NIS2 COMPLIANT CYBER SECURITY

SECURE DEVELOPMENT LIFE CYCLE PROCESS

Honeywell has developed a robust system for considering security at the outset of product conception and during development, as well as responding to potential vulnerabilities in existing products. This system, Honeywell’s Secure Software Development Lifecycle (SSDLC) initiative, has evolved and grown even more robust over the past few years.

Honeywell takes product security seriously. Our products go through a robust and comprehensive penetration testing regimen. In some cases, additional independent security testing is conducted. The criteria for this additional testing as well as which products or offerings are selected for this are closely held proprietary information.

We have a robust and comprehensive Secure Development Life Cycle (SDLC) based on best practices and industry standards that includes the following:

• Security Risk Assessment based on the threat environment faced by a particular product or offering as well as the technical features and customer needs

• Security Requirements and security controls based on industry standards and guidelines such as BSIMM, ISA/IEC 99/62443, ISO 27001, PCI DSS, GDPR, OWASP, applicable local laws and regulations, and others depending on the product or offering and the Security Risk Assessment

• Privacy Impact Assessments

• Threat Modeling

• Secure by Design, Privacy by Design and Secure Coding standards and practices

• Static Application Security Testing (SAST, also known as source code scanning) to enforce secure design and coding practices. We scan for OWASP Top 10 and SANS Top 25 vulnerabilities as well as for language-specific quality measures. Current SAST tools include SonarQube and Coverity depending on product and language needs.

• Binary scanning to identify open source usage and potential vulnerabilities.

• A formal Risk Management Policy that requires specific mitigation timelines based on severity

• Review and approval of cybersecurity by senior leadership prior to product shipment

• Lifecycle support and customer notification for security updates.

An audit team of Honeywell performs checks to ensure that security deliverables required under Honeywell’s Secure Development Life Cycle processes are completed.

Honeywell completes training programs for its employees on the company’s security process and on specific cybersecurity concerns and solutions.

All software engineers in Honeywell receive formal training on the Secure Development Life Cycle process and general cyber/product security topics.

HONEYWELL CYBERSECURITY REPORTING POLICY

The goal of our Product Security Incident Response Team (PSIRT) is to minimize customers’ risk associated with security vulnerabilities by providing timely information, guidance and remediation of vulnerabilities in our products, including software and applications, hardware and devices, services and solutions. This team manages the receipt, investigation, internal coordination, remediation and disclosure of security vulnerability information related to Honeywell products.

PSIRT coordinates the response and disclosure of all externally identified product vulnerabilities.

REPORTING A POTENTIAL SECURITY VULNERABILITY

We welcome reports from independent researchers, industry organizations, vendors and customers concerned with product security.

To find out more information on how to report a potential vulnerability, please visit the Vulnerability Reporting webpage at https://www.honeywell.com/us/en/product-security#vulnerability-reporting

COORDINATED VULNERABILITY DISCLOSURE (CVD)

We strive to follow Coordinated Vulnerability Disclosure (CVD). This process allows independent reporters who discover a vulnerability contact Honeywell directly and allow us the opportunity to investigate and remediate the vulnerability before the reporter discloses the information to the public.

The PSIRT will coordinate with the reporter throughout the vulnerability investigation and will provide them with updates on progress as appropriate. With their agreement, the PSIRT may recognize the reporter on our acknowledgments for finding a valid product vulnerability and privately reporting the issue. After an update or mitigation information is publicly released by Honeywell, the reporter is welcome to discuss the vulnerability publicly.

Following the CVD allows us to protect our customers and at the same time coordinate public disclosures and appropriately acknowledge the reporter for their finding. If a reported vulnerability involves a vendor product, the PSIRT will notify the vendor directly, coordinate with the reporter or engage a third-party coordination center.

Please refer to https://www.honeywell.com/us/en/product-security for further information.