As a trusted partner of our customers, Schneider Electric brings world-leading expertise to integrated, end-to-end lifecycle industrial IoT solutions in smart industries, resilient infrastructure, future-proof data centers, intelligent buildings, and intuitive homes.
A key factor in the trust our customers place in us is our understanding of how our solutions support the security posture of their environments. In product development, for example, we aim for our products not only to meet our customers’ performance expectations but also to play a part in protecting their security.
That’s why our Secure Development Lifecycle (SDL) process is driven by the mantra “secure-by-design.” Because security is a fundamental part of our solutions, we integrate it throughout the product lifecycle and proactively identify and address potential risks along the way.
Secure-by-design starts with committed support throughout the company
Within Schneider Electric, secure-by-design is implemented using a process called the product security maturity model (PSMM). This is used to evaluate maturity across the critical vectors essential to a successful product security program.
Through this process, our developers gain an understanding of what is required to deliver secure solutions that our customers can trust. We work diligently to formally document and review these requirements and confirm that we have the right ones in place to provide our customers with the components they need to build secure systems. Our developers also use tools that drive greater efficiency so they can achieve the most impact for their efforts.
Compliance with standards is core to our approach
Schneider Electric’s secure-by-design SDL approach is built upon several industry standards that assure our customers we have a complete and formal process for managing the security of our products – and not just because we say so. By achieving certifications for these standards, we prove we meet the requirements of the standards. Our continued compliance is also proven through annual audits by recognized independent third-party assessors.
One of the company’s primary certifications is the ISA/IEC 62443 standard, which provides guidance for securing industrial automation and control systems. As part of this, our SDL process complies with ISA/IEC 62443-4-1, which provides governance for SDL requirements.
Schneider Electric was the first company to achieve the ISA/IEC 62443-4-1 certification of our SDL process several years ago, and in 2022, we became the first company to achieve Maturity Level 4. We also hold three other independent certifications based on the ISA/IEC 62443-4-1 standard: TÜV Rheinland Cybersecurity Management (CSM), ISASecure Security Development Lifecycle Assurance 3.0.0, and IECEE Certification Body. Our annual audits help us continually validate our SDL process to make sure we are always improving.
Validating and verifying are equally important
While certifying our SDL process is important, our concern for the security of our customers’ solutions doesn’t stop there. We also validate and verify each individual requirement to be sure our products meet the intended level of security. When we deliver systems, we want our customers to feel confident that the security designed and built into those systems makes them robust against cyberattack.
Key to this assurance are the validation and verification processes that we use throughout the lifecycle of our products.
- Validation: Our validation process reinforces that we have built in the best security possible to defend against potential attack. Conducted with thorough threat intelligence, detailed design reviews, and threat modeling, this process confirms our products are designed to meet customers’ needs and that they perform securely in our customers’ use cases.
- Verification: Through a verification process, we test to be sure that our products operate as designed. We go through extensive unit testing and penetration testing to ensure the security mechanisms we built work as designed. Using both standard security testing and various attack methods, we try things that should work and things that absolutely should not. Our CREST-certified penetration testing laboratories then spend weeks trying to get past our security features, using advanced world-class tools and techniques available in our three global labs. Issues found during this phase of testing identify what an attacker could achieve in the real world – and then we address those issues appropriately prior to the product shipping.
We recognize vulnerabilities and address them promptly
As hard as any organization can work to avoid vulnerabilities, they can and do happen. How a company responds and supports customers under these circumstances is a critical part of the customer experience.
We understand that vulnerabilities in a customer’s solution can be unsettling. It’s important that we appreciate this and are responsive. During our vulnerability management process, we involve the talent and stakeholders who can help us react swiftly, but with the care that addressing the issues demands.
The vulnerability management portion of Schneider Electric’s SDL process is independently certified to the ISO/IEC 29147:2018 and ISO/IEC 30111:2019 standards, which affirms and proves our commitment to addressing vulnerabilities affecting our products and protecting our customers.
To Schneider Electric, and our customers, trust is everything
As mentioned earlier, customer trust is critically important to Schneider Electric, and we have woven trust-building measures into our company fabric by recognizing that product security is an essential business imperative for us, our ecosystem, and the industry at large.
We diligently work to safeguard our customers’ installations through our secure-by-design approach. We recognize that this is a continuous process, and as cybersecurity threat actors and their attacks evolve, so do we.