How Carrier’s Product Security Team Provides the “Right Support for the Right Product”

John Deskurakis got a greenfield opportunity when he started as Director of Product Safety in April 2020 at Carrier Global Corp.

United Technologies, which had spun off Carrier, took with it the existing product security function. This gave Deskurakis the ability to create an entirely new program capable of meeting the unique security needs of each of Carrier’s product lines.

“We didn’t want to replicate what United Technologies was doing, because it was focused on aerospace. We wanted to focus more on our specific areas because our products are different, our customers are different, they have different needs than aerospace,” he says. “So we decided to rebuild the capabilities to meet the diverse needs of our Carrier customers, to think about the best outcome for end users.”

The question then became how best to do this for a company that manufactures a wide selection of products with varying security risks.

This is what Deskurakis set out to solve.

Securing a wide range of products against various risks

Carrier, one of the most recognizable brands in the HVAC space, has more than 80 branded companies manufacturing thousands of complex components, products and systems. Its products include industrial control systems, building management systems, automation systems, smoke detectors and commercial refrigeration, with some products considered part of the nation’s critical infrastructure.

The company manufactures operational technology, firmware and software.

Like other manufacturers, Carrier has added digital technologies to its mechanical products, connecting them to the internet and making them “smart” in the process, but also exposing them to potential cyberattacks.

“Anything digitally connected could be attacked, could be exploited,” Deskurakis says. “So when we build these more advanced designs, we have to think about securing them. We have to not just think about it, we have to execute.”

As such, Deskurakis and his Global Product Cybersecurity (GPC) team must help ensure a product’s operational integrity as well as protect it from bad actors seeking to hack into a product’s digital systems, whether the purpose is to use Carrier products as conduits into the company’s central systems or to interfere with the actual operation of the product.

“We are focused on securing all the things we ship to customers. And the more components you have, the more systems, the more complex, the more you need a product security team,” Deskurakis says.

There’s a lot at stake, as product security flaws could have catastrophic consequences, he says.

For example, one of Carrier’s business lines manufactures transport refrigeration equipment and cold chain tracking and monitoring solutions to keep items, including vaccines, cool as they travel around the world.

The company also makes smart smoke and carbon monoxide detectors with indoor air quality monitors.

“The right support for the right product”

According to Deskurakis, Carrier needs a product security function that spans the company’s extensive product line and provides security throughout each product’s lifecycle.

In other words, he wanted a security program that would ensure secure product development, secure product operations, and cybersecurity innovation.

To achieve this, Deskurakis developed the Dynamic Secure Product Development & Support Lifecycle Framework, a set of principles and philosophies that sets security goals across all of Carrier’s business lines and defines how those goals will be achieved.

The initiative, which earned the company a 2022 CSO 50 award, aims to provide all of Carrier’s revenue-generating manufactured products and services with security by design, standards-based governance, continuous improvement and innovation, differentiation and mission success for customers, partners and end users, says Deskurakis.

Deskurakis says it ensures standard security outcomes for all brands, while being flexible so their achievement can be tailored to unique product development processes and the products themselves.

“That’s why we use the dynamic [in its name]. We adapt to use the right medium for the right product,” he says, explaining that a shipping container that needs to maintain sub-zero temperatures has “a different problem” than a physical access control system in a building. “So we need to have a global standard for all of our businesses, but one that can be adapted to meet each of their diverse needs.”

Yet, he says, “the overall goal of the program is to orchestrate and deliver security offerings throughout the product lifecycle. Our main objective is to offer safe and secure offers.”

Deskurakis says the initiative doesn’t just define outcomes; it also establishes how the GPC team will achieve them.

For example, it takes a high degree of collaboration and coordination between certain teams to build security into products during the design phase itself.

“We are focused on designing for security, but security architects, who are the backbone in this area, cannot do their job without information, such as threat intelligence, from security product operations. Architects get threat intelligence from security operations managers so they can redesign existing systems or design one under construction in a different way [to withstand known threats],” says Deskurakis. “And operations cannot operate in silos; they cannot function without the support of architects, who help them investigate security incidents. So they really work together even though they do two very different jobs.”

The initiative also underscores the need for continuous improvement and innovation in cybersecurity, allowing the GPC team to focus on solving today’s complex problems and delivering next-generation solutions to counter the threats of tomorrow.

Shared responsibility

Deskurakis says it took work to get all stakeholders on board with this new approach.

“A challenge with any change is what I call institutional thinking – the idea that we have to do it this way because that’s how we’ve always done it,” he says, noting that he encountered this institutional thinking in pockets of the company. “They were used to doing things a certain way.”

Deskurakis and his team worked to win them over by spending time with Carrier’s various business areas, learning from them, and showing them how increased security could improve products.

“This way took time and a lot more conversations [than mandating change], but in the end it was easier to get it adopted,” he adds.

Today, Deskurakis and the GPC team use a federated operations model to ensure they can extend the Dynamic Secure Product Development & Support Lifecycle Framework to all lines of business and all of their products.

“It wouldn’t work well if we just created a process and said, ‘Here’s what you should do.’ What they need is direct support,” he says, noting that product development teams and engineers typically don’t have cybersecurity expertise.

He explains that some of Carrier’s businesses have dedicated security staff, but GPC is a centralized function with its own staff that works with all businesses and product teams as needed.

“We engage with them as if we were part of the team, so it becomes a shared responsibility, but since we can’t do all the fishing on our own, we teach them how to fish,” he says. “My team is there to coach, teach and solve problems. And the more we work with all teams, the more we can improve on safety.”

Copyright © 2022 IDG Communications, Inc.