Cybersecurity Archives - Jama Software
https://www.jamasoftware.com/blog/topic/cybersecurity/
Jama Connect® #1 in Requirements Management
Mon, 20 Apr 2026 12:13:08 +0000

Simplify Complexity, Risk Assessment, and Safety and Cybersecurity Compliance with Jama Connect® for Industrial Machinery Development
https://www.jamasoftware.com/blog/simplify-complexity-risk-assessment-and-safety-and-cybersecurity-compliance-with-jama-connect-for-industrial-machinery-development/
Thu, 16 Apr 2026 10:00:11 +0000
Bank of monitors and control stations.

This blog overviews our Datasheet, “Simplify Complexity, Risk Assessment, and Safety and Cybersecurity Compliance with Jama Connect for Industrial Machinery Development.”

KEY BENEFITS

  • Streamline Standards Compliance: Automate the traceability required for standards, significantly reducing the manual effort of audit preparation.
  • Support Secure-by-Design: Seamlessly incorporate cybersecurity planning and controls from design initiation to ensure compliance with EU Cyber Resilience Act requirements.
  • Adopt Agile Approach to Contextualize Functional Safety Assessments: Customize assessments to fit each specific product or iteration instead of using the same preset list of hazards and responses for every project.
  • Unify Risk Management: Integrate hazard analysis (HARA) and Failure Mode and Effects Analysis (FMEA) directly into the development process to ensure safety risks are identified and mitigated early.
  • Enhance Multi-Disciplinary Collaboration: Align mechanical, electrical, and software teams on a single platform to prevent silos and ensure system-wide coherence.
  • Accelerate Variant Management: Manage product variants efficiently to meet specific customer specifications without sacrificing speed to market.
  • Ensure End-to-End Traceability: Maintain links between requirements, risks, and tests to ensure every design decision is verified and validated before release.

Simplify Complexity, Risk Assessment, and Safety and Cybersecurity Compliance with Jama Connect for Industrial Machinery Development

Developing modern industrial machinery involves navigating a dense web of complexity where precision is paramount. Engineering teams must synchronize mechanical, electrical, control, and software components while adhering to rigorous safety and security standards like ISO 13849-1 and -2, IEC 62061, IEC 61508, and IEC 62443. The pressure to deliver tailored product variants rapidly often conflicts with the need for thorough risk assessment and documentation. Without a unified approach, gaps in requirements can lead to costly delays, safety incidents, or field recalls, threatening both market reputation and operational efficiency.

Jama Connect for Industrial Machinery Development provides a robust, pre-configured framework designed to tame this complexity. By aligning directly with major machinery and functional safety and security standards, the platform creates a clear digital thread from high-level stakeholder requirements down to specific component verification. This solution bridges the gap between diverse engineering disciplines, ensuring that control systems, safety functions, and mechanical designs evolve in lockstep. Teams manage the entire product lifecycle — from concept to validation — within a single source of truth that actively monitors for compliance and risk.


RELATED: Agile Robots Boosts Internal Process Efficiency by Moving to Jama Connect


Jama Connect for Industrial Machinery Development includes the following:

  • End-to-End Traceability. The out-of-the-box, customizable Traceability Information Model™ starts right at the top with every stakeholder or customer requirement tracing back to a specific standard or clause. This traceability provides teams with a clear link between what they’re building and why it’s required, and detailed documentation for auditors.
  • Functional Safety Compliance. The classic V-model structure covers stakeholder to system, subsystem, component, design, and then test for a clean, end-to-end chain that mirrors the safety lifecycle — define it at the top, prove it at the bottom.
  • Integrated Cybersecurity Framework. Identify relevant threats and vulnerabilities using pre-defined templates to align threat analysis with security requirements and verifications, enabling teams to respond to incidents quickly at all stages of the product lifecycle.
  • Risk Management. Each use case connects into a hazard analysis or FMEA, which flows naturally into safety function requirements. That means that identified risks turn directly into design actions, not just documents that sit on the shelf.
  • Control Systems Safety. Safety functions break down into the safety-related parts of the control system — electrical, electronic, or software layers, where things like Performance Level or SIL come into play.
  • Verification and Validation. Every safety function, every requirement, has a clear link to the tests or activities that prove it’s been met.

From standards, threats, and risks all the way through design and verification, everything is connected. It makes compliance smoother, audits faster, and the overall process a lot more reliable and efficient.

Example of Hazard Analysis Trace Matrix

Screenshot of the UI in Jama Connect showing a Hazard Analysis Trace Matrix.

Companies choose Jama Connect for Industrial Machinery Development to innovate faster and deliver complex, safety-critical machinery with confidence, knowing that every requirement is met, tested, and documented for the global market. To learn more, visit www.jamasoftware.com.


TO DOWNLOAD THIS DATASHEET, VISIT:
Simplify Complexity, Risk Assessment, and Safety and Cybersecurity Compliance with Jama Connect for Industrial Machinery Development


[Webinar Recap] Engineering for the Cyber Resilience Act: Navigating Compliance Across the Product Lifecycle
https://www.jamasoftware.com/blog/webinar-recap-engineering-for-the-cyber-resilience-act-navigating-compliance-across-the-product-lifecycle/
Wed, 14 Jan 2026 11:00:25 +0000
Patrick Garman, the expert leading this webinar, talking about Engineering for the Cyber Resilience Act: Navigating Compliance Across the Product Lifecycle.

Watch the entire presentation here: Engineering for the Cyber Resilience Act: Navigating Compliance Across the Product Lifecycle.

Engineering for the Cyber Resilience Act: Navigating Compliance Across the Product Lifecycle

Preparing for the Cyber Resilience Act: What Engineering Teams Need to Know Now

The EU Cyber Resilience Act (CRA) is setting new expectations for digital product development. It introduces mandatory requirements for vulnerability management, secure-by-design engineering, traceability, and post-market monitoring. For manufacturers of connected or software-enabled products, this represents a critical shift in how you build, document, and maintain your technology.

In this webinar, Patrick Garman, Manager of Solutions & Consulting at Jama Software, breaks down the complexities of the CRA, reviews enforcement timelines, and demonstrates how to integrate cybersecurity directly into your product lifecycle.

What You’ll Learn:

  • Deconstruct CRA Requirements: Gain a clear understanding of obligations for manufacturers, importers, and distributors, including secure development practices and vulnerability handling.
  • Operationalize Secure-by-Design: Learn practical strategies to embed security into your engineering workflows from day one.
  • Master Software Bill of Materials (SBOM) Transparency & Traceability: Discover how to maintain the rigorous documentation and traceability that the new regulation demands.
  • Navigate the Enforcement Timeline: Get a clear view of upcoming deadlines to help you prepare your organization strategically.
  • Leverage Jama Connect® for Compliance: Explore how a modern requirements management tool helps track threats, link mitigations to requirements, integrate testing, and prove compliance.

Don’t wait until the deadline approaches to address these critical changes. Watch now to ensure your team has the knowledge and tools to navigate the CRA successfully.


TRANSCRIPT PREVIEW

Patrick Garman: Hi, everyone, and thank you for joining today. My name’s Patrick Garman, and I am the Solutions Manager for Energy, Industrial, and Consumer Electronics sectors here at Jama Software. Today, I’m going to be talking about the EU’s Cyber Resilience Act, or the CRA. I’ll explain what the CRA actually is, what it means for product developers, and how you can show evidence of secure by design without creating unnecessary overhead. I’m also going to briefly show how Jama Connect supports your CRA compliance. At a high level, the Cyber Resilience Act is an EU regulation that applies to products with digital elements, so hardware with software, firmware, or connectivity, and standalone software products as well. It’s not a technical standard, and it does not tell you how to implement security; it focuses on outcomes. Did you consider cybersecurity risks? Did you define mitigations? Can you show how those were implemented and maintained? It’s also worth saying what it’s not. It’s not saying that products must be perfectly secure, and it’s not trying to turn product teams into security researchers. It’s really about making cybersecurity part of normal product engineering, just integrating it into your process.

And the motivation behind the CRA is pretty straightforward: products today rely heavily on software, but cybersecurity practices across manufacturers vary a lot. Some teams are very disciplined, and others rely more on informal knowledge and experience. From a regulatory point of view, that makes it hard to assess product risk and hard to respond when vulnerabilities show up later, so the CRA is really about creating a consistent baseline, so cybersecurity is treated more like safety, reliability, or quality, something you design for, document, and revisit throughout the product lifecycle. And the penalties can be pretty stiff for non-compliance. You hear, for non-compliance, up to 15 million euros or 2.5% of your global annual turnover. Products can be barred from the EU market for non-compliance. It does include mandatory incident reporting, and it also establishes liability for manufacturers for unsafe or insecure products, so it is something that is very important to prepare for and be ready for. If you strip away the legal language, the CRA requirements really fall into a few practical buckets. First, you’re expected to identify cybersecurity risks that are relevant to your product and how it’s used.


RELATED: Buyer’s Guide: How to Select the Right Requirements Management and Traceability Solution


Garman: Second, those risks should lead to actual security requirements, design constraints, controls, or behaviors that mitigate the risks. Third, there needs to be evidence, not just that you thought about security, but that the requirements were implemented and verified. And finally, the CRA expects manufacturers to manage vulnerabilities after release, things like intake, assessment, updates, and communication. And the challenge is doing it consistently and in a way that you can explain later, especially if this information is spread across different repositories. Before I jump into a demo in Jama Connect, I want to set up how to think about CRA compliance in Jama Connect. The CRA is ultimately asking for something pretty specific, can you prove a clean line from the cybersecurity risk to mitigation to verification, and then keep that story intact as the product changes? And Jama Connect’s a great tool for this because it’s designed for exactly this kind of lifecycle traceability with definable traceability information models that provide guardrails for your process. And the model I’m showing here, threats must link to one or more security requirements, and security requirements must link to verification evidence like test cases or analysis.

And if we want to go deeper, we can link into design and implementation artifacts as well. And the reason that this matters is that once these rules are in place, you’re not relying on memory or tribal knowledge. Jama Connect can guide teams towards consistent linking, and it becomes much easier to answer the questions that come up in audits and reviews, such as which risks are unmitigated, which mitigations aren’t verified, and what changed since the last release? And the other big benefit is the change impact. Sorry. When a new vulnerability pops up or a design decision shifts, Jama makes it practical to see what requirements, tests, and releases are affected without manually stitching it together across documents and spreadsheets. With that framing, what I’ll show next is a simple example. We’ll take a threat and author a requirement against it, and then see the verification evidence, so you’ll see how the relationship rule set keeps the traceability clean and reviewable. For this demo, I’m going to keep the model intentionally simple. We’re going to start with a cybersecurity threat analysis, trace that to a security requirement, and then to a validation.


RELATED: SPAN Electrifies Its Product Development and Safety with Jama Connect


Garman: And in this scenario, I’m going to use the CVSS, which stands for the Common Vulnerability Scoring System, the 3.1 model, to score severity consistently. CVSS is traditionally used for vulnerabilities, but teams often use that same scoring structure for threat scenarios because it is familiar and repeatable. And I have a pre-created threat analysis item so that we can focus on the traceability aspects. But here you can see I have a place where I can provide a name, a description of the threat or vulnerability, and also select all of the appropriate vectors within the CVSS scoring model. And I’m also using Jama Connect Interchange™’s Excel functions to calculate the base score and assign a severity rating, along with the temporal score and environmental score. Again, these are all calculated automatically on the backend as you define your threat vectors. And the reason I like capturing all of these attributes here in Jama Connect is it makes the assumptions explicit. Stakeholders can review the score, disagree with it, and adjust it, but we’re not hand-waving severity. And because it’s all on the same system as our requirements and validations, the cybersecurity story stays connected.


THIS IS A PREVIEW OF OUR WEBINAR, WATCH IT IN ITS ENTIRETY:
[Webinar Recap] Engineering for the Cyber Resilience Act: Navigating Compliance Across the Product Lifecycle


Cybersecurity by Design: Preparing for the Cyber Resilience Act
https://www.jamasoftware.com/blog/cybersecurity-by-design-preparing-for-the-cyber-resilience-act/
Tue, 06 Jan 2026 11:00:00 +0000
Interconnected consumer electronics products, showing how cybersecurity by design applies to connected products.
Cybersecurity by Design: Preparing for the Cyber Resilience Act

The European Union’s Cyber Resilience Act (CRA) is a landmark piece of legislation set to redefine cybersecurity standards for products with digital elements. Adopted in March 2024, the CRA establishes a new baseline for security, requiring companies to embed cybersecurity practices throughout the entire product lifecycle. For product developers, this means shifting from a reactive stance to a proactive “secure by design” philosophy. Understanding the CRA’s requirements is the first step toward compliance and avoiding significant penalties.

This blog post will guide you through the key aspects of the CRA, including its core requirements, the costs of non-compliance, and how you can leverage powerful tools to streamline your journey to compliance.

What is the EU Cyber Resilience Act?

The CRA is the first horizontal EU legislation that mandates cybersecurity for any product with digital components sold within its market. This includes everything from industrial machinery and robotics platforms to smart home devices and consumer electronics. The legislation aims to protect consumers and businesses by ensuring that products are secure from the moment they are designed until the end of their support lifecycle.

Key timelines to remember:

  • Reporting Obligations: Mandatory reporting of identified vulnerabilities and severe incidents becomes legally enforceable in September 2026.
  • General Obligations: Requirements around secure-by-design, full documentation, conformity assessments, and more are planned to go into effect by December 2027.

The CRA also categorizes products into four risk classes (Class I to III, plus Critical Products). This classification determines the level of scrutiny and evidence required to prove compliance, ranging from basic documentation to a full third-party conformity assessment.


RELATED: BrightInsight Drives Efficiency Using Jama Connect


Key CRA Requirements for Product Developers

The CRA is not a simple checklist; it demands a comprehensive, lifecycle-based approach to security. Product developers must integrate several key practices into their workflows to meet the new standards.

Conduct Cybersecurity Risk Assessments

You must systematically identify and evaluate potential cybersecurity threats, intended uses, and foreseeable misuse of your product. This forms the foundation of your security strategy.

Define and Document Security Requirements

Based on your risk assessment, you need to define and document specific security requirements. These requirements must be traced to design controls, verification activities, and even source code to demonstrate how you are mitigating identified risks.

Maintain a Software Bill of Materials (SBOM)

An SBOM is a detailed inventory of all software components, libraries, and modules within your product. This list is crucial for tracking components and managing their associated vulnerabilities effectively.

Implement Secure Development and Vulnerability Handling

The CRA requires you to establish and maintain secure development processes. This includes having a structured process for identifying, managing, and patching vulnerabilities discovered after the product is on the market.

Prepare Technical Documentation

You must compile a comprehensive Technical Documentation Package that can be presented to regulators on demand. This package serves as the complete record of your product’s security posture and compliance efforts. It should include:

  • The cybersecurity risk assessment.
  • Documented and traceable security requirements, design controls, and test results.
  • Traceability to implementation tasks and code.
  • Evidence of your secure design and development process.
  • The SBOM.
  • Details of your vulnerability handling workflow.
  • A lifecycle maintenance plan.

The High Cost of Non-Compliance

Ignoring the CRA is not an option. The penalties for failing to meet its obligations are severe and can have a lasting impact on your business. These include:

  • Fines of up to €15 million or 2.5% of your company’s global annual turnover.
  • The authority for EU regulators to withdraw or recall non-compliant products from the market.
  • Mandatory reporting of incidents and vulnerabilities.
  • Increased liability for damages caused by insecure products.

Beyond the direct financial penalties, the reputational damage and loss of market access can be devastating.

Navigating Compliance with Standards and Traceability

While the CRA is principles-based and doesn’t mandate one specific cybersecurity standard, it aligns with several established international frameworks. Adopting one of these can provide a structured path to compliance. Relevant standards include:

  • ISO/IEC 62443 for industrial automation and control systems.
  • ETSI EN 303 645 for consumer Internet of Things (IoT) devices.
  • ISO/IEC 27001 for security controls and information security management.
  • ISO/IEC 81001-1 for health software security.

Regardless of the standard you follow, the core principle is demonstrating traceability. Regulators will want to see a clear, auditable link from an identified threat to a risk assessment, through to the security requirement, its implementation as a control, and the verification test that proves it works.
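The audit questions raised above and in the webinar transcript (which risks are unmitigated, which mitigations aren’t verified, what is affected by a change) can be answered mechanically once the relationship rules are explicit. The following is an added example, not Jama Connect’s data model, item types or API: it enforces the rule set from the webinar (threat links to one or more security requirements, security requirement links to verification evidence) over a small constructed trace set.

```python
"""Audit a threat -> security requirement -> verification trace model.
Constructed example; not Jama Connect's data model, item types or API."""
from collections import defaultdict

# Constructed trace items. Relationship rules being checked: every threat must
# link to at least one security requirement, and every security requirement
# must link to verification evidence (a test case or analysis) that passed.
ITEMS = {
    "THR-1": {"type": "threat", "name": "Unauthenticated firmware update over LAN"},
    "THR-2": {"type": "threat", "name": "Debug port left enabled in production"},
    "THR-3": {"type": "threat", "name": "Shared default credentials on web UI"},
    "SR-1": {"type": "requirement", "name": "Firmware images shall be signed; unsigned images are rejected"},
    "SR-2": {"type": "requirement", "name": "Debug interfaces shall be disabled in production builds"},
    "SR-3": {"type": "requirement", "name": "Unique per-device credentials shall be provisioned at manufacture"},
    "TC-1": {"type": "verification", "name": "Reject unsigned firmware image", "result": "pass"},
    "TC-2": {"type": "verification", "name": "Probe debug port on a production unit", "result": "not run"},
}
# Downstream links: source item -> the items it is mitigated by / verified by.
LINKS = {
    "THR-1": {"SR-1"},
    "THR-2": {"SR-2"},
    "THR-3": set(),      # rule violation: threat with no mitigation
    "SR-1": {"TC-1"},
    "SR-2": {"TC-2"},    # linked, but the evidence has not been produced yet
    "SR-3": set(),       # rule violation: requirement with no verification
}


def downstream(item_id, item_type):
    """Items of the given type linked directly downstream of item_id."""
    return {d for d in LINKS.get(item_id, set()) if ITEMS[d]["type"] == item_type}


def unmitigated_threats():
    """Threats that break the rule 'threat links to >= 1 security requirement'."""
    return sorted(i for i, it in ITEMS.items()
                  if it["type"] == "threat" and not downstream(i, "requirement"))


def unverified_requirements():
    """Requirements with no verification link, or none whose result is 'pass'."""
    findings = {}
    for i, it in ITEMS.items():
        if it["type"] != "requirement":
            continue
        evidence = downstream(i, "verification")
        if not evidence:
            findings[i] = "no verification linked"
        elif not any(ITEMS[v]["result"] == "pass" for v in evidence):
            findings[i] = "no passing evidence"
    return findings


def change_impact(item_id):
    """Every item transitively connected to item_id, upstream or downstream:
    the set to re-review when a threat is rescored or a requirement changes."""
    upstream = defaultdict(set)
    for src, dsts in LINKS.items():
        for d in dsts:
            upstream[d].add(src)
    seen, stack = set(), [item_id]
    while stack:
        cur = stack.pop()
        if cur in seen:
            continue
        seen.add(cur)
        stack.extend(LINKS.get(cur, set()) | upstream.get(cur, set()))
    seen.discard(item_id)
    return seen


if __name__ == "__main__":
    print("unmitigated threats:", unmitigated_threats())
    print("unverified requirements:", unverified_requirements())
    print("impact of a change to THR-1:", sorted(change_impact("THR-1")))
```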


RELATED: Jama Connect Enables DevSecOps Through Robust API and Integrations That Connect All Activity to Requirements


How Jama Connect® helps to achieve CRA Compliance

This is where a dedicated requirements management platform like Jama Connect becomes a strategic asset. It provides the structure and capabilities needed to build a compliant and traceable development process. Each step of the CRA’s required workflow—from threat identification to documentation—can be mapped directly into Jama Connect as item types within a traceability model.

This means that when a regulator asks, “Show me how you mitigated this vulnerability,” you can instantly generate a report that traces the entire lifecycle of the mitigation. You can show the risk, the requirement it generated, the control that was implemented, the test case that validated it, and all the associated evidence.

Jama Connect offers new and upcoming solutions specifically designed to help you prepare for the CRA:

  • Consolidated Frameworks: Pre-configured project templates for consumer electronics and industrial machinery are available. These include the necessary item types and traceability models to align with CRA requirements and standards like SAFe.
  • CVSS Templates: To support advanced threat analysis, templates for Common Vulnerability Scoring System (CVSS) versions 2.0, 3.1, and 4.0 are available. These integrate with Excel functions to automate score calculations directly within the platform.

Get Ready for the Cyber Resilience Act

The clock is ticking on the Cyber Resilience Act. While the deadlines may seem distant, building a compliant, secure-by-design development process takes time. The key is to start now. By updating your information models and leveraging tools like Jama Connect, you can build the traceability and documentation needed to meet CRA obligations confidently. Incorporating these practices not only ensures compliance but also results in more secure, resilient, and trustworthy products for your customers.

Note: This article was drafted with the aid of AI. Additional content, edits for accuracy, and industry expertise by Patrick Garman and Mario Maldari.

Navigating IEC 62443: Strengthening Cybersecurity in Industrial Automation & Control Systems
https://www.jamasoftware.com/blog/2025/05/21/navigating-iec-62443-strengthening-cybersecurity-in-industrial-automation-control-systems/
Wed, 21 May 2025 10:00:33 +0000
Woman inspecting machinery in a warehouse to check for safety compliance such as IEC 62443.

In this blog, we recap our recent eBook, “Navigating IEC 62443: Strengthening Cybersecurity in Industrial Automation & Control Systems.”

Navigating IEC 62443: Strengthening Cybersecurity in Industrial Automation & Control Systems

Understanding IEC 62443

IEC 62443 is a comprehensive set of standards aimed at securing Industrial Automation and Control Systems (IACS) against cybersecurity threats. It provides guidelines for designing, implementing, and maintaining secure industrial automation systems, ensuring the integrity, availability, and confidentiality of these critical infrastructures.

Structure

This IEC series is organized into several parts, each focusing on different aspects of IACS security:

  1. General: Introduces fundamental concepts, models, and terminology related to security.
  2. Policies and Procedures: Focuses on establishing and managing security programs.
  3. Components and Requirements: Specifies technical security requirements for IACS components and secure product development practices.
  4. Profiles: Defines industry-specific cybersecurity requirements and provides a structured approach to implementing measures based on cybersecurity profiles.
  5. Evaluation: Describes assessment methodologies to ensure consistent and reproducible evaluation results concerning the requirements of individual parts.

RELATED: Mastering ISO/IEC 27001: A Guide to Information Security Management


Key Components

  1. IEC 62443-1-1: Covers terminology, concepts, and models, laying the foundation for understanding the standards.
  2. IEC 62443-2-1: Provides guidance on establishing security programs for asset owners, aligning with standards like ISO/IEC 27001.
  3. IEC 62443-3-3: Specifies system security requirements and security levels, detailing technical requirements for systems.
  4. IEC 62443-4-1: Focuses on secure product development lifecycle requirements, outlining how to develop secure products.
  5. IEC 62443-4-2: Defines technical security requirements for IACS components, ensuring components meet specific security standards.

Recent Developments

This IEC series is continually evolving to address emerging cybersecurity challenges. Recent updates include:

  1. IEC 62443-1-5: Introduced in September 2023, this technical specification outlines the scheme for IEC 62443 security profiles, providing a structured approach to implementing cybersecurity measures based on defined profiles.
  2. IEC 62443-2-1: The second edition, released in August 2024, updates the security program requirements for IACS asset owners, aligning with evolving industry practices and emerging threats.
  3. IEC 62443-2-4: The second edition, published in December 2023, revises the requirements for IACS service providers, ensuring that integrators meet current cybersecurity capabilities across various domains.
  4. IEC 62443-6-1: Released in March 2024, this technical specification introduces a security evaluation methodology for IEC 62443-2-4, aiming to ensure consistent and reproducible assessment results.

RELATED: Traceable Agile™ – Speed AND Quality Are Possible for Software Factories in Safety-critical Industries


Impact on Industrial Automation

This standard has a significant impact on industrial automation by establishing a structured framework for cybersecurity in industrial control systems (ICS) and operational technology (OT) environments. Here’s how it influences the industry:

  1. Enhances Cybersecurity in Industrial Automation: IEC 62443 provides comprehensive guidelines to protect industrial networks, control systems, and automation components from cyber threats. It helps in mitigating risks associated with unauthorized access, malware attacks, and insider threats.
  2. Establishes a Risk-Based Approach: The standard encourages risk assessment and mitigation strategies based on the specific threats and vulnerabilities of an automation system. This ensures tailored security measures rather than a one-size-fits-all approach.
  3. Defines Roles & Responsibilities: IEC 62443 categorizes the responsibilities of different stakeholders in industrial automation, including:
    1. Asset owners (e.g., manufacturing plants, energy companies)
    2. System integrators (those designing and configuring industrial systems)
    3. Product suppliers (hardware and software vendors)
    Each entity must implement security controls based on its role in the automation system.
  4. Promotes Secure System Development & Lifecycle Management: The standard provides guidance on secure development, configuration, and maintenance of industrial automation components, ensuring security is embedded from design to decommissioning.
  5. Improves Compliance & Regulatory Alignment: Many governments and industries are aligning cybersecurity regulations with IEC 62443, making it essential for organizations to adopt the standard to stay compliant with industry best practices and legal requirements.
  6. Encourages Interoperability & Secure Communication: By enforcing secure communication protocols and access controls, IEC 62443 ensures that automation systems can safely interact with IT networks, cloud services, and IIoT (Industrial Internet of Things) applications without compromising security.
  7. Supports Business Continuity & Resilience: A strong cybersecurity framework reduces downtime caused by cyber incidents, ensuring uninterrupted industrial operations and minimizing financial losses.

THIS HAS BEEN A PREVIEW – TO READ THIS EBOOK IN ITS ENTIRETY, VISIT:
Navigating IEC 62443: Strengthening Cybersecurity in Industrial Automation & Control Systems


The post Navigating IEC 62443: Strengthening Cybersecurity in Industrial Automation & Control Systems appeared first on Jama Software.

]]>
Cybersecurity in Unregulated Industries: Proactive Strategies for Mitigating Risk https://www.jamasoftware.com/blog/2025/04/01/cybersecurity-in-unregulated-industries-proactive-strategies-for-mitigating-risk/ Tue, 01 Apr 2025 10:00:33 +0000 https://www.jamasoftware.com/?p=82287 Cybersecurity in Unregulated Industries: Proactive Strategies for Mitigating Risk In today’s modern, digital landscape, cybersecurity threats are not limited to heavily regulated industries like aerospace, automotive, and medical devices. While government mandates drive compliance in regulated sectors, industries without strict cybersecurity oversight for specific products — such as consumer electronics, financial services, insurance, industrial manufacturing, […]


Cybersecurity in Unregulated Industries: Proactive Strategies for Mitigating Risk

In today’s modern, digital landscape, cybersecurity threats are not limited to heavily regulated industries like aerospace, automotive, and medical devices. While government mandates drive compliance in regulated sectors, industries without strict cybersecurity oversight for specific products — such as consumer electronics, financial services, insurance, industrial manufacturing, and software development — are increasingly taking proactive steps to address cybersecurity risks. With cyberattacks growing in frequency and sophistication, companies in these industries must prioritize security to protect intellectual property, maintain customer trust, and prevent costly disruptions.

Cybersecurity Challenges in Unregulated Industries

Unlike regulated markets, where adherence to standards such as ISO 21434 (for automotive) or DO-326A (for Aerospace & Defense) is required, many industries operate without formal cybersecurity frameworks. However, recent high-profile breaches have underscored the need for stronger security measures:

  • Consumer Electronics: A leading smart home device manufacturer recently faced scrutiny after vulnerabilities in its IoT ecosystem allowed hackers to access users’ security cameras. Without strict regulatory oversight, companies must self-impose cybersecurity best practices to safeguard consumer data.
  • Industrial Manufacturing: A ransomware attack on a global industrial equipment provider disrupted production lines and resulted in significant financial losses. As manufacturers embrace Industry 4.0 and connected systems, cybersecurity must become a core consideration.
  • Software Development: Open-source software dependencies have become a major target for cybercriminals. The recent exploitation of a widely used software library demonstrated how vulnerabilities in third-party components can create widespread security risks.
  • Insurance: A major insurance provider suffered a data breach when cybercriminals exploited weaknesses in its cloud-based claims processing system. The breach exposed sensitive policyholder information, including Social Security numbers and financial details, highlighting the need for robust encryption and access controls in an industry handling vast amounts of personal data.
  • Financial Services: A global investment firm fell victim to a sophisticated phishing attack that compromised employee login credentials, allowing attackers to execute fraudulent transactions. As financial institutions increasingly rely on digital banking and AI-driven trading, strengthening identity verification and fraud detection measures is critical to mitigating cybersecurity threats.

Even without formal regulations, companies in these industries recognize that cybersecurity is a business imperative – and also crucial to remaining trusted and respected in the market. Many are implementing best practices, such as adopting secure development methodologies, integrating threat modeling, and enhancing collaboration between security and development teams.

How Jama Connect® Supports Cybersecurity in Unregulated Industries

While unregulated industries may not face the same compliance pressures as sectors like automotive, medical devices, or aerospace & defense, they still need robust cybersecurity risk management. Jama Connect provides the tools necessary to build a strong cybersecurity foundation by:

  • Embedding Security into Development Processes: Jama Connect enables teams to integrate cybersecurity considerations throughout product, project, and program development, ensuring that security is addressed from the earliest stages.
  • Enhancing Collaboration and Risk Visibility: With real-time collaboration and traceability, teams can proactively identify, assess, and mitigate security risks before they escalate.
  • Facilitating Secure Software Development: By providing structured frameworks for security requirements and risk assessments, Jama Connect helps organizations adopt secure coding practices and threat modeling techniques.
  • Supporting Industry-Specific Best Practices: Even without formal regulatory requirements, Jama Connect allows organizations to implement cybersecurity frameworks aligned with industry standards such as NIST Cybersecurity Framework and Secure Software Development Lifecycle (SSDLC).

As cyber threats continue to evolve, companies in unregulated industries must take proactive steps to secure their products and operations. By leveraging Jama Connect, organizations can establish a structured, security-first approach that reduces vulnerabilities and builds resilience against emerging cyber risks.

Want to learn about how to mitigate cybersecurity risks in regulated markets? Check out this blog post.

Note: This article was drafted with the aid of AI. Additional content, edits for accuracy, and industry expertise by Mario Maldari, Brian Morrisroe, and Kenzie Ingram.

Strengthening Cybersecurity in Regulated Markets: How Jama Connect® Enhances Risk Management in Product Development
https://www.jamasoftware.com/blog/2025/03/13/strengthening-cybersecurity-in-regulated-markets-how-jama-connect-enhances-risk-management-in-product-development/
Published Thu, 13 Mar 2025 10:00:22 +0000


Strengthening Cybersecurity in Regulated Markets: How Jama Connect® Enhances Risk Management in Product Development

Discover how Jama Connect® empowers product development teams in regulated markets like aerospace, automotive, and medical devices to integrate cybersecurity and safety risk management with requirements management

In today’s connected world, cybersecurity is a critical concern for product development in regulated markets. According to a recent report by Cybersecurity Ventures, cybercrime is predicted to cost the world $10.5 trillion annually by 2025, underscoring the growing risks facing industries that rely on connected products.

As products become increasingly software-driven and connected, they present new vulnerabilities that require robust security measures. Industries such as aerospace, automotive, and medical devices must navigate complex cybersecurity regulations to protect sensitive data, ensure product safety, and maintain compliance with evolving standards. Failure to address cybersecurity risks not only jeopardizes user safety but can also lead to costly delays, recalls, regulatory penalties, and reputational damage.

The Importance of Cybersecurity in Regulated Markets

Regulated markets operate under strict guidelines to protect data, ensure operational integrity, and maintain public trust. Cybersecurity compliance involves adhering to laws, standards, and regulatory requirements established by governments and industry authorities to safeguard digital information and systems from threats like unauthorized access, data breaches, and cyberattacks.

Recent incidents underscore the urgency of robust cybersecurity measures:

  • Medical Devices: The U.S. Food and Drug Administration (FDA) issued updated guidance requiring medical device manufacturers to submit cybersecurity plans as part of their premarket submissions. This move follows increasing concerns about vulnerabilities in connected medical devices that could jeopardize patient safety and data security.
  • Automotive Industry: A notable cybersecurity breach involving a major automaker demonstrated how connected vehicles can be remotely accessed and controlled. This incident has accelerated the push for stricter compliance with ISO 21434, the international standard for automotive cybersecurity risk management.
  • Aerospace & Defense: Cyberattacks targeting defense contractors have highlighted the need for stringent cybersecurity protocols. The implementation of DO-326A and other cybersecurity standards is becoming increasingly critical to protect sensitive information and ensure the safety of airborne systems.

Jama Software’s Approach to Cybersecurity in Regulated Markets

Jama Software recognizes the critical importance of cybersecurity in regulated industries and has integrated out-of-the-box cybersecurity risk management capabilities into its industry-specific frameworks for Jama Connect. This integration facilitates a proactive approach to cybersecurity across various sectors, including airborne systems, automotive, and medical devices.

Aerospace & Defense

Aircraft, system, and subsystem manufacturers and their suppliers benefit from a customizable solution with a robust REST API that aligns all cybersecurity activity with an integrated DevSecOps CI/CD pipeline, supports collaboration and reviews involving internal and external teams, and provides customizable reports to demonstrate compliance with the “Airworthiness Security Process Specification” (DO-326A). Jama Connect for Airborne Systems provides a framework to identify potential cyber threats, assess vulnerabilities, and implement security measures.

Automotive Industry

The shift towards software-defined vehicles has introduced new cybersecurity challenges. Jama Connect for Automotive offers OEMs and suppliers the capability to develop necessary work products that comply with ISO 21434 for cybersecurity management. It offers comprehensive cybersecurity diagnostics including Threat Analysis and Risk Assessment (TARA) templates and reports, as well as case management, progress monitoring, and reporting features to demonstrate compliance. By facilitating collaborative planning, validation, and alignment, it reduces risks through enhanced collaboration among specialized teams, removes guesswork from threat analysis, and accelerates project launches through efficient reuse of components.

Medical Device Industry

For medical device manufacturers, managing cybersecurity risk under standards like ANSI/AAMI SW96:2023 is complex. Jama Connect for Medical Devices harmonizes cybersecurity and safety risk management, simplifying complex risk evaluations and accelerating responses to threats. This integration reduces complexity, increases efficiency in managing risks, and ensures comprehensive documentation of traceability, which is crucial for regulatory compliance and patient safety.

By embedding cybersecurity risk management into its industry-specific frameworks for Jama Connect, Jama Software empowers organizations to integrate cybersecurity risk management into product development processes for efficient and proactive identification, evaluation, and mitigation of cybersecurity risks, compliance with regulatory standards, and an enhanced overall security posture for their products.

As cybersecurity threats continue to evolve, regulated industries must take proactive steps to safeguard their products, data, and users. The growing complexity of cybersecurity regulations highlights the need for robust risk management frameworks that integrate security into every stage of the product development lifecycle. By leveraging Jama Connect’s industry-specific cybersecurity capabilities, organizations can streamline compliance efforts, enhance collaboration, and mitigate risks more effectively. Investing in secure-by-design practices today ensures a safer and more resilient future for the products and industries that shape our world.

Note: This article was drafted with the aid of AI. Additional content, edits for accuracy, and industry expertise by Mario Maldari and McKenzie Jonsson.

With Hacks on the Rise, Manufacturers Hone Their Cybersecurity Smarts
https://www.jamasoftware.com/blog/with-hacks-on-the-rise-manufacturers-hone-their-cybersecurity-smarts/
Published Thu, 23 Jan 2025 11:00:57 +0000


Jama Software is always looking for news that would benefit and inform our industry partners. As such, we’ve curated a series of customer and industry spotlight articles that we found insightful. In this blog post, we share an article from IndustryWeek, titled “With Hacks on the Rise, Manufacturers Hone Their Cybersecurity Smarts”, written by Stephen Gold.

With Hacks on the Rise, Manufacturers Hone Their Cybersecurity Smarts

Cyber-maturity is finally catching up to digital transformation, a new Manufacturers Alliance study finds.

A chief information security officer, a chief information officer and a chief manufacturing officer walk into a bar. Unfortunately, this isn’t the opening line of a joke – they’re in the bar because they need a stiff drink. These are harrowing times for manufacturing professionals who, in an era of Industry 4.0, are trying to integrate their information technology and operational technology while defending against the dramatically rising threat of cyber criminals.

It’s not like they have a choice on whether to integrate their IT with OT such as machine automation, industrial control systems (ICS), robotics, programmable logistics controllers (PLCs) and building management systems (BMS). Successful IT/OT collaboration is critical to modern manufacturers’ digital strategies. Unfortunately, it’s also the portal where cyber criminals gain entry to the lifeblood of the company: factory operations.

In fact, IBM’s X-Force Threat Intelligence reported that in 2021, manufacturing surpassed finance and insurance as the top targeted sector of cyber bad actors. Today, 1 out of every 4 cyber-attacks on businesses is against manufacturers. And no wonder: despite FBI guidance, manufacturers pay the requested ransom more often than other industries – and at typically higher rates.

The biggest challenge? Cybercriminals with a track record of innovation set the pace of change. But manufacturers aren’t simply circling the wagons. Just the opposite – they’re meeting the challenge head on.

Catching Up Quickly

Manufacturers Alliance partnered with Fortinet recently to update a joint 2020 study on IT/OT convergence. They found that American manufacturers’ level of cyber maturity is catching up to their accelerated pace of digital transformation. This is vital because, while financial extortion related to data theft is a serious risk, infiltration of operating systems with the intent to sabotage or even shut them down poses an existential threat to manufacturers. (The cyber-attack on Clorox this August, which paralyzed manufacturing operations for weeks and led to shortages of Clorox products in stores across the country, is the most recent poster child for the risk that factories face.)

The Alliance-Fortinet survey of 155 U.S.-based mid-cap to large-cap industrial companies showed that a growing percentage of manufacturers are well on their journey with advanced anti-cybercrime programs and policies yielding impressive results. That journey, of course, starts with a large dose of reality. When asked to rank cybersecurity as a business risk, 80% put it in the top five, 10 percentage points higher than three years ago. And no wonder: that same percentage experienced at least one breach resulting in unauthorized access to data in the previous 12 months.

Thirty-six percent of respondents fell victim to a ransomware attack, up from 23% in our 2020 survey. And more specifically, the impact of OT breaches has significantly increased over the past three years. While 43% of manufacturers in both 2020 and 2023 said they experienced cybersecurity-related operational outages affecting productivity –

  • 29% saw operational outages that affected revenue in 2023, a jump of 10 percentage points from 2020
  • 26% saw a loss of business-critical data, 14 percentage points higher than in 2020
  • 21% experienced a loss of IP, a jump of 10 percentage points in three years

So, how can manufacturers come out ahead of cybercriminals? Strategies are changing quickly. For starters, more than 90% of manufacturers say they’re focused on implementing new solutions to address risks specifically affecting OT, more than twice the percentage of just three years ago. Roughly the same percentage of manufacturers are now subjecting OT equipment to IT or cyber review prior to procurement. Among that group, many are deploying network access controls, including quarantining new devices until approved by the internal cyber team.

Finding Cybersecurity Talent Is Tough

Even with growing sophistication on managing OT threats, manufacturers face one primary obstacle to ultimate success: finding in-house expertise to oversee the cyber threat, a high hurdle considering the broader skilled talent shortage being experienced. In our recent survey, roughly 8 out of 10 manufacturers pointed to scarcity of talent and expertise as a key barrier to effective breach response within the last year.

Of course, manufacturers are in the business of making stuff, not securing networks. So given the scope of OT cybersecurity, from vetting new equipment to responding to breaches, fewer than 10% of companies handle all aspects with in-house resources. Two-thirds combine in-house and external expertise, and about 20% rely on third-party service providers for most of their security needs.

Remember the CIO, CISO and chief manufacturing officer walking into a bar? A decade ago they would never have been seen together. Today, their collaboration, and the smooth and rapid integration of IT and OT, is the key to a successful and safe implementation of Industry 4.0.

Understanding UN155 and Its Impact on Cybersecurity Management
https://www.jamasoftware.com/blog/understanding-un155-and-its-impact-on-cybersecurity-management/
Published Tue, 20 Aug 2024 10:00:22 +0000


Understanding UN155 and Its Impact on Cybersecurity Management

In the ever-evolving landscape of cybersecurity, staying ahead of emerging threats and regulations is crucial for organizations worldwide. One such regulatory framework making waves in the cybersecurity community is UN155. This post aims to shed light on UN155 and its significance in cybersecurity management.

What is UN155?

UN155 is a regulatory framework established by the United Nations to enhance cybersecurity practices across various sectors. The framework sets forth comprehensive guidelines and standards for organizations to protect their information systems, data, and infrastructure from cyber threats. It emphasizes a proactive approach to cybersecurity, encouraging organizations to implement robust security measures and continuously monitor and adapt to the evolving threat landscape.

Key Components of UN155

UN155 encompasses several critical components designed to strengthen cybersecurity management:

  1. Risk Assessment and Management: Organizations are required to conduct regular risk assessments to identify potential vulnerabilities and threats. This involves evaluating the likelihood and impact of various cyber risks and implementing appropriate mitigation strategies.
  2. Incident Response and Reporting: UN155 mandates the establishment of incident response plans to swiftly address and mitigate cybersecurity incidents. Organizations must also report significant incidents to relevant authorities, ensuring transparency and accountability.
  3. Data Protection and Privacy: Protecting sensitive data is a cornerstone of UN155. Organizations must implement stringent data protection measures, including encryption, access controls, and data minimization, to safeguard personal and sensitive information.
  4. Continuous Monitoring and Improvement: UN155 emphasizes the importance of continuous monitoring and improvement of cybersecurity practices. Organizations are encouraged to regularly review and update their security measures in response to new threats and vulnerabilities.
  5. Training and Awareness: Educating employees about cybersecurity risks and best practices is crucial. UN155 requires organizations to conduct regular training and awareness programs to ensure that staff members are equipped to recognize and respond to cyber threats.

The Impact of UN155 on Cybersecurity Management

The implementation of UN155 has significant implications for cybersecurity management:

  1. Enhanced Security Posture: By adhering to the guidelines set forth by UN155, organizations can significantly enhance their security posture. Proactive risk assessments, robust incident response plans, and continuous monitoring contribute to a more resilient cybersecurity framework.
  2. Regulatory Compliance: Compliance with UN155 is not just a best practice; it is often a legal requirement. Organizations that fail to comply with the framework may face legal penalties, reputational damage, and financial losses.
  3. Improved Incident Response: With established incident response plans, organizations can respond more effectively to cybersecurity incidents. This minimizes the impact of breaches and ensures a quicker recovery, reducing downtime and financial losses.
  4. Increased Stakeholder Confidence: Demonstrating compliance with UN155 can enhance stakeholder confidence. Clients, partners, and investors are more likely to trust organizations that prioritize cybersecurity and adhere to recognized standards.
  5. Global Harmonization: UN155 promotes a standardized approach to cybersecurity, fostering global harmonization of security practices. This is particularly important for multinational organizations operating in diverse regulatory environments.

UN155 represents a significant step forward in the global effort to enhance cybersecurity management. By adopting the framework’s guidelines and principles, organizations can bolster their defenses against cyber threats, ensure regulatory compliance, and build trust with stakeholders. As the cybersecurity landscape continues to evolve, frameworks like UN155 play a pivotal role in shaping a secure and resilient digital future.

Note: This article was drafted with the aid of AI. Additional content, edits for accuracy, and industry expertise by McKenzie Jonsson and Matt Mickle.

Cyberattacks: Safeguarding Contractors
https://www.jamasoftware.com/blog/cyberattacks-safeguarding-contractors/
Published Tue, 30 Jul 2024 10:00:10 +0000


Jama Software is always looking for news that would benefit and inform our industry partners. As such, we’ve curated a series of customer and industry spotlight articles that we found insightful. In this blog post, we share an article, sourced from AECMagazine, titled “Cyberattacks: safeguarding contractors” – originally published on May 22, 2024, and written by Ben Wallbank.

Cyberattacks: Safeguarding Contractors

It’s every construction firm’s biggest nightmare: criminals taking control of their data and holding them to ransom. Ben Wallbank, Trimble, shares some best practices to mitigate cyberattacks

Cybersecurity and cybercrime often conjure up images of hackers in dark hoodies, sneaking in the digital back door. In reality, nearly 90% of corporate cybercrime, such as phishing or ransomware attacks, is a result of employee error.

The UK construction industry is no exception and could be an even greater target than other industries. Protecting massive amounts of data, including warranty and latent defect remediation periods, makes contractors attractive to cyber criminals. Cybersecurity is so crucial to construction that the National Cyber Security Centre produced a construction industry-specific guide, along with the Chartered Institute of Building (CIOB).

Cybercriminals who target the construction industry usually do so by accessing, copying, and sharing data illegally or by installing malware on a company’s computers and network, taking control of files, and holding them for ransom. It’s called ransomware, and it’s probably the most common and one of the most debilitating types of cybersecurity breaches in the construction world.

Each year, we hear of new cyberattacks, taking critical infrastructure offline and crippling construction businesses worldwide, including many here in Europe. These attacks cost billions of pounds a year and can cause whole cities, businesses, and services to grind to a halt.

UK contractors should follow these best practices to safeguard against cyberattacks and improve outcomes in case of an attack.

Create a business continuity plan

Preparing for the worst puts your business in the best position moving forward because you can act quickly and have more control of the outcome. A solid cyber security disaster plan can get quite detailed. It should be consistently reviewed, practiced, and updated to net the best results in case of an incident. At a minimum, a business continuity plan should include the following:

  • Name of a leader to act as a central resource to manage disaster recovery across multiple departments.
  • A communication plan for sharing key messages and managing crises with employees, clients, and additional project stakeholders.
  • A maintenance plan for a continually updated (and backed up) list of employee contact information and asset inventory.

Backup all data

A crucial aspect of any good cyber security plan is to make sure that everything is backed up, preferably in the cloud or physically on an offsite server that’s not on your network. Backups should be frequent and automated, so ask your IT provider to set them up so that they either happen in real time (if you’re backing up to the cloud) or run daily after everyone has left the office.
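The backup advice above is easy to state and easy to get subtly wrong: a backup that was never checked may not restore when ransomware hits. The following Python job is an added example, not code from the article, from Trimble, or from Jama Software. It goes one step beyond the text by pairing every backup with a restore drill: it archives a directory into a timestamped tarball, records the archive’s SHA-256 digest in a manifest, and then verifies the digest, refuses archive entries that would escape the restore directory, and compares the restored files byte-for-byte with the originals. A local `offsite` directory stands in for the cloud bucket or off-network server the article recommends, and the project files it backs up are constructed sample data.

```python
"""Automated, verifiable backup job (constructed example).

Creates a timestamped, compressed tar archive of a source directory, records
the archive's SHA-256 digest in a manifest, and then performs a restore drill:
re-hashes the archive, extracts it to a scratch directory and compares every
file with the source. The destination directory stands in for an off-site or
cloud location (assumption: a real job would sync it off the local network).
"""
import hashlib
import json
import tarfile
import tempfile
import time
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large archives are not loaded into memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def create_backup(source: Path, dest: Path, label: str = "backup") -> Path:
    """Archive `source` into `dest` and write a JSON manifest beside the archive."""
    dest.mkdir(parents=True, exist_ok=True)
    stamp = time.strftime("%Y%m%dT%H%M%SZ", time.gmtime())
    archive = dest / f"{label}-{stamp}.tar.gz"
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(str(source), arcname=source.name)
    manifest = {
        "archive": archive.name,
        "sha256": sha256_file(archive),
        "source": str(source),
        "created_utc": stamp,
    }
    (archive.parent / (archive.name + ".json")).write_text(json.dumps(manifest, indent=2))
    return archive


def verify_backup(archive: Path, source: Path) -> bool:
    """Restore drill: check the digest, then extract and compare with the source."""
    manifest = json.loads((archive.parent / (archive.name + ".json")).read_text())
    if sha256_file(archive) != manifest["sha256"]:
        return False  # archive corrupted or altered since it was written
    with tempfile.TemporaryDirectory() as scratch:
        with tarfile.open(archive, "r:gz") as tar:
            for member in tar.getmembers():
                parts = Path(member.name).parts
                if Path(member.name).is_absolute() or ".." in parts:
                    return False  # refuse entries that would write outside `scratch`
            tar.extractall(scratch)
        restored = Path(scratch) / source.name
        for original in source.rglob("*"):
            if original.is_file():
                twin = restored / original.relative_to(source)
                if not twin.is_file() or sha256_file(twin) != sha256_file(original):
                    return False  # a file is missing or differs after restore
    return True


def run_demo() -> dict:
    """Back up a constructed project tree, verify it, then show that corruption is caught."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "projects"  # constructed sample data, not real project files
        (src / "site-42").mkdir(parents=True)
        (src / "site-42" / "schedule.csv").write_text("task,start\nfoundation,2024-05-01\n")
        (src / "defects.txt").write_text("latent defect period: 12 years\n")
        dest = Path(tmp) / "offsite"  # stands in for a cloud bucket or off-network server

        archive = create_backup(src, dest)
        ok_before = verify_backup(archive, src)

        # Simulate damage in storage or transit by flipping one byte of the archive;
        # the digest check in verify_backup must now fail.
        data = bytearray(archive.read_bytes())
        data[-1] ^= 0xFF
        archive.write_bytes(bytes(data))
        ok_after = verify_backup(archive, src)
    return {"ok_before": ok_before, "ok_after": ok_after}


if __name__ == "__main__":
    print(run_demo())
```

In a real deployment the `offsite` directory would be replaced by a sync to storage that the production network cannot write to freely, and the restore drill would run on a schedule separate from the backup itself, so that a ransomware operator who gains control of the file server cannot quietly corrupt both the archives and the evidence that they restore.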

Secure mobile devices

Mobile devices are more challenging to secure than other data systems, but just as critical. Utilizing an enterprise management platform, such as Cisco Meraki, allows you to maintain enterprise-level control over all of your devices. These kinds of platforms ensure that individual devices are still managed centrally, and contractors can limit software installation, track devices using GPS, disable devices, and more.

Protect software and servers

When it comes to software and security risks in construction, contractors should choose platforms and software providers that take security seriously. Granular permissions, user-friendly management systems, and multi-factor authentication, for instance, are all must-haves in any construction software.

By using cloud-based, connected construction software, contractors shift the responsibility of maintaining servers, ensuring SOC 2 Type II compliance, and data backup and storage. Project and business data backups happen automatically, providing daily protection, with costs often included or rolled into users’ subscription costs. New software features and security functionality are also rolled out automatically.

By coupling the backups with cybersecurity protections, cloud vendors use the latest technologies to thwart cybercriminals and provide an extra level of protection not otherwise achieved through in-house backups. When shopping for business software, make security one of your first discussion points.

Additionally, your web and email servers need to be properly protected to avoid online attacks. Physical network servers need to be secured, and you need to ensure that any cloud-based solutions you’re using also implement rigorous security protocols.

Assure employee buy-in

Cybersecurity protection in construction requires every employee at every level to be fully engaged and actively vigilant. There are several steps to take to make that happen:

  • Ensure all employees receive regular cybersecurity training, especially if online workflows or procedures change.
  • Welcome feedback from team members and update cybersecurity policies and processes as needed.
  • Counsel employees on everyday things to look for before opening email, like spelling and grammar errors, verifying the sender’s email address, and never opening unexpected attachments.

Take the first step: get started

The most important step is the first one. The UK government offers two certifications – Cyber Essentials and Cyber Essentials Plus – that are crash courses in the basics to keep businesses safer from cybercrime. While they don’t replace a cybersecurity risk assessment, they will show you how to do one and how to select the security measures your business needs.

Anywhere your data is stored or used is a potential entry point into your company’s digital existence. It only takes one slip to allow malicious code or ransomware in, and once it’s there, it can cause millions of pounds’ worth of damage.

The post Cyberattacks: Safeguarding Contractors appeared first on Jama Software.

Expert Perspectives: A Deep Dive Into Risk Management and Designing for Cybersecurity & Patient Safety
https://www.jamasoftware.com/blog/expert-perspectives-a-deep-dive-into-risk-management-and-designing-for-cybersecurity-patient-safety/
Tue, 16 Jul 2024 10:00:51 +0000

The post Expert Perspectives: A Deep Dive Into Risk Management and Designing for Cybersecurity & Patient Safety appeared first on Jama Software.

In this blog, we recap our webinar, “Expert Perspectives: A Deep Dive Into Risk Management and Designing for Cybersecurity & Patient Safety.”


Expert Perspectives: A Deep Dive Into Risk Management and Designing for Cybersecurity & Patient Safety

Welcome to our Expert Perspectives Series, where we showcase insights from leading experts in complex product, systems, and software development. Covering industries from medical devices to aerospace and defense, we feature thought leaders who are shaping the future of their fields.

With more than 30 years of experience and a mission to elevate knowledge and proficiency in medical device risk management, Bijan Elahi has worked with both startups and some of the largest medical device companies worldwide.

In this presentation on Risk Management and Designing for Cybersecurity & Patient Safety, Bijan covers:

  • Significance of a comprehensive risk management approach, including safety and security, for medical devices
  • Interfaces between safety and security risk management processes, and how they interact with and complement each other
  • Upcoming industry trends that impact risk management (safety, security), such as AI/ML, the rise in connected devices, and wearable devices

Below is a preview of our webinar.

The following is an abbreviated transcript of our webinar.

Kenzie Jonsson: Welcome to our Expert Perspective series, where we showcase insights from leading experts in complex product, systems, and software development. Covering industries from medical devices to aerospace and defense, we feature thought leaders who are shaping the future of their fields. I’m Kenzie, your host, and today I’m excited to welcome Bijan Elahi, a world-renowned expert on safety risk management for medical technology. With more than 30 years of experience and the mission to elevate knowledge and proficiency in medical device risk management, Bijan has worked with both startups and some of the world’s largest medical device companies. Without further ado, I’d like to welcome Bijan, who’ll be presenting on risk management and designing for cybersecurity and patient safety.

Bijan Elahi: Hello. My name is Bijan Elahi. I’m delighted to be speaking to you about cybersecurity and medical device risk management. Before I start, I’ll briefly introduce myself. I am a technical fellow, a professor, and the founder of MedTech Safety, an education and advisory company. To give you a little background about myself, I come from the industry and have been a medical device product developer for most of my career. Most of the products that I have developed have been class III implantable devices such as pacemakers, defibrillators, and deep brain stimulators. Now, I’ve also developed a kidney dialysis system, which includes disposables. I’m based in Florida, but I teach and advise worldwide. Risk management is my passion. I have trained over 10,000 individuals worldwide in the latest knowledge and best practices in risk management.


Elahi: The companies that have benefited from my training range from small start-ups to the largest MedTech companies in the world. And here’s the sampling. I am also active in academia, for example, at Delft University of Technology and Eindhoven University of Technology in the Netherlands, where I teach a graduate course to doctoral students in engineering. I am also an affiliate professor at Drexel University Graduate School of Biomedical Engineering and Health Science, where I teach safety risk management for medical devices. And lastly, I’m a contributor to the standard ISO 14971, and the author of two very popular books on medical device risk management published by Elsevier Publishing in the UK under the label of Academic Press. My publisher tells me that my books are bestsellers in the genre of medical books for them, and they’re available at all major booksellers such as Amazon.

So now let’s talk about cybersecurity and safety risk management. The threat of cybersecurity on medical devices is a rising concern as there’s an ever-increasing interconnectivity, interoperability, and reliance on digital technologies. Medical devices such as pacemakers, insulin pumps, and imaging systems often contain sensitive patient data and are integral to patient care. Cyber attacks on these devices can lead to severe consequences, including tampering with the device functions, unauthorized access to patient information, and destruction of critical healthcare services. The potential for harm is significant. For example, incorrect diagnosis, treatment delays, or even direct physical harm to patients. As cyber threats become more sophisticated, we need robust security measures, smart designs, and continuous monitoring to protect these vital components of modern healthcare systems. The safety impact of cybersecurity exploits must be considered in the overall residual safety risk of medical devices.

Safety risk management is distinguished from cybersecurity risk management. Safety risk management is primarily concerned with the safety of patients, users, and the performance of medical devices. This involves identifying, evaluating, and controlling the risks of harm to patients or users due to device malfunctions, use errors, or adverse interactions with the human body. The focus is on ensuring that the device functions safely and effectively under normal and fault conditions. On the other hand, cybersecurity risk management is focused on protecting the device and its data from malicious cyber-attacks and unauthorized access, which may have nothing to do with safety. Many hospital systems are currently under ransomware attacks with the intention of financial exploitation. Security risk management involves implementing measures to protect the data confidentiality, integrity, and availability of healthcare systems. Although these topics are distinct, there is an overlap between them.


Elahi: As mentioned before, there are different exploits that cyber attackers seek. Some are not safety-related. For example, private patient data, software codes or algorithms, financial data, money, et cetera. A famous example is the WannaCry cyber attack, which unfolded in May of 2017, causing widespread disruption across the globe. It all started on the 12th of May 2017, when many organizations began to notice that their computer systems were being encrypted and locked by ransomware demanding payment in Bitcoin to unlock them. The ransomware, known as WannaCry, exploited a vulnerability in Microsoft Windows. The attack affected hundreds of thousands of computers in over 150 countries. Major organizations and institutions were hit, including the UK’s National Health Service, also known as the NHS, FedEx, and many others. The impact on the NHS was particularly severe because medical staff were unable to access patient records, leading to significant disruptions in healthcare services.

As you can see, this was a cyber attack with the intention of financial exploitation, but it ended up having a patient safety impact as well. A comprehensive risk management strategy for medical devices must integrate both safety and security measures. This ensures not only that devices are safe from operational risks, but also that they are protected against growing threats of cyber attacks, thereby safeguarding patient health and data integrity in a holistic manner. An interesting side note to the WannaCry story is that this vulnerability was known by Microsoft, and they had released a security patch in March of 2017, two months before the cyber attack, but many hospitals and organizations had not applied the patch and remained vulnerable. This is a common issue even today, and many medical devices and healthcare systems remain vulnerable despite the available protections.

