Vaisala’s Indigo500 series of transmitters are host devices for the company’s range of stand-alone smart probes, which measure parameters like carbon dioxide, humidity, dew points and temperatures in demanding applications. The transmitters are used globally in a wide range of locations, from pharmaceutical plants and malthouses to agricultural facilities and maritime environments.

Vaisala’s Lead Software Engineer, Veli-Pekka Peltola and Product Owner, Arto Kiiskinen, both work closely with the Indigo500 series, which has been in development for seven years and in production for over four. They both agree that being able to assure customers that Indigo500 transmitters are secure from hacks and attacks is a key part of the product’s offering.

Vaisala has an in-house security team that’s in charge of coordinating company-level security requirements and platform-level development, and helping each product team ensure the products they develop are secure. But the product teams, each with its own “security champion,” handle things like regular threat modeling and security testing.

Vaisala made the decision to partner with the team from WithSecure Consulting to conduct a new security assessment for the Indigo500 series based largely on our reputation in the field. As the Indigo500 series has evolved, Kiiskinen and Peltola were both focused on keeping the components up to date and catching any vulnerabilities that may have been present. “We regularly like to bring in outside insight to keep the device security at a top level.”

Vaisala’s Security Chief shortlisted three potential cyber security partners, knowing that expertise and the desire to get the assessment done on a tight schedule would both be big factors in choosing the right partner. “WithSecure Consulting exceeded our expectations from the first contact, and it was an easy decision because of their reputation as an industry leader and ability to deliver within our timeline,” Kiiskinen explains.

How did WithSecure Consulting help?

To begin, our team worked with Vaisala to first define the security assessment’s scope; we had to understand how Indigo500 transmitters are used and the emphasis that customers put on security. Most customers connect their device to an internal network, which means it has to be as secure as possible from hacks or other attacks. Some also take advantage of remote monitoring through the cloud.

Together, we decided to exclude physical access from the scope of the investigation, which is something customers themselves need to maintain and focused the scope on available wired connections to the device.

Small fixes, significant impact

Since it had been four years since the Indigo500’s first security assessment, the product team was pleasantly surprised that this one turned up just a few issues that were quick and easy to fix. “The main benefit for us is that we can now say with confidence that the security of the Indigo500 series of transmitters is very high,” Peltola adds.

Both agree that regular external security assessments are a good way to keep the product security at a confirmed high level. And the successful partnership with our team at WithSecure Consulting has them thinking about further expanding the threat horizon in future assessments.

Lastly, Kiiskinen says that WithSecure Consulting’s reputation as a leader in the cyber security space also reflects well on them. “By partnering with WithSecure Consulting, we’re able to show our customers they can trust that Vaisala is always on top of ensuring the security of this and all of our devices.”

And that is a great example of a partnership built on trust.