Security management

Our commitment to security management

At u-blox, we are committed to ensuring and continually improving the security of our information assets (including assets shared with us by customers or suppliers), products, sites and services in order to protect them from cyberattacks. We also ensure full compliance with the cybersecurity and data protection laws, regulations and standards that apply to our business.

To achieve these commitments, we have established an integrated Management System for Security, Business Continuity and Enterprise Risk Management:

[Figure: the u-blox integrated management system for security, business continuity and enterprise risk management]

We have a cross-functional security organization led by the Chief Security Officer, focusing on information security, product and service security, site security, supply chain security, and business continuity management. This team includes security experts in IT, product centers, and local sites.

The Executive Committee performs a quarterly management review and steering of the management system, which is in turn reviewed by the Audit Committee. Identified cybersecurity risks are reported quarterly to the Executive Committee and the Board of Directors.

We conduct regular internal security audits, engage external test labs for certifications, and run a selective bug bounty program with BugCrowd to identify vulnerabilities in our products, services and IT infrastructure.

Protecting our and our partners’ Information, IT Infrastructure and Systems

The u-blox Information Security Management System (ISMS) is certified against ISO 27001:2022. The security controls we implement to protect our information, IT infrastructure and systems are selected based on common security principles (including four-eyes approval for business-critical security decisions and actions, least-privilege access, and secure-by-default IT systems) and on relevant industry standards and guidelines (e.g., ISO 27002, NIST).

To ensure that we detect and stop cyberattacks, our Information Security Team is reinforced by an external Security Operations Center (SOC) and a comprehensive security monitoring toolchain.

To enable our employees to help achieve our security goals, we are continuously working to establish and maintain a Security Culture at u-blox:

  • Protecting u-blox and our customers from cyberattacks is one of the principles in our Code of Conduct, on which every employee is trained annually and which every employee must adhere to.
  • Every u-blox employee must complete the mandatory annual security policy and awareness e-learning program, and we conduct security awareness exercises such as phishing simulations.
  • Our security experts maintain and expand their skills through external certifications and training, and we also run a “Security Champions” program that enables non-security employees to build security skills.

Ensuring Business Continuity

To ensure continued product and service delivery to our customers, we proactively identify threats to our business continuity and prepare adequately to address these scenarios.

Our business continuity management program, aligned with ISO 22301, aims to prepare us for foreseeable disasters and ensure that we can continue to supply products and provide services to our customers during times of crisis.

Providing secure products and services

At u-blox, we are committed to providing secure products and services for our customers. We also acknowledge, and actively contribute to addressing, the cybersecurity risks in our target markets, such as automotive solutions, industrial OT and consumer IoT. To protect our customers, and the users of their products, against the many and varied threats their devices and data face in the connected world, we focus on creating secure products. IoT security is complex, fast-moving and multifaceted. To address this challenge, u-blox has established product standards, based on industry requirements and best practices for the secure design and production of products and services, that form the foundation for building new generations of secure devices.

We continuously monitor security requirements in critical markets such as Operational Technology (OT) and automotive. We also monitor and adopt requirements from mandatory regulations, such as UNECE R155, the cybersecurity requirements added to the Radio Equipment Directive (RED), and relevant industry standards.

Cybersecurity information sharing with customers, suppliers, and industry peers

We also acknowledge the importance of our vendors in achieving our security and business continuity goals. Therefore, we strive to ensure security throughout our supply chain, and we always seek to establish a close and constructive collaboration with our suppliers and subcontractors.

To achieve this, we integrate security and business continuity requirements into the supplier lifecycle. Depending on the supplier type and criticality, our security experts assess the security and business continuity posture of suppliers against our internal and external standards, and work with the Sourcing department to ensure that the corresponding requirements are considered during supplier selection and contract negotiation.

Furthermore, to stay up to date on the latest threats, vulnerabilities and best practices, our security experts maintain close ties with standardization organizations such as the GSM Association (GSMA) and the Bluetooth Special Interest Group (Bluetooth SIG), as well as with local and international industry peer groups, through membership and collaboration in various working groups.

How we handle security issues

Through our Cybersecurity Management System, we strive to find and fix vulnerabilities in our products and services before they are released to our customers. Whenever we discover, or are notified about, a vulnerability in an already released product, we trigger our Security Issue Handling process. This ensures that we understand the vulnerability's impact and that we either fix it (where warranted and technically feasible) or offer our customers an alternative solution that addresses their security risk.

If you are a customer and have discovered a vulnerability in one of our products, please raise a support ticket.

Are you a security researcher and have discovered a vulnerability in our website, services or products?