The proliferation of the IoT supply chain has been one of the defining technology success stories of our time. Across multiple sectors, the IoT has become the operational bedrock behind many systems and processes.
However, there is still lingering doubt about the security of these devices, one that has resurfaced in recent months after the discovery of the Ripple20 flaws – a collection of 19 hackable bugs in a code module used across hundreds of millions of IoT devices, ranging from sensors in power grids to medical infusion pumps. While many of the affected vendors released software updates to mitigate the vulnerabilities, these did not provide a full ‘fix’ in any way, leaving affected IoT devices in various sectors unable to be updated or patched.
The Ripple20 story is unfortunately not an isolated one, but a microcosm of the IoT supply chain landscape. Device digital identity authentication is very rudimentary, often relying on intuitive or reused passwords that are never changed. In addition, because modern supply chains are so complex and multi-staged, security flaws can be in place without the OEM’s knowledge.
In simple terms, far too many IoT devices have no built-in security protections or are shipped with default credentials that are widely available across the internet, often as a result of cutting security corners to reduce costs.
Another challenge is the complexity of the supply chain for IoT devices. The reason Ripple20 affects so many devices is that the code containing the vulnerabilities was developed by a third party, not the device manufacturer, as is common across supply chains. This means that the vulnerabilities do not just affect an isolated manufacturer, but every manufacturer that uses this code.
The complexity and lack of visibility across the supply chain leave many devices with a mix-and-match of code from different providers, and no way to ensure that all software elements are updated. Furthermore, many devices lack the Public Key Infrastructure (PKI) and authentication technologies needed to be secure.
As a result, supply chains that utilize vulnerable IoT components are themselves vulnerable.
To make IoT devices secure, manufacturers must build in security starting on the assembly line. Devices must have a strong identity programmed into the device during manufacturing using an automated and secure PKI solution. Also essential to strong IoT security is ensuring that the components used in each device do not have security flaws and that a mechanism is provided to securely update firmware once the device is in the field. If a device is secure from this initial stage, PKI is in place and secure updates are enabled, then it will be possible to ensure the security of the device throughout its lifecycle and across the supply chain.
Effective security relies on a combination of hardware, specifically hardware secure elements such as Trusted Platform Module (TPM) chips and digital security certificates. Once a TPM chip is in-built, it provides protection for a wide range of currently known attacks, making the supply chain that it operates across more secure by design.
Ultimately, supply chains are convoluted and IoT security is an ongoing challenge. Supply chains that leverage multiple suppliers in building IoT devices are at even greater risk. This complex ecosystem demands a security-by-design approach, so that manufacturers can be assured that the device is secure from the point of creation and security remains in place throughout the device’s lifecycle.
All organizations and businesses are exposed to a variety of risks via their supply chains, including financial, commercial, legal, compliance and information security.
The following are some of the key recent risks (focusing on confidentiality, integrity and availability) that have affected numerous businesses across their supply chains, ultimately impacting their customers, with some best practices for mitigation also outlined.
The first is the loss of key internal or third party resources – where a critical person or business that provides goods or services can no longer do so. A mitigation strategy would be to implement processes to identify critical suppliers and a plan to alleviate them or find a suitable alternative.
Next is the capacity of technology services to meet a spike in home working leading to an impact on internet, cloud, infrastructure services and communications (areas with poor mobile phone reception).
To address this risk, organizations should research alternative internet service providers, and if working from home is mandatory, offer the workforce some form of contribution towards upgrading their broadband or mobile internet.
Third-party access to key applications and online services is also an important factor to consider. Enforce multi-factor authentication and look into virtual desktop environments with data loss prevention controls or advanced encryption capabilities.
Then there is the issue surrounding data protection amidst the supply chain journey. It is vital to maintain a list of all third-party providers, including their names, type of service and contact details. This allows you to identify them and prevent any scam calls/instructions. Organizations can also implement client verification procedures to correctly verify the identity of a third party.
Lastly, what about the current situation impacting the ability to hold face-to-face meetings with key suppliers and third parties? Businesses must be willing and able to move to virtual meetings with security front of mind – enforce the secure use of pin entry for any virtual meetings so you can confidently know who your participants are.
With all of the above, it is important to ensure procedures, standards and guidelines are written and widely communicated to ensure business continuity/resilience planning. Success will be a result of strong planning and anticipation, rather than scrambling for an answer when things are already failing.
Every enterprise increasingly deals with suppliers that have access to corporate networks, sensitive corporate information or run critical business processes for them. It is no longer adequate to secure just your infrastructure because security issues within a supplier network can directly impact you. Recent security incidents at high profile outsourcing organizations have made it clear that enterprises need to carefully understand and manage their supplier risks.
Supplier risks are enterprise risks – that is, you should use the same risk classifications for suppliers as you do for internal processes. For example, there may be operational risks from outsourcing a key process, there may be reputational risk from a data exposure at a supplier, or there may be industrial risk due to the location of a supplier’s office.
Most companies implement a tiered model for evaluating supplier data security risk. An example of a three-tier model could be:
- Tier A: Third party has direct access to the enterprise network, access to bulk sensitive data or is performing a completely outsourced service
- Tier B: Third party has indirect access – e.g. uses virtual desktop infrastructure (VDI) – to the enterprise network or access to bulk data
- Tier C: All other engagements
A tiered model allows you to prioritize the riskiest suppliers and perform more detailed assessments of their security, because, to be clear, you will always have a resource constraint while running a supplier risk management program.
Once completed, suppliers are assessed for their current security practices (for example, by showing evidence of a completed audit or by completing a questionnaire with attestation). Keep in mind that these are point-in-time assessments.
Contractual terms are then built into engagements to provide strong governance (for example, limiting liability for the company, requirements to report data breaches and privacy guarantees).
Finally, some sort of ongoing monitoring of higher risk suppliers is implemented (for example, annual reviews of Tier A vendors). I recommend the following process flow to ensure that supplier risk is minimized.
- Centrally procure suppliers – this reduces ‘supplier-creep’ and ensures a single point of control for security (and privacy, compliance, payment, etc.)
- Use a single tool to manage security assessments
- Use an appropriate tier method to group equivalent risk suppliers into groups so you can apply consistent controls on them
- Use technologies such as VDI, anonymization and test data sets. These technologies minimize data exposure risks and also reduce your network’s visibility to the supplier network
- Use standard security contract language in all your engagements (note: this is harder than it seems because your suppliers want to use their standard security contract language as well)
- Consider implementing some variation of continuous control monitoring with suppliers. There are tools available in the industry, but use them with care. A tool that scans the internet-facing IP addresses of a supplier does not give any indication of your risk if the supplier has a private connection to you. While tools can be useful, make sure they’re solving the right problem for you
- Consider performing detailed audits of your most critical suppliers – independent certifications and self-assessments can only give you so much comfort
- Make the hard choices – disallow suppliers with weak security and force a company executive to understand and accept the risk if necessary