Cybersecurity at Smiths Detection

Cyber Security

Cybersecurity (or IT security): the art of protecting networks, devices and data from unauthorised access or criminal use and the practice of ensuring confidentiality, integrity, and availability of information.1

The tremendous growth in network connectivity and digital data sharing exposes more and more organisations to cybersecurity threats. Threats can be internal and external, deliberate or unintentional, so it is important to take a holistic approach and develop both policies and a culture that consider not just technology, but also people, processes, and hardware.

That which protects must itself be protected!

Our products and solutions capture, process, store and generate data to support, for example, substance analysis; the screening and decision-making process and data exchange with external IT systems. Any data alteration or manipulation in these applications can potentially damage revenue, reputation, health or pose a societal risk. Because the information generated by our equipment is generally considered to be business essential or crucial, we hold ensuring its confidentiality, integrity, and availability to be of the highest importance.

A shared responsibility

As part of ensuring the security of Smiths Detection equipment, early on in our conversations with customers we seek to understand their operational risks and compliance requirements. We help with the evaluation of potential solutions versus risk and cost and the creation of a secure operating environment.

Our approach adheres to current best practices as laid down by the key cybersecurity legal and regulatory bodies and enables Smiths Detection to discuss with our customers a range of topics including network protection, hardening, monitoring and logging, patch and incident management, access control, supply chain, and human resources.

But cybersecurity is not a one-off consideration, it’s an on-going process and we are dedicated to ensuring protection evolves to maintain optimal security during the lifetime of the Smiths Detection equipment. This is key to on-going effective cybersecurity management and a fundamental part of any long-term partnership.

Rigorous internal procedures

With all of this in mind, cybersecurity is infused into our culture, policies, and ways of work.

Cybersecurity is an integral part of Smiths Detection product design principles. ISO 27001 certification and annual audits ensure the company’s development, production and business processes consistently follow the highest information security standards. In the USA, our Special Security Agreement (SSA) certification ensures we are in compliance with federal and state requirements.

New employees are screened prior to joining the company including (when appropriate) a comprehensive background check. They must comply with policies on handling electronic media and incident reporting. Electronic access to systems is restricted and only authorised on a need basis following a ‘least privilege’ principle. General staff do not have access to any areas with a high information security risk such as research & development or IT infrastructure.

All employees are regularly trained on  cybersecurity, our Smiths Code of Business Ethics and Anti-Bribery and Corruption (ABC).  We offer both a standard and a longer version of the latter which are assigned based on employee role and ABC risk.  The completion and delinquency rates for these courses are actively tracked across the business in order to achieve 100% compliance. 

Regulatory development

The importance of cybersecurity has escalated quickly with laws and regulations at state or government level relevant to all industries and sectors.

In Europe, the NIS Directive was the first piece of EU-wide legislation on cybersecurity, providing legal measures to boost overall levels of cybersecurity. NIS1 (and soon NIS2), along with the FISMA laws in the USA, are setting key requirements and obligations which are relevant to any organisation operating within critical infrastructures.

As part of the European Commission strategy, essential sectors will be (re)categorised with a requirement for stricter cybersecurity policies and risk management.  As these measures will in some degree apply to suppliers and service providers, the entire supply chain will be impacted.

In the USA, FISMA laws set federal cybersecurity obligations for the US administration (including DOD, TSA and CBP).  Practical aspects are described and managed in the NIST Risk Management Framework. Suppliers must adhere to specific rules and processes in order do business with the administration, offering support and services during the lifetime of products plus assessments of the hardware and software to be delivered.

It is a constantly changing landscape and Smiths Detection stays informed and up-to-date with regulations, laws and frameworks along with any amendments to compliance from national cybersecurity agencies such as: ENISA in Europe; UK Department of Transport (DfT); Cyber Security and Infrastructure Agency (CISA) and Transport Security Administration (TSA) in the USA; the WTO’s Information Technology Agreement (ITA); and the French National Agency for the Security of Information Systems (ANSSI).

Next steps

Cyber threats are increasingly sophisticated, and no-one is safe from attacks. We are always looking to future proof our screening technology and the same approach is needed for cybersecurity. By building flexible and robust foundations today, organisations will be able to adapt to the inevitable new and developing threats.

Smiths Detection can help you in finding the appropriate cybersecurity solution for your business.

Everything we do is aimed at making the world a safer place – and that includes the cyber world.

1US Cybersecurity and infrastructure security agency

_______________________________________________

Following this general introduction to cybersecurity from Smiths Detection’s perspective, we will be publishing a series of articles covering a range of aspects from risk assessment, technology and processes to regulatory and other external influences, plus a look at specific markets.