The European Union Agency for Cybersecurity (ENISA) recently published its Guidelines for Securing the IoT - Secure Supply Chain for IoT. The guidelines cover the entire Internet of Things (IoT) supply chain, including software, hardware, and services.
ENISA's report builds on the 2019 Good Practices for Security of IoT - Secure Software Development Lifecycle and zeroes in on the actual supply chain processes used to develop IoT products. It also complements the agency's Baseline Security Recommendations for IoT, a highly cited study intended to serve as a reference for IoT security.
Supply chains face threats ranging from physical to cyber, and more and more organizations have come to rely on third parties. Because organizations cannot always dictate the security measures of their supply chain partners, IoT supply chains have become a weak link for cybersecurity.
“Securing the supply chain of ICT products and services should be a prerequisite for their further adoption, particularly for critical infrastructure and services. Only then can we reap the benefits associated with their widespread deployment, as it happens with IoT”, said EU Agency for Cybersecurity Executive Director Juhan Lepassaar.
Better security for IoT supply chain
The guideline was developed to help IoT manufacturers, developers, integrators, and all other stakeholders in the IoT supply chain make better security decisions when building, deploying, or evaluating IoT technologies.
ENISA conducted a survey that identified the presence of untrusted third-party components and vendors, together with the vulnerability management of third-party components, as the two main threats to the IoT supply chain. The guideline then analyzes the stages of the development process, explores the most important considerations, and identifies good practices to be applied at each stage. It also points to additional resources from other initiatives, standards, and guidelines.
Several of the report's recommendations point to the need to build better relationships between actors, further promote cybersecurity expertise, and adopt security-by-design principles. The report also stresses the need for a comprehensive and explicit approach to security that leverages existing standards and good practices.
Last October, the agency, together with Europol's European Cybercrime Centre (EC3) and the Computer Emergency Response Team for the EU Institutions, Bodies and Agencies (CERT-EU), launched the 4th Annual IoT Security Conference Series to raise awareness of the security challenges facing the IoT ecosystem across the EU. Since 2016, ENISA has been working on good practices for securing IoT, publishing studies that map the corresponding threat landscape and propose targeted security measures.
Author: Ericka Pingol