ENISA issues guidelines on securing the IoT supply chain

On 9 November 2020, the European Union Agency for Cybersecurity (ENISA) published its guidelines for securing the Internet of Things (IoT) supply chain (see the full report here). The report is relevant to all those developing, selling and using IoT devices - it provides a thorough analysis of the key security threats facing the IoT supply chain (from early conceptual design to end user delivery and maintenance), and recommends good practices for IoT stakeholders to implement across each stage of their supply chain to ensure security.

In particular, the guidelines:

1. highlight the importance of IoT stakeholders systematically mapping the threat landscape across their IoT supply chain before attempting to identify appropriate security measures to deal with such threats. To help with this, the guidelines present a useful threat taxonomy which classifies key threats affecting IoT supply chains under the following high-level categories: (i) physical attacks (e.g. sabotage and grey markets); (ii) IP loss (e.g. IP theft and reverse engineering); (iii) nefarious activity/abuse (e.g. malware insertion and counterfeits); (iv) non-compliance with security standards and regulations; and (v) unintentional damage or loss of information (e.g. user errors and disruptions in cloud services);

2. make best practice recommendations around: (i) actions that ‘actors’ (i.e. IoT stakeholders, including developers, engineers, manufactures, suppliers and customers) can take to improve security; (ii) processes that can be used when an IoT project is designed, developed, deployed and maintained; and (iii) possible technical measures (including hardware and software components and emerging technologies) that can be applied in order to predict, detect and reduce vulnerabilities and threats; and

3. remind all IoT stakeholders of the importance of ‘security by design’ - security experts and legal departments should be involved in the early conceptual design discussions and security should not be an afterthought.

This is not the only guidance in this space. These guidelines build on ENISA’s 2019 ‘Good Practices for Security of IoT – Secure Software Development Lifecycle’publication, and complement the Agency’s other IoT-related reports, including its original study on Baseline Security Recommendations for IoT. Also, in the UK, the Department for Digital, Culture, Media and Sport has issued a Code of Practice for Consumer IoT Security in partnership with the National Cyber Security Centre.

Comment

With IoT supply chains widely considered the weak link in cybersecurity, these guidelines will undoubtedly be welcomed by IoT customers and relevant regulators. Many of the recommendations (e.g. mapping risks, taking a ‘security by design’ approach and addressing security issues up-front) are messages we have heard before. While ENISA’s guidelines will therefore provide a useful springboard for improving IoT supply chain security, there are a number of factors relating to today’s IoT industry and supply chains which may make it difficult to implement the guidelines in practice. For instance:

(i) the IoT security threat landscape is wide and complex (due to the many actors involved, the convoluted interactions across the supply chain and the frequent use of globally distributed third party suppliers), making it difficult for stakeholders to achieve end-to-end security throughout the entire supply chain;

(ii) the IoT market is still relatively immature and competitive, resulting in fast innovations, short product development life cycles and often companies looking to make a quick profit, all of which does not necessarily support good security practices; and

(iii) many IoT supply chains are using existing infrastructures / equipment that stakeholders cannot easily upgrade (or, in the case of enterprises with limited resources, do not want to upgrade). 

Successful IoT security risk management will require stakeholders to overcome these challenges.