
Security and IoT Supply Chains


Our unique multi-sensor began testing this week with (so far) a hundred percent pass rate. Soon you’ll be able to see footage from inside the factory as components are printed and heated in a gas oven before being inspected and approved. Sensors are the raw materials of IoT, the building blocks that ensure meaningful data can be extracted from buildings and occupant health and wellness can be guaranteed.

But these small devices contain smaller and more intricate components. And the buyers of these specialist items – manufacturers – are at the end of a long global supply chain that, according to some observers, lacks sufficient transparency and security. A single device can be made from parts that are sourced in a number of different countries around the world, from dozens of component manufacturers, and dozens of resellers. As a recent article in IoT World Today says, in many cases, “it would be a challenge to track the origins of the internal elements that comprise the delivered IIoT devices.”[1]

Security threats could pose a significant risk to supply, meaning that manufacturers would have to either re-source raw material or else risk shutting down production altogether. A recent study, “Finite State Supply Chain Assessment” highlights the “enormous attack surface that exists through the modern, complex hardware and software supply chains that enable modern electronics systems” and offers advice on best practice.[2] It is common for building operators and facilities management suppliers to have only a partial understanding of their device supply chain, and even the devices that exist on their network. Businesses should therefore, as a first step,

Generate an inventory of all the devices they have, and they should work with procurement to understand more about each device and its supply chain.

Testing and reporting would also help to mitigate security concerns. Buyers of expensive digital equipment should exercise leverage here.

Insist on adding language to contracts that allows them to conduct independent security testing of every device and their corresponding security updates.

Buyers and vendors should also open up channels of communication to report findings. Next, buyers should insist on testing equipment (the reason for our factory visit this week):

Especially in critical infrastructure environments, every device should be thoroughly tested before deployment, and more importantly, the firmware should be analyzed using automated analysis software.

Vulnerability testing will reveal possible defects, and firmware testing goes further, revealing how secure the software and firmware actually are. Advances in technology have made firmware testing a lot easier, and the report highlights some of the benefits this has brought about. Finally, as the report points out, the interests of buyer and manufacturer are aligned: each wants to ensure that devices are as secure as possible.

Most vulnerabilities identified will be new information to the vendor, so it’s advisable for buyers to try to build a helpful relationship by reporting what they find.
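The steps above (inventory the device, analyse its firmware automatically, and report what you find back to the vendor) can be made concrete with a small triage script. The example below is added here for illustration and is not code from this post, from Finite State or from any analysis product; it runs over a constructed, clearly fake firmware blob, records the image hash for the inventory, looks for embedded private keys, hard-coded default credentials, baked-in remote shell services and components older than a hypothetical buyer policy, and produces a JSON findings report of the kind a buyer could attach to a disclosure to the manufacturer.

```python
import hashlib
import json
import re

# Constructed sample "firmware image": a handful of non-printable bytes with
# embedded strings of the kind automated firmware analysis looks for. This is
# not a real device image; every value is made up for the example.
SAMPLE_FIRMWARE = (
    b"\x7fELF\x02\x01\x01" + b"\x00" * 24
    + b"BusyBox v1.20.2 (constructed build)\x00"
    + b"telnetd -l /bin/sh\x00"
    + b"admin:admin\x00"
    + b"-----BEGIN RSA PRIVATE KEY-----\n"
    + b"MIIBOgIBAAJBAK(constructed-placeholder)\n"
    + b"-----END RSA PRIVATE KEY-----\n\x00"
    + b"OpenSSL 1.0.1e (constructed build)\x00"
    + b"\x90" * 32
)

# Hypothetical buyer policy: minimum component versions procurement has agreed
# with the vendor. A real policy would come from the contract, not from here.
COMPONENT_POLICY = {"BusyBox": "1.30.0", "OpenSSL": "1.1.1"}

PRINTABLE = re.compile(rb"[\x20-\x7e]{6,}")
CREDENTIAL = re.compile(r"^(root|admin|user|guest):[^\s:]{1,32}$")
COMPONENT = re.compile(r"\b(BusyBox|OpenSSL)\s+v?(\d+)\.(\d+)\.(\d+)")
SHELL_HINTS = ("telnetd", "/bin/sh", "dropbear")


def parse_version(text):
    """'1.20.2' -> (1, 20, 2) so versions compare numerically, not lexically."""
    return tuple(int(part) for part in text.split("."))


def extract_strings(blob):
    """Printable ASCII runs of 6+ bytes, the same first pass `strings` does."""
    return [m.group().decode("ascii") for m in PRINTABLE.finditer(blob)]


def analyze_firmware(blob, policy):
    """Return a findings report for one firmware image.

    Checks: embedded private keys, hard-coded default credentials, remote-shell
    services baked into the image, and components older than the buyer policy.
    """
    findings = []
    strings = extract_strings(blob)

    # A PEM block spans several lines, so test the raw bytes rather than strings.
    if b"-----BEGIN " in blob and b"PRIVATE KEY-----" in blob:
        findings.append({"check": "embedded_private_key",
                         "evidence": "PEM private key block present in image"})

    for s in strings:
        if CREDENTIAL.match(s):
            findings.append({"check": "hardcoded_credential", "evidence": s})
        if any(hint in s for hint in SHELL_HINTS):
            findings.append({"check": "remote_shell_service", "evidence": s})
        m = COMPONENT.search(s)
        if m:
            name = m.group(1)
            found = (int(m.group(2)), int(m.group(3)), int(m.group(4)))
            if name in policy and found < parse_version(policy[name]):
                findings.append({
                    "check": "component_below_policy",
                    "evidence": f"{name} {'.'.join(map(str, found))} < {policy[name]}",
                })

    return {
        "sha256": hashlib.sha256(blob).hexdigest(),  # goes into the device inventory
        "size_bytes": len(blob),
        "string_count": len(strings),
        "findings": findings,
    }


def report_json(report):
    """Serialise the report so it can be attached to a vendor disclosure."""
    return json.dumps(report, indent=2, sort_keys=True)


if __name__ == "__main__":
    print(report_json(analyze_firmware(SAMPLE_FIRMWARE, COMPONENT_POLICY)))
```

Run as-is it reports five findings against the constructed image and none against an all-zero image. The string-based checks are deliberately simple heuristics; a real pipeline would unpack the filesystem first and match components against a maintained vulnerability feed, but the shape of the output (image hash for the inventory, one entry per finding with its evidence) is what makes the result useful to both the buyer's records and the vendor.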

A good relationship between buyer and manufacturer will go some way to ensuring that devices are more reliable and more secure moving forward. It also means that unscrupulous suppliers can be found and eliminated from the supply chain, reducing vulnerabilities in a device and ensuring greater overall security in a network.

[1] https://www.iotworldtoday.com/2021/02/01/iot-supply-chain-vulnerability-poses-threat-to-iiot-security/

[2] https://finitestate.io/wp-content/uploads/2019/06/Finite-State-SCA1-Final.pdf
