September 7, 2023
The objective of this Product Security article is to explain Epiroc’s Product Security initiatives, practices, and functions to customers as well as to the internal organization in the Epiroc group.
This is not an exhaustive or detailed technical paper – rather our intention is to provide an overview of the scope of our security programs, and the processes we have developed to implement and maintain responsible, modern security practices in our internal environment and the digital solutions we develop.
The product security group has been established by Epiroc to lead and guide this process.
Product Security in a Nutshell
What we do
At Product Security we work with digital product owners and product development teams to understand the digital solutions we develop and provide help, advice, and guidance in cybersecurity related areas.
Our Mission Statement
Our mission is to maintain a secure data architecture and apply the proper IT security controls in the digital solutions our company develops.
Key principles
• Protect the End User
• Secure by design
• Fail safe/secure
• Balance Security and Usability
• Enforce Least-privilege
• Implement defense in depth
Today more and more devices are connected to the Internet. Industries and companies across the globe are going through the digital transformation of their products and services in the modern age.
As a leading productivity partner for the mining and construction industries Epiroc is increasingly providing customers with groundbreaking solutions within connectivity and digitalization. As this development gains momentum, Epiroc wants to keep its customers at the technical forefront and accelerate the digital transformation in all fields of their operations.
"Automation, digitalization and electrification are transforming mining into a much safer, more sustainable and profitable business. We want to make sure our customers have access to the right solutions that truly meet their current and future needs.[1]"
"We strive to be open and agnostic with our Digital Solutions. At the same time, we want to be a market leader in product safety. For this to happen we support and participate in many industry initiatives to improve Cybersecurity."
Epiroc’s Digital Solutions Division develops, implements, and maintains OEM-independent, modular and scalable digital solutions that deliver:
Safe and sustainable operations
Our digital solutions enable a holistic approach to safety and sustainability in the mining and construction industries, including ESG, automation, collision awareness and avoidance, and other products and services designed to keep people, equipment, and the environment safe.
Connected assets management
Solutions that deliver value by turning the data from your connected assets into actionable insight. Connecting your business to the possibilities of IoT in mining and construction.
Planning and scheduling
In mines and construction projects alike, effective planning and scheduling is a strategic driver of success. Our solutions enable seamless planning from the life of the project to the details of every shift.
Operational performance
Optimizing your operational performance requires effective short interval control with detailed oversight, asset health monitoring, and advanced solutions to solve production challenges as soon as they appear. Our products help customers to continuously improve safety, productivity and profitability in their operations.
Enterprise solutions
End-to-end business optimization requires integrated and interoperable systems. Our platforms are designed for the specific challenges of mining and construction, and work across your choice of equipment OEM or systems partner.
( https://www.epiroc.com/digital-solutions )
The increasing cyber threats combined with our dependency on Information Technology means that we must manage these risks properly and take steps to protect ourselves against cyber threats. The Global Mining Guidelines Group states: “With technology advances and the rise of remote working, the mining industry is susceptible to new and advanced cyber threats and attacks that can cause incredible damage for both mines and suppliers”[2]. To prevent or mitigate those risks to an acceptable level, adequate security countermeasures and controls must be in place and risk assessments must continuously be carried out across the Epiroc group – safeguarding both our internal operations as well as the digital products we develop.
[2] Source: Global Mining Guidelines Group –https://gmggroup.org/groups/cybersecurity-working-group/
It is vital for us to continuously uphold security and protect our digital assets. From an information security standpoint, Epiroc’s digital assets include data, intellectual property developed as digital products, and other information that requires protection. The security of information and data is essential to good governance and confidence, necessitating security risk management and due care.
Epiroc continuously works to ensure security measures and controls are in place to preserve the confidentiality, integrity, and availability of digital assets, while it is being processed, in transit, and in storage. There are three types of security controls:
· Administrative controls including IT Security policies, Information Classification, Cybersecurity awareness programs, online training etc.
· Technical Controls like Firewalls, Access Control, Endpoint Security and data back-ups.
· Physical Controls such as fences, turnstiles and other barriers to unauthorized entry or access.
To operate effectively Epiroc must ensure the confidentiality, integrity and availability of its information, systems, and the digital solutions it provides to customers.
Proper digital product security requires us to be intentional in the way we design, build and maintain the solutions we provide to customers by implementing processes and practices including:
· Security in the software development life cycle
· Security controls in development environments
· Security conscious code review (peer review) processes
· Secure coding guidelines and standards
· Security assessment and testing
An ongoing initiative within Epiroc Product Security is to support the Digital Solutions division in Software Development Security related activities by sharing best practices on secure coding guidelines, requirements, and standards.
Epiroc, like many global companies, has decided to implement General Data Protection Regulation (GDPR) standards throughout the group (with the caveat that stricter local laws and regulations may apply in the countries where we do business). We take appropriate security measures to protect any personal data in our care against unauthorized access, alteration, and erasure[3].
The Data Privacy Manager at Epiroc is part of the Legal department and works closely with Epiroc IT Security team on GDPR-related areas.
[3] For further information regarding Epiroc Data Privacy see https://www.epirocgroup.com/en/privacy-portal/privacy-notice
Epiroc is structured in two groups specialized in cybersecurity – Group Information Security, and Epiroc IT Security.
Cybersecurity in Epiroc is organized across three lines of defense:
· Epiroc IT Security/Product Security lies in the first line – Divisional Management/Technology & Innovation and Digital Solutions division.
· Group Information Security, managing cybersecurity risks, is in the second line, and
· Epiroc’s Group Internal Audit and Assurance (GIAA) team makes up the third line.
Proper risk management is maintained at Epiroc with the Head of Information Security and Information Security Specialists making up the Group Information Security function. The Group Information Security function’s area of responsibility include (but is not limited to):
· Assessing and reporting Epiroc cybersecurity risk and advising on risk mitigation.
· Facilitating and monitoring the implementation of IT Security controls.
· Monitoring the adequacy and effectiveness of IT Security controls, accuracy and completeness of reporting, compliance with laws and regulations, and timely remediation of deficiencies.
· Developing and maintaining an effective security awareness program, building a secure culture by ensuring everyone at Epiroc understands their responsibility for cybersecurity and follows our IT Security practices.
· Ownership of the Information Security Management System (ISMS).
· Reporting on cybersecurity to the Epiroc Group Management [4]quarterly and to the Board’s Audit Committee[5] twice per year.
[4] Epiroc Group Management is appointed by the President and CEO. Please see details on https://www.epirocgroup.com/en/investors/corporate-governance/group-management
[5] Board/Audit committee details are available on https://www.epirocgroup.com/en/investors/corporate-governance/committees
Our Product Security Manager works with product owners and technical service teams at the Epiroc Digital Solutions division to understand the solutions and provide help, advice, and guidance on cybersecurity.
The IT Security team is headed by the Global IT Security Manager and leads a team of security professionals with responsibilities and functions in the following cybersecurity areas:
· Security Operations/Incident Response and Remediation
· IT Security Architecture
· IT Security Governance
· Product Security
· Operation Technology (OT) Security
· Identity and Access Management (IAM)
The Epiroc cybersecurity team has developed an OT (Operational Technology) and Product security strategy, with the following guiding principles:
Trusted partner
Our customers and partners are increasingly raising their security requirements. Epiroc must be a trustworthy partner in society by displaying that our cybersecurity is being managed correctly - protecting us, our customers and our partners.
Security as a competitive differentiator
Good cybersecurity means customers can entrust us with their data, giving us a competitive edge by using our customer's data to improve their business.
Security culture
Everyone at Epiroc knows they have a responsibility for cybersecurity and follow our clear secure practices. To achieve this, we train our colleagues and partners.
Risk reduction
Risk assessments are carried out across the company, including cybersecurity risks. Group Information Security and Epiroc IT Security assist in putting controls in place to reduce risk to an acceptable level.
As Epiroc’s digital product portfolio grows organically or through acquisitions, the cybersecurity and individual product teams collaborate to attain the following security characteristics in our products:
Strong Authentication (Multi-factor authentication) - For our suppliers and in our products
· Our suppliers connect to their installed base of products and solutions at our sites using log-on by strong multi-factor authentication. Our connected products are MFA-enabled.
· Prevent cyber threat actors from account takeovers/unauthorized access.
Monitored Network Traffic - Security Operation Center - To and from our suppliers and customers
· Monitored outbound and inbound traffic between Epiroc and our suppliers and customers.
· Provide early, automated responses to detected cyber threats, such as intrusion attempts, malicious code, ransomware etc to ensure resilient and continuous operations.
Digitally Signed Software - From suppliers to customers
· We use and consume digitally signed software from our suppliers. We digitally sign our own developed software that we provide to our customers.
· Ensures that only desired and officially released versions/functionality are in play.
· Prevent cyber threat actors from manipulating software.
Encrypted Network Traffic - From suppliers to customers
· Outbound and inbound traffic to and from Epiroc must be encrypted.
· Protect Epiroc and our customers from information leakage.
No cybersecurity team’s job is ever done – a reality we are very aware of! As such, we realize that continued learning, vigilance and a willingness to change must be a part of our DNA. While we strive to provide standards, model best practices and support product teams and customers alike, we also know that success lies in every Epiroc employee’s hands as much as in ours.
Epiroc is actively growing, and different product lines, teams and business areas may be at different points in their journey to full adoption and implementation of the standards and guidelines we set from a group perspective.
We would like to point out that this article contains information pertaining to ongoing projects and may include forward-looking statements that are subject to various risks and uncertainties. The contents of this document are provided for informational purposes only and do not constitute a commitment or guarantee of any future developments or outcomes.
The information presented herein is based on current knowledge and assumptions up to the date of publication, which is September 2023. However, the actual results and timelines of the projects discussed may differ significantly from the statements made in this document due to a multitude of factors beyond our control. We expressly disclaim any obligation to update or revise the information in this article in light of new developments or unforeseen events.
