Product Security Program
The times when security could be an afterthought in product development are long behind us. Technology experts and leaders understand that security needs to be considered from the very beginning of the product creation process and addressed throughout the entire product lifecycle.
MiR operates a Product Security Program that ensures security is addressed at every step, from the idea for a product, through development and testing, to shipping it to our customers. The program extends beyond that as well: through securely operating the product for many years at our customers’ sites, up to secure decommissioning.
These are some, but by no means all, elements of the MiR Product Security Program:
Development encompasses multiple phases of the product’s lifecycle: everything from the concept phase to the release of a new product or product version. This is the most complex part of the product lifecycle: it is where the engineering activities are performed to make an idea become reality.
At MiR, we take several steps to ensure that we consistently deliver highly secure products which meet our customers’ needs for operating secure enterprise networks and industrial automation systems. Some of the most prominent include:
- Following the IEC 62443 standard for Industrial Automation and Control System security
- Conducting threat modeling as part of every product and feature design
- Following secure design principles
- Following secure coding guidelines
- Conducting a wide range of automated security scanning and testing
- Conducting external penetration tests
All security findings, regardless of their source, are subject to a rigorous risk management process. We thoroughly assess the customer risk associated with a finding and take the appropriate risk response actions.
Security improvements are part of most MiR software releases, and where prompt actions are necessary, customers are contacted immediately and security patches are released as soon as possible.
MiR follows a formalized security patching strategy for all our products, so that the patching process is reproducible, efficient, and effective.
A patch release can be triggered by several things. One of these triggers is a newly discovered vulnerability in a third-party dependency. As part of our supply chain security controls, we actively monitor all our dependencies for vulnerabilities, and triage issues immediately upon discovery.