When it comes to the Internet of Things, traditional cybersecurity approaches are difficult to integrate and can’t keep operational devices secure. Many embedded device approaches isolate systems, offering only partial protection, and only against known attack vectors. Could all of our IoT security issues be resolved through a simple tweak to the supply chain?
In my mind, yes, if we start thinking about it as the IoT Supply Chain of Trust. The IoT Security Foundation coined the idea in May 2016: IoT security has no single owner, and all vendors have a duty of care to their direct customers and the wider ecosystem.
Let’s think about it in a slightly more practical manner. If you are a manufacturer, the Supply Chain of Trust is knowing from where you’re sourcing software or hardware and understanding the security inside of whatever it is you’re sourcing. It boils down to taking ownership of each layer of security.
The problem
With more than 8 billion IoT devices expected to be in use worldwide in 2017 – up from 6 billion in 2016 – according to Gartner, the promise of exponential growth is imminent. It’s gotten to the point where every company, no matter their business, thinks they need to create an internet-connected product.
The problem is that these companies are focused solely on the manufacturing of their widget, and not the parts and pieces that make up that widget. Thus the need for the IoT Supply Chain of Trust.
For example, say a company wants to make a shiny new widget with Wi-Fi capability. They typically won’t create a Wi-Fi chip from scratch; they’ll purchase a chip from a company that has already produced millions of these chips.
But this widget-producing company, which doesn’t specialize in security, doesn’t take the time to understand and test the security protocols of the chip manufacturer. If they don’t take the time to understand where the chip is coming from, the firmware required to run that chip, and how susceptible that chip is to being hacked, then they’re building a very insecure component into their prototype.
Think about all of the components that are built by third parties that end up in the final widget. An IoT device is only as secure as its weakest layer.
Sure, we could blame it on the pressure on companies to get IoT products to market, but sadly, I think it still stems from a deficiency of good cybersecurity governance. Everyone is happy to talk about their cyber posture, but we still lack regulated security standards and widespread adoption of existing industry best practices for IoT manufacturing. We want to point fingers and only cover our own risk.
What’s the solution?
The long-term solution: a certification process. While many industry groups are working on these efforts, we can’t wait for these standards.
In the short-term, there are two approaches.
First, if you’re purchasing IoT devices for yourself or your enterprise, take the time to do your research. There are many options from reputable companies with good security track records. When examining costs, factor in funds required if your business suffers a breach from letting an unsecured device onto your network.
Second, if you’re manufacturing IoT devices, consider the security of each piece of hardware you build into your device. One company that does a great job of this is Taser, a developer, manufacturer and distributor of conducted electrical weapons, body cameras and digital evidence management solutions. Taser creates an internal team of hardware, software and security experts to vet all products before they go to market. This diverse group considers how the product will integrate into the existing product mix, ensures security exists and conducts penetration testing. The company’s upfront investment ensures the supply chain of any new device is considered.
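To make the "weakest layer" rule and the per-component vetting described above concrete, here is an added example (my own, not code from the article, from Taser, or from any vendor). It models a device as a bill of materials of third-party layers, records for each layer the evidence a review team would want (source identified, firmware origin known, security review done, penetration test done, no open vulnerabilities), and scores the whole device as its worst layer. The check names, component names, vendors and evidence values are all constructed sample data, not a real product.

```python
"""Supply-chain-of-trust checklist for an IoT device bill of materials.

Added example, not from the article or any vendor. A device is modelled as
a stack of sourced layers, and the device is scored as its weakest layer.
All component names, vendors and review evidence below are constructed.
"""
from dataclasses import dataclass, field

# Evidence a manufacturer's review team would want for every sourced layer.
# Each entry is a yes/no fact recorded about one component (assumed set).
CHECKS = (
    "source_identified",      # we know which vendor supplied this layer
    "firmware_origin_known",  # we know who wrote the firmware it runs
    "security_reviewed",      # internal hardware/software/security review done
    "pentested",              # penetration test performed against this layer
    "no_open_vulns",          # no unpatched known vulnerabilities at ship time
)


@dataclass
class Component:
    name: str
    vendor: str
    evidence: dict = field(default_factory=dict)

    def score(self) -> int:
        """Number of checks satisfied, 0..len(CHECKS)."""
        return sum(1 for c in CHECKS if self.evidence.get(c, False))

    def gaps(self) -> list:
        """Checks that are missing, in CHECKS order."""
        return [c for c in CHECKS if not self.evidence.get(c, False)]


def weakest_layer(components):
    """The component with the fewest satisfied checks."""
    return min(components, key=lambda c: c.score())


def device_score(components) -> int:
    """Weakest-link aggregation: the device scores what its worst layer scores."""
    return weakest_layer(components).score()


def release_gate(components, required=len(CHECKS)):
    """Go/no-go decision plus the per-component gaps that block release."""
    blocking = {c.name: c.gaps() for c in components if c.score() < required}
    return (not blocking, blocking)


# Constructed bill of materials for a hypothetical Wi-Fi widget.
SAMPLE_BOM = [
    Component("wifi-soc", "ExampleChipCo", {c: True for c in CHECKS}),
    Component("wifi-firmware-blob", "ExampleChipCo", {
        "source_identified": True, "firmware_origin_known": False,
        "security_reviewed": False, "pentested": False, "no_open_vulns": True,
    }),
    Component("application-mcu", "ExampleMcuInc", {c: True for c in CHECKS}),
]

if __name__ == "__main__":
    ok, blocking = release_gate(SAMPLE_BOM)
    print("device score:", device_score(SAMPLE_BOM), "/", len(CHECKS))
    print("release:", "go" if ok else "no-go")
    for name, gaps in blocking.items():
        print(f"  {name}: missing {', '.join(gaps)}")
```

Run as-is, the sample fails the gate: the silicon and the application MCU are fully vetted, but the vendor-supplied firmware blob running on the Wi-Fi chip has never been reviewed or tested, so the device as a whole scores 2 out of 5 and the report names exactly which evidence is missing. Using the minimum rather than an average is the point: a fully vetted MCU does not compensate for an unvetted radio firmware.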
Until we have organizations stamping IoT devices “good” or “bad,” businesses need to be diligent about baking in security at every layer.