law and several draft regulations) and related standards for the Chinese market
- United States – several cybersecurity regulations – federal and state led – e.g. California has signed into law the California Consumer Privacy Act (CCPA), effective in 2020
- Charter of Trust (CoT) – initiatives like this demonstrate the importance global business is placing on cybersecurity. These measures take a serious and structured approach to security, covering the complete life cycle of a product, from definition to disposal. The aim is the implementation of appropriate measures by all suppliers along the whole supply chain, as requested by Charter of Trust members
Standards are increasingly becoming the primary focus for implementing effective cybersecurity measures in products, services and systems. They can provide procedures that address generic and vertical-specific cybersecurity requirements.
Many product standards already include requirements that tackle cybersecurity. For example, the EU’s new Medical Device Regulation 2017/745 now mandates that information security requirements be covered, and the US’s AAMI TIR 57 proposes a risk management process for cybersecurity risks using the ISO 14971 methodology.
The urgent need for better medical device security has been underpinned in recent years by several instances of hacking, most prominently involving pacemakers and insulin pumps.
Regulators are pushing manufacturers and suppliers to consider cybersecurity throughout a product’s life cycle and will accordingly require evidence of pre- and post-market cybersecurity measures. This is explicitly requested in the new EU Medical Device Regulation 2017/745, coming into effect in 2020, and is already an implicit requirement of ISO 14971, Medical Devices – Application of risk management to medical devices.
Furthermore, the European Cybersecurity Act and the General Data Protection Regulation are increasing the pressure to introduce security certification for products that are:
- Handling personally identifiable information (PII)
- Confronted with safety risks induced by cybersecurity threats
- Implemented in critical infrastructure systems such as hospital IT systems
It is expected that medical products and systems will be among the first products to fall under stringent new European cybersecurity regulations.
In the US, the FDA may begin to request cybersecurity protection evidence during product approvals. Accordingly, guidance documents were issued in 2016: “Premarket Submissions for Management of Cybersecurity in Medical Devices” and “Postmarket Management of Cybersecurity in Medical Devices”.
Consumer Electronics and Appliances
The Internet of Things (IoT) is reaching every aspect of our daily lives. Connected consumer devices, appliances, and related online services that have a weak cybersecurity concept can be easily compromised. Devices infected by malicious software put data privacy at risk or allow unauthorized access to consumer networks. Such manipulated devices can also be integrated into botnets controlled by hackers and used as platforms to orchestrate distributed denial of service attacks against the internet servers of companies, service providers, governmental agencies or operators of critical infrastructure. This is already happening on a daily basis.
Product security certification helps ensure products comply with cybersecurity requirements and data privacy regulations. This includes the need to update and maintain security implementations once a product is in the field. As a consequence of the European Cybersecurity Act, it is expected that in the medium term CE marking will mandate product security certification and market surveillance activities for product families with corresponding cybersecurity risk exposure.
In 2018, SGS began amalgamating all its existing cybersecurity capabilities under a single umbrella – Digital Trust Services (DTS). DTS covers four cybersecurity areas:
By concentrating its existing capabilities within one unit, SGS aims to offer a world-leading cybersecurity service that can be utilized by customers across all global industries.
For the medical device industry, DTS offers:
- Cybersecurity assessment to ISO 14971 – offering risk management reviews/audits where security threats are generating safety risks requiring mitigation
- Audits connected to the new EU Medical Device Regulation
- Product security assessment and certification based on new vertical-agnostic lightweight security certification schemes tailored to meet the requirements of the industry:
  - For example: LINCE introduced by CCN in Spain and BSZ introduced by BSI in Germany
- FDA-recognized cybersecurity testing per UL 2900 standards – accepted as evidence for product approvals
- Certification of Information Security Management Systems according to the ISO/IEC 270xx family of standards
- IT Security Certification for Industrial Automation and Control Systems according to the IEC 62443 family of standards
With a CyberLab in Madrid, Spain, and the new CyberLab opening in Graz, Austria, SGS provides cybersecurity evaluation and certification services to stakeholders around the world. Our high-tech laboratories and global network provide specialist cybersecurity testing and certification services for digital products, networked systems and online services.
Cybersecurity is now a fundamental requirement to be considered during product definition, development, deployment and maintenance. It must be reflected in pre- and post-market planning, and must operate across organizations, people, networks and supply chains. SGS DTS provides a one-stop-shop approach for all cybersecurity certification matters, offering a comprehensive range of services to help manufacturers and suppliers comply with international, national and industry standards.
For more information, please contact:
Head of Marketing & Sales, Secure Products & Systems
t: +43 664 88210582