June 2020

The report can be downloaded for free from IoTSF’s publications page

The IoT Security Foundation (IoTSF) is pleased to announce a new member-generated publication titled ‘Securing the Internet of Things Supply Chain’. The white paper is an output of the Supply Chain Project team, which has more than 40 expert contributors and reviewers. Whilst much has been written about software supply chains, hardware supply chains and cybersecurity in recent times, this paper considers in finer detail the key combinations that make up the IoT cybersecurity supply network.

Supply chain attacks have been increasing in recent years, as supply chains are high-value targets that attract the interest of adversaries with varying intent. For example, they might be motivated by cash – i.e. ransomware. They might be motivated by corporate advantage – industrial espionage or intellectual property (IP) theft. They may also have more sinister intentions – that of a rogue nation state. Recent attacks include AcidRain, Kaseya, SolarWinds, ShadowHammer, CCleaner, NotPetya, Kingslayer, XcodeGhost and more.

Regardless of the intent, it is socially and economically important that the technology industry and businesses ensure the security of their supply networks. With globalisation, IoT products and services have an expansive attack surface. It is therefore essential that manufacturers and purchasers of connected products have an understanding of the risk associated with supply. Is the supply chain transparent or opaque? Is it well managed or not at all? 

In this paper we break the IoT security supply chain down and bring greater clarity to each of the elements; we look at the big picture, and we also look at the anatomy of a connected device (IoT) – including the hardware(s), the software(s), roots of trust, cryptographic functions, production data, software keys, certificates and more. If you are creating products or managing risk within your organisation we recommend this report to you – it will help you determine your own threat model.

The recommendations of the report have been integrated into IoTSF’s popular IoT Security Assurance Framework (from release 3).

Thank you to our members

The IoT Security Foundation would like to thank our expert members for producing the whitepaper in support of our mission to ‘make it safe to connect’.

Securing the Internet of Things

The recommendations of the report have been integrated into the IoT Security Assurance Framework (from release 3). The Securing the Internet of Things Supply Chain white paper and the Assurance Framework are free downloads and can be found on the Publications page.