To effectively secure connected devices, we need to understand both the global supply chain and the local environment—and then apply accurate modeling to assess risk.
The Internet of Things is alive and well, ushering in an age of smart-everything: security systems, refrigerators, and even t-shirts. The connected device trend is growing: the total installed base of IoT-connected devices will exceed 30 billion in 2020, and that number is projected to balloon to over 75 billion in 2025. With so many personal devices that connect to the internet, what could possibly go wrong?
We know that webcams can be taken over, child monitors can be hacked, and pretty much anything with a connection can become a target. We also know that vendors can create exploitable entry points by placing “backdoors” on their devices that enable remote access for times when problems require assistance. And it’s not just the devices themselves and the backdoor access that present information security risks: because IoT devices reside inside other products that are globally made and assembled, we are forced to examine the entire supply chain.
For effective IoT supply chain security, first consider the full global picture
We live in a global economy, and vendors support their products from hub locations found in different geographic regions around the world to accommodate 24x7x365 schedules. Thus, a support rep in Ireland may have access to an embedded chip found in a device that was assembled in China and presently resides in the United States. Furthermore, the device could also be supporting work in yet another environment when that device or device user accesses another device.
While industry standards and quality control inspections aim to restore some control to an otherwise unwieldy global process, we are still vulnerable to security risks when we consider the many hands—and many countries—that touch the connected devices we bring into our homes. As supply chains have grown, so have the security risks and vulnerabilities. Security professionals should be aware of the global supply chain that supports our embedded devices when assessing the risk landscape.
Then look closely at the local environment
In addition to the global view, we need to look at the local environment and apply accurate modeling to gain a true understanding of risk. Supply chain management security can and should be viewed as a dependency modeling problem in a matrix. While dependency modeling is commonly used to help organizations establish a consistent definition of risk across the enterprise, the matrix component is especially helpful in the IoT age. Why?
Because the embedded devices used in IoT are made by a relatively small number of manufacturers. These devices are then placed into many different environments, where they receive their requests (on/off) through interfaces. Thus, a vulnerability on one chip can affect many different industries, much like a vulnerability in a software library can affect many different environments. These dynamic environment considerations, plus the changing processing states that require monitoring, require us to move beyond the standard linear dependency models and into more of a matrix frame of mind that allows the “lines” to be combined into something far more complex and representative of the IoT age.
In addition to a failure occurring due to a vulnerability in the chip, failures can also occur in the local environment due to the interaction between the chip and the host. For example, a chip embedded in an abnormally cold environment can fail to perform as expected because of the extreme cold, while the same chip in a warmer environment will not fail. The contextual nature of the problem requires additional work in risk and threat modeling.
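The matrix view described above, sketched as an added example that is not part of the original article: one chip-to-product matrix and one product-to-environment matrix are combined to show where a single chip ends up, and a per-environment check flags the cold-environment failure case. Every chip, product, environment and temperature rating here is constructed for illustration.

```python
# Constructed sample data: every chip, product, environment and rating is hypothetical.
CHIPS = ["chip_a", "chip_b"]
PRODUCTS = ["webcam", "thermostat", "freezer_sensor"]
ENVS = ["home", "hospital", "cold_storage"]

# CHIP_IN_PRODUCT[i][j] == 1 when product j embeds chip i.
CHIP_IN_PRODUCT = [
    [1, 1, 1],   # chip_a: webcam, thermostat, freezer_sensor
    [0, 0, 1],   # chip_b: freezer_sensor only
]
# PRODUCT_IN_ENV[j][k] == 1 when product j is deployed in environment k.
PRODUCT_IN_ENV = [
    [1, 1, 0],   # webcam: home, hospital
    [1, 0, 0],   # thermostat: home
    [0, 1, 1],   # freezer_sensor: hospital, cold_storage
]
CHIP_MIN_TEMP_C = {"chip_a": -10, "chip_b": -40}   # rated lower operating limit
ENV_TEMP_C = {"home": 20, "hospital": 21, "cold_storage": -25}


def exposure_paths(chip):
    """Map each environment to the products through which `chip` reaches it."""
    i = CHIPS.index(chip)
    paths = {}
    for j, product in enumerate(PRODUCTS):
        if not CHIP_IN_PRODUCT[i][j]:
            continue
        for k, env in enumerate(ENVS):
            if PRODUCT_IN_ENV[j][k]:
                paths.setdefault(env, []).append(product)
    return paths


def contextual_failures():
    """(chip, product, env) triples where the host is colder than the chip's rating."""
    hits = []
    for chip in CHIPS:
        for env, products in exposure_paths(chip).items():
            if ENV_TEMP_C[env] < CHIP_MIN_TEMP_C[chip]:
                hits.extend((chip, p, env) for p in products)
    return hits


if __name__ == "__main__":
    for chip in CHIPS:
        print(chip, "->", exposure_paths(chip))
    print("context-dependent failures:", contextual_failures())
```

A flaw in chip_a reaches all three environments through different products, while the cold-storage failure appears only for the chip whose rating does not cover that environment, which a single linear dependency chain would not show.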
For IoT supply chain security professionals, the learning never ends
The challenge to security professionals is that they need to know not just the attack vectors but also the different hosts and host environments. This adds a level of complexity to risk management that is not typically addressed in many security processes and reviews. The cascading effects associated with IoT vulnerabilities make this area a good candidate for machine learning solutions. But before machine learning solutions can be applied, the problem requires accurate modeling.
IoT and the IoT supply chain are hot topics in the information security industry, and many institutions and organizations are conducting research in these areas now. Given the scale and magnitude of the issue, we will likely encounter many IoT security challenges with implications that span the globe. Security professionals will need to understand connected devices in a contextualized manner, and view the landscape as a dependency modeling problem in a matrix, or risk being overwhelmed by the data associated with the 75 billion connected devices that are on the way.