Carrier CPSO John Deskurakis developed a framework for product security that works for the lifecycle of all products across all business lines. Credit: Carrier Global Corp.

John Deskurakis had a green-field opportunity when he stepped into the role of chief product security officer in April 2020 at Carrier Global Corp. United Technologies, which had spun off Carrier, took the existing product security function with it. That gave Deskurakis the chance to build an entirely new program, one that could meet the unique security needs of each of Carrier’s product lines.

“We didn’t want to replicate what United Technologies was doing, because it was focused on aerospace. We wanted to focus more on our specific areas because our products are different, our customers are different, they have different needs than aerospace,” he says. “So we decided to rebuild the capabilities to suit the diverse needs of our Carrier customers, to think about what’s the best outcome for the end users.”

The question then became how best to do that for a company that makes a wide selection of products with varying security risks. That’s what Deskurakis set out to solve.

Securing an extensive product line against varying risks

Carrier, one of the most recognizable brands in the HVAC space, has more than 80 brand businesses manufacturing thousands of components, products, and complex systems. Its products include industrial control systems, building management systems, automation systems, smoke detectors and commercial refrigeration, with some products considered part of the nation’s critical infrastructure. The company makes operational technology, firmware, and software.

Like other manufacturers, Carrier has been adding digital technologies to its mechanical products, connecting them to the internet and making them “smart” in the process, and exposing them to potential cyberattacks.

“Anything that gets digitally connected could be attacked, could be exploited,” Deskurakis says. “So when we build these more advanced designs, we have to think about securing them. We have to not just think about it, we have to execute.”

As such, Deskurakis and his Global Product Cybersecurity (GPC) team must help ensure a product’s operational integrity as well as secure it against bad actors seeking to hack into the product’s digital systems, regardless of whether the goal is to use Carrier products as conduits into core enterprise systems or to disrupt the product’s actual operation.

“We’re focused on securing all the things we ship to customers. And the more components you have, the more systems, the more complex it is, the more you need a product security team,” Deskurakis says.

There’s a lot at stake, as product security breaches could have catastrophic consequences, he says. For example, one of the Carrier business lines makes transport refrigeration equipment and cold chain tracking and monitoring solutions to keep items, including vaccines, cold as they make their way around the globe. The company also makes smart smoke and carbon monoxide detectors with indoor air quality monitors.

‘The right support for the right product’

Deskurakis says Carrier requires a product security function that delivers across the company’s wide range of products and delivers security throughout each product’s lifecycle. In other words, he wanted a security program that would ensure secure product development, secure product operations, and cybersecurity innovation.

To achieve this, Deskurakis developed the Dynamic Secure Product Development & Support Lifecycle framework, a set of principles and philosophies that establishes security objectives across all business lines and how they’re going to be achieved.

The initiative, which earned the company a 2022 CSO 50 award, is meant to bring security by design, standards-based governance, continuous improvement and innovation, and differentiation and mission success for customers, partners and users to all Carrier revenue-generating manufactured products and services, Deskurakis explains.

He says it ensures standard security outcomes across the brands yet is also flexible, so achieving them can be tailored to the unique product development processes and to the products themselves.

“This is why we use dynamic [in its name]. We flex to use the right support for the right product,” he says, explaining that a shipping container that needs to maintain subzero temperatures has “a different problem statement” than a physical access control system within a building. “So we have to have a global standard for all our businesses, but one that can be tailored to meet each of their diverse needs.” Still, he says, “The overall goal of the program is to orchestrate and deliver security offerings throughout the product lifecycle. Our main objective is safe and secure offerings.”

Deskurakis says the initiative doesn’t just define outcomes; it also establishes how the GPC team will achieve them. For instance, it requires a high degree of collaboration and coordination among certain teams to embed security into products during the design phase itself.

“We focus on designing for security, but security architects—who are the mainstay in this area—can’t do their job without information, such as threat intelligence, from security product operations. Architects get threat intel from the security operations folks so they can redesign existing systems or design one in build in a different way [to withstand known threats],” Deskurakis explains. “And operations can’t function in a silo; they can’t function without the support of architects, who help them investigate security incidents. So they’re really working together even as they’re doing two distinctly different jobs.”

The initiative also stresses the need for continuous improvement and cybersecurity innovation, which keeps the GPC team focused on solving today’s complex problems while also providing next-generation solutions to counter tomorrow’s threats.

Shared responsibility

Deskurakis says it took some work to get all stakeholders on board with this new approach.

“One challenge with any change is what I refer to as institutional thinking—the idea that we need to do it this way because this is how we’ve always done it,” he says, noting that he encountered that institutional thinking in pockets. “They were accustomed to doing things in a certain way.”

Deskurakis and his team worked to win them over by spending time with the various Carrier business lines, learning from them and showing them how increased security could improve products.
“This way took time and far more conversations [than mandating change] but in the end it was easier to have it adopted,” he adds.

Today Deskurakis and the GPC team use a federated operations model to ensure they can extend the Dynamic Secure Product Development & Support Lifecycle framework to all business lines and all their products.

“It wouldn’t work well if we just created a process and said, ‘This is what you should do.’ What they need is direct support,” he says, noting that product development teams and engineers don’t typically have cybersecurity expertise.

He explains that some of the Carrier businesses do have dedicated security personnel, but GPC is a centralized function with its own staff who work with all the businesses and product teams as needed.

“We get involved with them as if we’re part of the team so it becomes a shared responsibility, but because we can’t do all the fishing on our own, we teach them how to fish,” he says. “My team is there to mentor, teach, and solve problems. And the more we work with all the teams, the more advanced we can get with security.”