The S+C Security Story
Steelcase has been working on Internet of Things (IoT) and IIoT (Industrial Internet of Things) security architecture since 2014 and cloud computing security architecture for a decade.
In 2016 we began a security program for Smart & Connected products based on our Board of Directors’ imperative of protecting our customers and our 106-year-old brand reputation by building new technology products with security by design and privacy by design. While Steelcase has had a dedicated corporate IT security staff and program for decades, we knew that we would need to bring in more talent and expertise to rise to the challenge. New roles we created in our IT security organization included cloud security architect, security program architect, application security engineer and privacy engineer all focused on our S&C products.
We broadly group our S+C security program into three areas:
- Development
- Operations
- Compliance
Development
Once software and hardware go into the development and build phase, we use a variety of tools to check for security vulnerabilities and license restrictions in our code. We use a commercial static code analysis tool to validate custom code, a commercial Kubernetes container security tool to validate containerized code used for microservices, and a commercial software composition analysis tool to check license restrictions and vulnerabilities in the open source software we use. These tools are used just prior to the first release of a product, at the time of each following release and then monthly as required. As an agile software development shop, we integrate these security scanning tools into our release pipeline and our Kubernetes environment to ensure early detection of security issues. Prior to final release, system configurations are checked and a final risk review is conducted. Steelcase uses a trusted 3rd party penetration testing firm to further evaluate new S&C products we are releasing.
Operations
Once we have developed new products, our security work enters a new phase of technical operations. Steelcase requires updated static code analysis and software composition analysis scanning prior to each release and on a monthly cadence. We run monthly scans against Steelcase software to detect new vulnerabilities in the National Vulnerability Database and new vulnerabilities supported by our security tool vendors. For our Kubernetes and container security, our tool is a near-real-time continuous monitoring package. Our source code is also protected by enterprise-class repositories that require strong authentication for access to prevent tampering.

Our cloud platform is at the heart of our value proposition, and we ensure that our customer data and connected systems are protected by using automated security tools such as security templates in Azure and automated patching of servers. We further validate these systems with regular (quarterly or better) vulnerability scans and annual 3rd party pen tests of the system. Steelcase uses security event probes throughout our cloud platform. We also use a series of 3rd party security infrastructure appliances such as Web Application Firewalls, IPS (Intrusion Prevention Service) and firewalls, and event logging systems. Azure-based servers also run 3rd party antivirus protection, and all security events are monitored 24x7 by a US-based 3rd party Security Operations Center.

Customer-premises systems (gateways and sensors) are monitored for operations and, if needed, security patches are pushed from our cloud platform to the devices using OTA (Over the Air) updates, which do not require customer intervention. Customers are also able to monitor the status of equipment through our cloud portal. The on-premises device architecture does not permit local access to the gateways or sensors, and the devices do not listen for services other than DHCP (for obtaining a local IP address) and DNS responses.
Compliance
Our third area covers compliance, which is primarily focused on privacy controls and monitoring as well as annual third-party auditing. Our privacy practice is based on a corporate policy of stringent personal information protection based on the EU GDPR (General Data Protection Regulation) for all customer and employee information globally. S&C products and contracts are reviewed by our dedicated legal privacy staff and protected in consultation with our technical privacy engineer. The process starts with a privacy review and PIA (Privacy Impact Analysis) and continues through development and operations with testing and monitoring of sensitive information. As part of our complete ‘lifecycle management’ approach, when a system is shut down or disposed of, all customer data is deleted or destroyed. While we have very talented staff and partners, we use another ‘set of eyes’ to oversee our processes and controls. For this we are working towards the SOC 2 Type 2 audit standard for an annual report on our security and privacy controls. In 2018 we started working on the security principle audit for Steelcase Workplace Advisor and Find. Since audits rely on a history of data and controls, it takes months of data collection after the controls are reviewed to generate an initial report. Since our products deal with personal data, we will build the privacy principle reports as we prepare to collect and process that data.
While these measures are considered best-of-class security practices, the security landscape is always changing and presenting new challenges. Our architects stay on alert for new risks and threats, and we continually evaluate the effectiveness of our program.
Steelcase S+C Security Features
Does our competition provide these features?
Many of the IoT products on the market are ‘consumer grade’ and often make the headlines due to poor security controls and a consumer market that does not understand security. Here is a set of security features that quickly show our capabilities:
Our IoT devices are hardened
Each of our device types has been penetration tested for vulnerabilities by 3rd party specialists.
Device credentials are unique keys
There is no direct login to our devices. All devices use a unique key, which is used to communicate securely with our platform through an encrypted connection. Keys are pre-provisioned in our manufacturing facilities and pre-programmed to lock down communication to customer-specific devices.
Operating System & Firmware Updates
Newer Steelcase products such as WPA Subscription and the newest generation RoomWizard are updated using automated solutions that allow the devices to be updated by Steelcase without requiring customers to take on the task of updating the devices.
No configuration
There is no concern about security misconfiguration by the customer. All the systems are pre-provisioned to work out of the box based on an implementation plan engineered in advance.
Wireless Security
In all our products, any wireless interface that is not being used is disabled at the OS level. For those products that require wireless communication, such as the communication between our wireless gateways and passive infrared sensors, we use a multi-level security scheme which helps us keep data private and secure. Level one is BLE (Bluetooth Low Energy) itself, which provides a means to set up an encrypted connection between sensor and gateway. Level two sits on top of that: before we get data from the sensor, the sensor and gateway go through a challenge-response authentication step using a unique key exchange between sensor and cloud, in both directions. Only once that passes do we get access to the actual occupancy/other data on the sensor (e.g. Public/Secure world).
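The page does not spell out the handshake, so the following is an added illustration (not Steelcase code) of the level-two idea: a mutual challenge-response between sensor and gateway, where each side proves possession of the sensor's unique key before any occupancy data is released. It assumes symmetric per-device keys that the gateway obtains from a cloud key store (`CLOUD_KEY_STORE` is a constructed placeholder filled with random bytes, not real provisioned keys), HMAC-SHA256 as the proof, and role labels in the HMAC input so a captured sensor response cannot be reflected back as a gateway response.

```python
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

# Constructed placeholder for the cloud-side key store populated at factory
# provisioning. Random bytes are used here so nothing real is embedded.
CLOUD_KEY_STORE = {
    "sensor-0001": secrets.token_bytes(32),
    "sensor-0002": secrets.token_bytes(32),
}

NONCE_LEN = 16


def _tag(key: bytes, role: bytes, challenge: bytes, response_nonce: bytes) -> bytes:
    """HMAC-SHA256 over a role label plus both nonces.
    The label ("sensor" / "gateway") separates the two directions so a
    recorded sensor answer is never a valid gateway answer."""
    return hmac.new(key, role + challenge + response_nonce, hashlib.sha256).digest()


class Sensor:
    """A sensor holding only its own provisioned key (assumed design)."""

    def __init__(self, sensor_id: str, key: bytes) -> None:
        self.sensor_id = sensor_id
        self._key = key
        self._my_nonce: Optional[bytes] = None
        self._gw_nonce: Optional[bytes] = None
        self.authenticated = False

    def answer_challenge(self, gw_nonce: bytes) -> Tuple[bytes, bytes]:
        """Step 2: prove key possession and issue our own challenge back."""
        self._gw_nonce = gw_nonce
        self._my_nonce = secrets.token_bytes(NONCE_LEN)
        return self._my_nonce, _tag(self._key, b"sensor", gw_nonce, self._my_nonce)

    def verify_gateway(self, gw_tag: bytes) -> bool:
        """Step 4: the gateway must answer our nonce with the same key."""
        expected = _tag(self._key, b"gateway", self._my_nonce, self._gw_nonce)
        self.authenticated = hmac.compare_digest(expected, gw_tag)
        return self.authenticated

    def read_occupancy(self) -> Optional[int]:
        """Data is released only after mutual authentication succeeded."""
        if not self.authenticated:
            return None
        return 1  # constructed reading: "occupied"


class Gateway:
    """Gateway that resolves the sensor's key through the cloud key store."""

    def __init__(self, key_lookup) -> None:
        self._key_lookup = key_lookup

    def authenticate(self, sensor: Sensor) -> bool:
        key = self._key_lookup(sensor.sensor_id)
        if key is None:                                    # unknown device
            return False
        gw_nonce = secrets.token_bytes(NONCE_LEN)          # step 1: challenge
        sensor_nonce, sensor_tag = sensor.answer_challenge(gw_nonce)  # step 2
        expected = _tag(key, b"sensor", gw_nonce, sensor_nonce)
        if not hmac.compare_digest(expected, sensor_tag):  # step 3: verify sensor
            return False
        gw_tag = _tag(key, b"gateway", sensor_nonce, gw_nonce)
        return sensor.verify_gateway(gw_tag)               # step 4: sensor verifies us


def run_handshake(sensor_id: str, sensor_key: bytes) -> Optional[int]:
    """Drive one full exchange; return the reading, or None if either side failed."""
    sensor = Sensor(sensor_id, sensor_key)
    gateway = Gateway(CLOUD_KEY_STORE.get)
    if not gateway.authenticate(sensor):
        return None
    return sensor.read_occupancy()


if __name__ == "__main__":
    print(run_handshake("sensor-0001", CLOUD_KEY_STORE["sensor-0001"]))  # genuine device
    print(run_handshake("sensor-0001", secrets.token_bytes(32)))          # wrong key
    print(run_handshake("sensor-9999", secrets.token_bytes(32)))          # unknown id
```

The two failure branches matter as much as the success path: a device with the wrong key and a device id the cloud has never provisioned both stop before any data is read, and `hmac.compare_digest` keeps the comparison constant-time.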
Our next generation of IoT devices will incorporate BLE MESH and we'll use MESH's built-in security mechanisms, which are also multi-tiered. More on MESH security can be found here:
https://www.bluetooth.com/blog/bluetooth-mesh-security-overview/
Secure communications
Enterprises expect that gateways which talk to sensors and actuators through a Bluetooth network or LAN are secure and do not put sensitive data at risk. This is both a security and privacy imperative. Steelcase uses encryption on all sensitive communication.
User credentials
All user access is handled by a Microsoft PaaS (Platform as a Service) through Azure Active Directory which supports enterprise Single Sign On (SSO). This means that Steelcase does not have access to customer passwords but relies on Microsoft to handle authentication. Role based access control ensures that each customer can only see their own data and that the customer can grant privileges to their own users as they see fit.
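As an added illustration (not Steelcase's code) of the tenant-scoped role-based access control described above, the sketch below models what the application sees after the identity provider has authenticated a user: a verified principal carrying a tenant id and a role, never a password. Role assignments are keyed by tenant, every data query is filtered by the caller's tenant, and a customer admin can grant roles only inside their own tenant. Role names, the data shape and the sample rows are constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Role -> permissions. Constructed for the example; the page names no role set.
ROLE_PERMISSIONS = {
    "viewer": {"read_data"},
    "admin": {"read_data", "grant_role"},
}


@dataclass(frozen=True)
class Principal:
    """Caller identity after the identity provider has done the authentication.
    The application maps the token subject to a tenant and a role; it never
    handles credentials itself."""
    user_id: str
    tenant_id: str
    role: str


@dataclass(frozen=True)
class Reading:
    tenant_id: str
    device_id: str
    occupancy: int


class PermissionDenied(Exception):
    pass


class TenantDirectory:
    """Role assignments keyed by (tenant, user) so no role is ever global."""

    def __init__(self) -> None:
        self._roles: Dict[Tuple[str, str], str] = {}

    def bootstrap_admin(self, tenant_id: str, user_id: str) -> None:
        """Provider-side step when a customer is onboarded (assumed)."""
        self._roles[(tenant_id, user_id)] = "admin"

    def grant(self, actor: Principal, target_user: str, role: str) -> None:
        """A customer admin grants a role, but only inside their own tenant."""
        if "grant_role" not in ROLE_PERMISSIONS.get(actor.role, set()):
            raise PermissionDenied(f"{actor.user_id} may not grant roles")
        if role not in ROLE_PERMISSIONS:
            raise ValueError(f"unknown role {role}")
        # The tenant comes from the verified principal, never from the request,
        # so an admin of tenant A has no way to name tenant B as the target.
        self._roles[(actor.tenant_id, target_user)] = role

    def resolve(self, user_id: str, tenant_id: str) -> Optional[Principal]:
        role = self._roles.get((tenant_id, user_id))
        return Principal(user_id, tenant_id, role) if role else None


def readings_for(actor: Principal, store: List[Reading]) -> List[Reading]:
    """Every read is filtered by the caller's tenant; there is no unscoped query."""
    if "read_data" not in ROLE_PERMISSIONS.get(actor.role, set()):
        raise PermissionDenied(f"{actor.user_id} may not read data")
    return [r for r in store if r.tenant_id == actor.tenant_id]


def demo() -> Tuple[int, int, bool]:
    """Returns (rows visible to tenant A's admin, rows visible to a tenant B viewer,
    whether a grant made by tenant A's admin became visible in tenant B)."""
    store = [  # constructed sample rows
        Reading("tenant-a", "sensor-1", 1),
        Reading("tenant-a", "sensor-2", 0),
        Reading("tenant-b", "sensor-3", 1),
    ]
    directory = TenantDirectory()
    directory.bootstrap_admin("tenant-a", "alice")
    directory.bootstrap_admin("tenant-b", "bob")
    alice = directory.resolve("alice", "tenant-a")
    directory.grant(alice, "carol", "viewer")           # carol: viewer in tenant A only
    carol_in_b = directory.resolve("carol", "tenant-b")  # None: nothing leaked across
    bob = directory.resolve("bob", "tenant-b")
    directory.grant(bob, "dave", "viewer")
    dave = directory.resolve("dave", "tenant-b")
    return len(readings_for(alice, store)), len(readings_for(dave, store)), carol_in_b is not None


if __name__ == "__main__":
    print(demo())  # (2, 1, False)
```

The design point is that the tenant id is taken from the authenticated principal and applied on every path (grant and read), so the "each customer sees only their own data" property does not depend on callers passing the right tenant in a request.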
IoT is part of a service
We will have a SOC 2 Type 2 report; these are an evolution of the SSAE16 audit reports but feature 5 service principles (all but the security principle are optional). The SOC 2 will reveal many of the capabilities of a service provider, from risk management and business continuity planning to change management practices and patching. The Type 2 report goes beyond the review of the design (Type 1) and reviews the operational effectiveness of the existing controls for each principle.
Enterprises are not equipped to monitor IoT devices
We actively monitor devices not just for operation and health but also for security status. Steelcase has dedicated security staff to process alerts 24x7 and escalate security incidents to security experts. A security incident response program is part of our program.
Vulnerability management
Steelcase scans our products monthly and prior to each release and uses continuous monitoring tools where possible. This includes the entire product ecosystem, from the code to the running cloud services to annual penetration testing. Issues that are discovered are evaluated and logged for remediation.
Penetration Testing
Steelcase employs 3rd party penetration test vendors for our products. This is done at the end of the initial development and on a regular basis thereafter. It is surprising how many providers have never done this; many are startups that simply do not have the resources and capital to invest heavily in security. This additional care tends to separate consumer-grade devices from enterprise-grade devices.