The report addresses the entire lifespan of Internet of Things (IoT) product development by offering security measures for each step.
On November 9, 2020, the European Union Agency for Cybersecurity (ENISA) released its Guidelines for Securing the IoT – Secure Supply Chain for IoT, which covers the entire Internet of Things (IoT) supply chain – hardware, software and services – and builds on the 2019 Good Practices for Security of IoT – Secure Software Development Lifecycle publication by focusing on the actual processes of the supply chain used to develop IoT products. This report complements the Agency’s seminal study on Baseline Security Recommendations for IoT, a highly cited and referenced work that aims to serve as a reference point for IoT security.
Supply chains are currently facing a broad range of threats, from physical threats to cybersecurity threats. Organisations are becoming more dependent than ever before on third parties. As organisations cannot always control the security measures of their supply chain partners, IoT supply chains have become a weak link for cybersecurity. Today, organisations have less visibility and understanding of how the technology they acquire is developed, integrated and deployed than ever before.
EU Agency for Cybersecurity Executive Director Juhan Lepassaar stated: “Securing the supply chain of ICT products and services should be a prerequisite for their further adoption particularly for critical infrastructure and services. Only then can we reap the benefits associated with their widespread deployment, as it happens with IoT.”
In the context of the development of the Guidelines for Securing the IoT – Secure Supply Chain for IoT, the EU Agency for Cybersecurity conducted a survey that identified the existence of untrusted third-party components and vendors, and the vulnerability management of third-party components, as the two main threats to the IoT supply chain. The publication analyses the different stages of the development process, explores the most important security considerations, identifies good practices to be taken into account at each stage, and offers readers additional resources from other initiatives, standards and guidelines.
As IoT solutions are in most cases built from pre-prepared products, introducing the concepts of security by design and security by default is a fundamental building block for protecting this emerging technology. The Agency has worked with IoT experts to create specific security guidelines covering the whole lifespan of IoT devices. To help tackle the complexity of IoT, these guidelines focus on bringing together the key actors in the supply chain to adopt a comprehensive approach to security, leverage existing standards and implement security-by-design principles.
ENISA’s Work in IoT
The European Union Agency for Cybersecurity has been working on good practices for securing IoT since 2016 by publishing studies that map the corresponding threat landscape and provide targeted security measures. The Agency’s key publications in this arena include Good Practices for Security of IoT – Secure Software Development Lifecycle, Industry 4.0 in the Context of Smart Manufacturing, Smart Cars, Smart Hospitals, Smart Airports, and a dedicated online tool:
Just last month, the EU Agency for Cybersecurity, Europol’s Cybercrime Centre (EC3) and the Computer Emergency Response Team for the EU Institutions, Bodies and Agencies (CERT-EU) launched the 4th Annual IoT Security Conference Series to raise awareness of the security challenges facing the IoT ecosystem across the Union. The conference opened discussions on the trustworthiness of IoT, with topics including supply chain integrity, AI deployments, regulations surrounding IoT, and possible cybersecurity certification schemes that could support this effort.