IoT Supply Chains: Where Risks AboundENISA Releases Guidance on Reducing IoT Supply Chain Risk
IoT devices are like sausages: They're full of components of varying quality, and it's invariably disturbing to think about their origins.
But the parts that make up the whole are important for the overall security of the devices. As IoT products are increasingly used in homes and enterprises, there's rising concern over the supply chain, which comprises everything from open-source software to semiconductors.
In a continuing series of IoT best practices and recommendations, the European Union Agency for Cybersecurity, also known as ENISA, has a released a 52-page guide addressing the cybersecurity challenges in the supply chain.
"A significant percentage of IoT devices use multiple units from different vendors and thus require a wide, and often complex, supply chain," according to the report. "This usually leads to a multifaceted logistic challenge, where keeping track of all the stages and sources is not an easy task."
Three Categories of Risk
ENISA breaks down its recommendations into three categories: actors, which refers to how manufacturers and suppliers should work with each other; processes and technology.
Working with suppliers means there's an inherent threat because one party doesn't have control over another's security measures, according to the report.
But those risks can be managed if suppliers are transparent about how they approach cybersecurity. A positive sign, the report says, is when a potential partner abides by industry standards, such as ISO/IEC 27036, ISO 28000 or NISTIR 8259.
Trust models can also help, particularly if an original device manufacturer won't share source code binaries.
"Trust models define a framework to provide formal guarantees about the behavior of the different parties and enhance security," ENISA writes. "An approach based on consistent risk evaluation would allow organizations to evaluate the business impact to apply the proper technical measures and contractual obligations (e.g. audits)."
The top recommendation for processes is using "security by design" principles to ensure security is baked in during product development rather than tacked on afterward. Security tests and vulnerability scanning should occur as components are designed while privacy considerations are taken into account, the report states (see: 'Privacy by Design': Building Better Apps).
Also important is enforcing a security baseline, which includes core elements such as detection, protection and incident response. These can help prevent mistakes by the dangerous wild-card element of software design: humans making decisions.
"Human factors must also be taken into account at the design stage. Best practices must be enforced and followed rigorously to avoid undermined security because of poor user decisions," ENISA writes.
The use of third-party software is also a potential risk. ENISA recommends that organizations figure out what kinds of software are in an IoT device by using OWASP's Dependency-Track, a platform for analyzing supply chain components using a software bill of materials.
Roots of Trust
ENISA's technology recommendations are centered around management and ensuring trust.
The report stresses improving the planning around device upgradeability and obsolescence, especially as organizations collect several generations of IoT devices and software.
"The update of IoT devices is difficult since the products are usually based on various packages from different sources and using different tools and third-party components," the report says. "The planning and management of these updates is something very important to consider."
Before buying a product, organizations should ensure that service-level agreements call for a vendor to commit to secure boot and firmware signing, ENISA says. When a device boots, the entire chain of software components that take part in booting must start "from an immutable root of trust," the report states.
Tamper-resistant hardware components can also help with an integrated root of trust, which has been implemented in products such as Microsoft's Azure Sphere IoT platform.
There's also a big role for identity management. Devices that can be easily taken over remotely are targets for botnets, and botnet operators have seized on egregious identity mistakes in products - such as easily guessed or default credentials. Integrating identity management can also help with uniquely identifying devices on a network, ENISA says.
"Identity management systems should be integrated into the supply chain to provide these unique identifiers," according to the report. "These are usually included in the wider context of identity and access management systems that regulate the lifecycle of the device identity and provide authentication and authorization services."