
Mary K. Pratt
Contributing writer

How Carrier’s product security team delivers the ‘right support for the right product’

Feature
Aug 29, 2022 | 6 mins
Critical Infrastructure | CSO50 | Manufacturing Industry

Carrier CPSO John Deskurakis developed a framework for product security that works for the lifecycle of all products across all business lines

John Deskurakis, Chief Product Security Officer (CPSO), Carrier Global Corp.
Credit: Carrier Global Corp.

John Deskurakis had a greenfield opportunity when he stepped into the role of chief product security officer at Carrier Global Corp. in April 2020.

United Technologies, which had spun off Carrier, took the existing product security function with it. That gave Deskurakis the chance to build an entirely new program—one that could meet the unique security needs of each of Carrier’s product lines.

“We didn’t want to replicate what United Technologies was doing, because it was focused on aerospace. We wanted to focus more on our specific areas because our products are different, our customers are different, they have different needs than aerospace,” he says. “So we decided to rebuild the capabilities to suit the diverse needs of our Carrier customers, to think about what’s the best outcome for the end users.”

The question then became how best to do that for a company that makes a wide selection of products with varying security risks.

That’s what Deskurakis set out to solve.

Securing an extensive product line against varying risks

Carrier, one of the most recognizable brands in the HVAC space, has more than 80 brand businesses manufacturing thousands of components, products, and complex systems. Its products include industrial control systems, building management systems, automation systems, smoke detectors and commercial refrigeration, with some products considered part of the nation’s critical infrastructure.

The company makes operational technology, firmware, and software.

Like other manufacturers, Carrier has been adding digital technologies to its mechanical products, connecting them to the internet and making them “smart” in the process—and exposing them to potential cyberattacks.

“Anything that gets digitally connected could be attacked, could be exploited,” Deskurakis says. “So when we build these more advanced designs, we have to think about securing them. We have to not just think about it, we have to execute.”

As such, Deskurakis and his Global Product Cybersecurity (GPC) team must help ensure a product’s operational integrity as well as secure it against bad actors seeking to break into the product’s digital systems—regardless of whether the goal is to use Carrier products as conduits into core enterprise systems or to disrupt the product’s actual operation.

“We’re focused on securing all the things we ship to customers. And the more components you have, the more systems, the more complex it is, the more you need a product security team,” Deskurakis says.

There’s a lot at stake, as product security breaches could have catastrophic consequences, he says.

For example, one of the Carrier business lines makes transport refrigeration equipment and cold chain tracking and monitoring solutions to keep items, including vaccines, cold as they make their way around the globe.

The company also makes smart smoke and carbon monoxide detectors with indoor air quality monitors.

‘The right support for the right product’

Deskurakis says Carrier requires a product security function that delivers across the company’s wide range of products and covers each product’s entire lifecycle.

In other words, he wanted a security program that would ensure secure product development, secure product operations, and cybersecurity innovation.

To achieve this, Deskurakis developed the Dynamic Secure Product Development & Support Lifecycle framework, a set of principles and philosophies that establishes security objectives across all business lines and how they’re going to achieve them.

The initiative, which earned the company a 2022 CSO 50 award, is meant to bring security by design, standards-based governance, continuous improvement and innovation, and differentiation and mission success for customers, partners and users to all of Carrier’s revenue-generating manufactured products and services, Deskurakis explains.

Deskurakis says it ensures standard security outcomes across the brands, yet it is flexible enough that the way those outcomes are achieved can be tailored to each business’s product development processes and to the products themselves.

“This is why we use dynamic [in its name]. We flex to use the right support for the right product,” he says, explaining that a shipping container that needs to maintain subzero temperatures has “a different problem statement” than a physical access control system within a building. “So we have to have a global standard for all our businesses, but one that can be tailored to meet each of their diverse needs.”

Still, he says, “The overall goal of the program is to orchestrate and deliver security offerings throughout the product lifecycle. Our main objective is safe and secure offerings.”

Deskurakis says the initiative doesn’t just define outcomes; it also establishes how the GPC team will achieve them.

For instance, it requires a high degree of collaboration and coordination among certain teams to embed security into products during the design phase itself.

“We focus on designing for security, but security architects—who are the mainstay in this area—can’t do their job without information, such as threat intelligence, from security product operations. Architects get threat intel from the security operations folks so they can redesign existing systems or design one in build in a different way [to withstand known threats],” Deskurakis explains. “And operations can’t function in a silo; they can’t function without the support of architects, who help them investigate security incidents. So they’re really working together even as they’re doing two distinctly different jobs.”

The initiative also stresses the need for continuous improvement and cybersecurity innovation, which keeps the GPC team focused on solving today’s complex problems and also providing next-generation solutions to counter tomorrow’s threats.

Shared responsibility

Deskurakis says it took some work to get all stakeholders onboard with this new approach.

“One challenge with any change is what I refer to as institutional thinking—the idea that we need to do it this way because this is how we’ve always done it,” he says, noting that he encountered that institutional thinking in pockets. “They were accustomed to doing things in a certain way.”

Deskurakis and his team worked to win them over by spending time with the various Carrier business lines, learning from them and showing them how increased security could improve products.

“This way took time and far more conversations [than mandating change] but in the end it was easier to have it adopted,” he adds.

Today Deskurakis and the GPC team use a federated operations model to ensure they can extend the Dynamic Secure Product Development & Support Lifecycle framework to all business lines and all of their products.

“It wouldn’t work well if we just created a process and said, ‘This is what you should do.’ What they need is direct support,” he says, noting that product development teams and engineers don’t typically have cybersecurity expertise.

He explains that some of the Carrier businesses do have dedicated security personnel, but GPC is a centralized function with its own staff who work with all the businesses and product teams as needed.

“We get involved with them as if we’re part of the team so it becomes a shared responsibility, but because we can’t do all the fishing on our own, we teach them how to fish,” he says. “My team is there to mentor, teach, and solve problems. And the more we work with all the teams, the more advanced we can get with security.”