Punt for the Win

The most valuable thing a consultant can offer isn't always the work they do — sometimes it's the work they choose not to do. Knowing when an existing solution outperforms an independent one, and knowing how to secure it on the client's terms, is a discipline in its own right.

The System

A manufacturer of precision agricultural instrumentation was developing a grain moisture analysis device. This wasn’t their first such device, but it was a major improvement over their previous one. The competition in the market was heating up. They were developing their new product for the international market, and cybersecurity would be a big factor in determining which markets they could enter.

The moisture content of grain has a large effect on its weight, so wetting down a truckload is one way that someone might “put their thumb on the scale” before a sale. Moisture content can also be affected by accidental factors in storage or transport, even just the ambient humidity. Cybersecurity concerns exist because someone might want to alter the moisture analyzer's result to their own advantage.

The toughest regulatory standard they faced for the first release was from Brazil’s regulatory body, INMETRO.  In order to offer the device for sale in Brazil’s lucrative agricultural marketplace, they would need to conform to the INMETRO standard for metrology devices.

The Challenge

SafeCode's consultant was playing a major role in the INMETRO compliance.  For past devices, the client had not been concerned with device cybersecurity, but this one was an internet-connected instrument, and they were taking it very seriously.  The consultant had full responsibility for establishing requirements, adapting the software architecture, and developing C# packages that implemented security.  In addition to this, both of the processor boards contained within the device would need to be outfitted with secure boot functionality.

The Approach

With respect to secure boot, after evaluating various open-source solutions that might give the work a jump-start, the consultant estimated that he could get both boards done in a 6-week timeframe. This seemed reasonable, and the client was on board. Still, the consultant thought that it might be in the client’s interest to do a little more investigating.

He reached out to a well-regarded embedded security firm for some information.   As it happened, the firm had already implemented secure boot for processors in the same family as the client's hardware. Adapting it would require only minor work. Initial negotiations opened at $20,000 for a turnkey solution with full ongoing vendor support, delivered in two weeks' time.

The consultant noted that the program had some schedule flexibility and offered the firm a more relaxed delivery window in exchange for a lower price. They agreed to $10,000 for the same package. The recommendation was straightforward.  Client management was ecstatic.

The Outcome

The client received a professionally supported, vendor-delivered secure boot implementation at a cost that was a fraction of what independent development would have cost.  As it was being developed, SafeCode’s consultant was able to keep his focus on other security-related work. It is a principle SafeCode holds consistently: the best solution for the client is not always the one the consultant builds. Sometimes the right answer is knowing what already exists, who can deliver it, and how to negotiate the right arrangement. The client’s best interest is always a top priority.