On November 9, 2020, the European Union Agency for Cybersecurity (ENISA) issued a 50-page Guidelines for Securing the Internet of Things (IoT) (the guidelines). In its report, ENISA provides IoT stakeholders with an overview of the actual IoT supply chain, a review of potential (cyber)threats to it, as well as actual measures that could be put in place to mitigate exposures. ENISA recommends a ‘security by design’ approach ensuring that all stages of the IoT device lifecycle are considered in identifying and addressing potential security issues.

Companies need to build a high level of resilience by investing in security measures to detect and prevent threat across their supply chain. This requires not only to be aware of the actual threats but also to be cognizant of the IoT ecosystem. Extensive use of certified supply chain partners (e.g., ISO 27036 and ISO 28000, or NISTIR 8259) might help, as the implementation of the best practices as laid down in the guidelines. We briefly discuss these topics below.

Systematic Approach to IoT Supply Chain Threat Landscape

Threat identification is, according to the guidelines, the first step of successful risk management. The guidelines approach threats in a systematic way, breaking them down between: (i) traditional physical attacks (sabotage, grey market); (ii) IP loss (IP thefts, reverse engineering); (iii) cyberthreats; and (iv) other abusive practices (counterfeits); but also identify (v) non-compliance with standard or regulatory compliance (or even different interpretation of regulatory thresholds); as well as (vi) user errors, as actual threats that might have significant impacts on the security of the IoT supply chain.

Supply chains in general (IoT ones, in particular) are particularly vulnerable to cyberthreats; this comes from the fact that they include various actors with different security maturity levels and that vulnerabilities of the weaker point might have cascading effects along the chain. Therefore, companies need to map the risk across their supply chain and act according to the threat landscape.

Need to Map Actual IoT’s Supply Chains

The guidelines do a great job of providing both a general supply chain reference model (i.e., presenting an overview of the various phases of a supply chain, with associated threats in mind), but also in mapping with a great degree of detail the activities specific to the stages (including the correlation among each stage) of the IoT supply chain.

The IoT lifespan begins with designing the products and services. At this point, the basic security foundation should be defined and established. Yet, the most critical moment of an IoT lifespan is when products and software are developed. A lack of communication among the different suppliers and no visibility into the different components at that point can create security loopholes that can impact the entire supply chain. IoT devices are very susceptible to malfunctioning components, making the repair and oversight of devices a focus of the supply chain. Lastly, the disposal of IoT devices, at the end of a lifespan, can be particularly challenging. The secure removal of the vast amount of data stored on devices, as well as concerns related to the physical disposal of devices, need to adhere to security standards by adopting harmonized data removal techniques.

Actual Measures to be Considered to Increase Resilience

After establishing an accurate mapping of the threat landscape, the guidelines command companies to develop risk mitigation strategies to address the potential threats along the supply chain. The guidelines provide for a taxonomy of such measures, broken down between actors (ACT), processes (PRO) and technologies (TEC).

  • For actors, the guidelines set expectations on how actors in the supply chain are to think and approach IoT supply chain security. This can take various forms, such as raising awareness and providing continuous risk-based training for their own employees and those of key suppliers, or increasing education of end-users to security risks.
  • For processes, the guidelines are suggesting a variety of measures but at the core they come down to adopting ‘security by design’ principles. That includes minimizing trust assumptions and the creation of supply chain integrity metrics, but also the development of a threats model specific to the IoT supply chain, as well as ongoing (up to at least the end of the warranty time, even if the guidelines are calling for an end-of-support date) security patches, at no additional costs.
  • On technologies, the guidelines call for a set of measures to be applied to predict, detect, and reduce vulnerabilities and threats, but also for the integration of authentication mechanisms into components to increase traceability.

In addition to those sets of good practices, the guidelines suggest that increasing the supply chain resilience should be implemented not only vertically (i.e., between suppliers and customers) but also horizontally by the establishment of industry regulations or common frameworks.

Organizations should navigate and embark into mapping their supply chain ecosystem, and the guidelines may offer good support as a start. Risk assessments and relevant cybersecurity measures can mitigate vulnerabilities, increase users’ trust and, eventually help companies when their practices are being scrutinized by regulators.

“Technology trust is a good thing, but control is a better one.”