Acuity Brands Forms IoT Product Security Incident Response Team (PSIRT)

Acuity Brands Inc., based in Atlanta, Georgia, USA, announced the formation of PSIRT, the Product Security Incident Response Team.
Acuity says that PSIRT will supplement existing security programs that coordinate stakeholder interests concerning security issues that could impact connected products and cloud-based infrastructure.

PSIRT will service all Acuity Brands products containing a software component in their use, maintenance or management. Additionally, the team will manage the receipt, investigation, and notification process with an extended group of collaborators. These collaborators may include other vendors, customers, consultants, security researchers, and academic institutions.

PSIRT Provides Centralized, Proactive Security Issue Response

According to Acuity, PSIRT offers a proactive and centralized approach for security issues arising from the increasingly digital market. The company designed this approach to reduce the response time for releasing patches for security vulnerabilities and to improve the security posture of Acuity’s technology-based products and services.

Acuity Brands outlined the phases of the PSIRT security response process.

First, during the Awareness phase, PSIRT receives information regarding a potential security vulnerability. Then, in the Triage phase, the report is validated and prioritized, and resources are identified. Afterward, in the third phase, Analysis, an impact assessment is conducted and a remediation plan is developed.

Later, in the Coordination phase, all collaborators are made aware of the timelines of the remediation plan. During the Remediation step, fixes are released, and cloud-based services are updated. Then in the Notification step, affected customers are notified of the updates.
Finally, in the Feedback phase, post-remediation activities are performed.

“To continually improve our best practices, Acuity Brands has joined the Forum of Incident Response and Security Teams (FIRST), which fosters cooperation and coordination in incident prevention, stimulates rapid reaction to incidents, and promotes information sharing among members and the community at large,” said Mark-David McLaughlin, director of security and risk management, Acuity Brands Lighting. “FIRST’s documentation and the ISO 30111 standard were used as references for the development of the PSIRT program.”

PSIRT will be focused on, but not limited to, the products sold under the brands: AIR, ROAM®, Atrius™, Dark To Light® (DTL), DGLogik, Distech Controls®, eldoLED®, Fresco™, Holophane®, IOTA®, Lucid®, LC&D™, nLight®, nLight®, Sensor Switch®, Synergy®, and XPoint™ Wireless.

Acuity points out that the enhanced customer communications strategy, including security bulletins and a dedicated contact, is integral to this effort. Acuity Brands advised customers to subscribe to its security bulletins to receive timely updates.