IIoT security: How to establish a supply chain of trust
There are security vulnerabilities throughout the IoT supply chain, stretching right back to the sourcing of components. Enterprise users, particularly those engaged in industrial and critical operations, should review and monitor their IoT suppliers, and work with trusted and reputable partners.
“The largest challenge for IoT manufacturers is ensuring their suppliers are providing the level of security in their OEM solutions as an organization takes when building their own solution,” explains David Dufour, vice president of engineering and cyber-security at Webroot. “A breakdown in security with a supplier has a ripple effect up the supply chain.”
Indeed, devices are considered the weakest link for security in the IoT development chain. IoT providers and customers must watch their device partners closely, says Jason Collins, vice president of IoT marketing at Nokia. “You need to ask these questions of your device manufacturers – to pressure them to tighten down, and enable identity management and over-the-air update, at least.”
But this chain of trust must reach all aspects of the complex IoT ecosystem. “That said, it’s not just about the device, but about the whole set-up,” adds Collins.
Peter Aldworth, director of systems technology in the IoT services group at UK microchip designer Arm, considers the practicalities for enterprises deploying IoT solutions. “Security cannot be solved at a single point; it must be pervasive and be able to evolve over time,” he says. He recommends a simple checklist to ensure trust is maintained between components in an industrial IoT setting.
This includes initial set-up and connectivity, LAN security, WAN connectivity with remote gateways and servers, and use of secure protocols such as DTLS. He also urges review of application protocol design, to avoid replay attacks. Other considerations include protection from local threats, and security of IT or device management cloud systems.
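One way to build the replay resistance mentioned above into an application protocol, shown as an added example that is not from the article or from Arm. The frame layout (device ID, counter, payload, HMAC-SHA256 tag), the per-device keys and all names are assumptions made for illustration.

```python
from __future__ import annotations

import hashlib
import hmac
import struct

HEADER_LEN = 12   # 4-byte device id + 8-byte message counter (assumed layout)
TAG_LEN = 32      # HMAC-SHA256 output size

# Constructed sample data: two devices, each with its own key.
KEYS = {1: b"k1-constructed-sample-key", 2: b"k2-constructed-sample-key"}


def seal(key: bytes, device_id: int, counter: int, payload: bytes) -> bytes:
    """Device side: authenticate header and payload together."""
    header = struct.pack(">IQ", device_id, counter)
    tag = hmac.new(key, header + payload, hashlib.sha256).digest()
    return header + payload + tag


class Receiver:
    """Gateway side: check the MAC, then require a strictly rising counter."""

    def __init__(self, keys: dict[int, bytes]):
        self.keys = keys                      # one key per device
        self.last_seen: dict[int, int] = {}   # highest counter accepted so far

    def accept(self, frame: bytes) -> bytes | None:
        if len(frame) < HEADER_LEN + TAG_LEN:
            return None                       # truncated frame
        header = frame[:HEADER_LEN]
        payload = frame[HEADER_LEN:-TAG_LEN]
        tag = frame[-TAG_LEN:]
        device_id, counter = struct.unpack(">IQ", header)
        key = self.keys.get(device_id)
        if key is None:
            return None                       # unknown device
        expected = hmac.new(key, header + payload, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return None                       # modified, or sealed with another key
        if counter <= self.last_seen.get(device_id, -1):
            return None                       # replayed or stale frame
        self.last_seen[device_id] = counter   # only advanced after the MAC passes
        return payload


if __name__ == "__main__":
    rx = Receiver(KEYS)
    frame = seal(KEYS[1], 1, 1, b"valve=open")
    print(rx.accept(frame))   # first delivery is accepted
    print(rx.accept(frame))   # identical bytes sent again are rejected
```

In a real deployment the receiver's counter state has to survive restarts, otherwise a reboot reopens the window for old frames.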
Common security failures, such as default password settings, should be checked off too. “You should not implement a web server on each device with the same access credentials across an entire deployment,” says Aldworth. He also recommends use of the OMA Lightweight M2M protocol and the ACE OAuth2 open authorization standard as a matter of course so devices can be managed remotely via more robust mechanisms.
“Security also depends on specific risks associated with particular applications. For example, a deployment of actuators to control a nuclear reactor that must operate correctly for over 50 years will have a much different set of vulnerabilities compared to a small NFC device used to identify a consumable product with a short lifespan,” says Aldworth.