Steffen Zimmermann (Germany), the responsible project leader for the development of ISO 22384, explains the need for such a guidance on “Product Security”:
"The increased level of interconnection of the global economy, the growing availability of complex manufacturing processes and protectionist efforts lead to a growing motivation of and ability for product-related threats. Innovative, competitive or market-leading manufacturers face physical and digital attacks on all levels of a product’s life. Products such as medical devices, IoT sensors, or even complex machinery equipment are increasingly at risk of getting re-engineered, hacked or even integrated into IoT botnets.
An example of a faked and malfunctioning medical device is emergency ventilators, which are widely used for COVID-19 patients. The air pressure given to patients is crucial in emergency conditions – but unfortunately, faked medical devices have been found in various ambulances. These specific counterfeits cannot provide sufficient air pressure, which could lead to patients dying from insufficient oxygen levels. Additionally, the tubes do not fulfil the material requirements for medical use."
Cyber-physical threats arise
The increased level of interconnection of the global economy, the growing availability of complex manufacturing processes and the global digital transformation lead to a growing motivation of and ability for product-related cyber threats.
Product-related threats affect the whole supply chain - manufacturers, distributors, service providers and consumers - in many ways: from dangers to HSSE (health, safety, security and environment), to loss of jobs and tax revenue, to decreased sales and reputational damage for the organisations facing successful attacks on their product portfolio. Copycats can even overtake OEMs and eventually buy them up.
Plan and implement protection
Measures taken by affected organisations are often reactive, uncoordinated, or even mutually contradictory. A sustainable approach requires an established, project-oriented methodology for assessing the product security-related threats, risks and countermeasures that arise throughout the product life cycle.
ISO 22384 gives guidelines for assessing product security-related threats, risks and countermeasures by developing a suitable protection plan, supporting its implementation and monitoring its effectiveness after implementation. This includes considering impacts on and modifications to, for example, the product life cycle, supply chain, manufacturing, data management, brand perception and costs, so that the protection plan can be adapted accordingly.
ISO 22384 is applicable to all types and sizes of organizations that want to ensure authenticity and integrity to support the trustworthiness of products, including documents, data and services related to products. It supports organizations setting up a process to assess risks and to select and combine individual measures for developing a product protection plan. The standard was developed in Working Group 4 "Authenticity, Integrity and Trust for Products and Documents" of TC 292 "Security and resilience".
ISO 22384:2020, Security and resilience – Authenticity, integrity and trust for products and documents – Guidelines to establish and monitor a protection plan and its implementation, is available from ISO national member institutes. It may also be obtained directly from the ISO Central Secretariat, either through the ISO Store or by contacting the Marketing, Communication & Information department.