
Supply chain security for the IoT age
To effectively secure connected devices, we need to understand both the global supply chain and the local environment, and then apply accurate modeling to assess risk.
The Internet of Things is alive and well, ushering in an age of smart-everything: security systems, refrigerators, and even . The connected device trend is growing: the number of connected devices will exceed 30 billion in 2020, and that number is projected to balloon to over 75 billion in 2025. With so many personal devices that connect to the internet, what could possibly go wrong?
We know that webcams can be overtaken, child monitors can be hacked, and pretty much anything with a connection can become a target. We also know that vendors can create exploitable entry points by placing "backdoors" on their devices that enable remote access for times when problems require assistance. And it's not just the devices themselves and the backdoor access that present information security risks: when we consider the fact that IoT devices reside inside other products that are globally made and assembled, we are forced to examine the entire supply chain.
For effective IoT supply chain security, first consider the full global picture
We live in a global economy, and vendors support their products from hub locations found in different geographic regions around the world to accommodate 24x7x365 schedules. Thus, a support rep in Ireland may have access to an embedded chip found in a device that was assembled in China and presently resides in the United States. Furthermore, the device could also be supporting work in yet another environment when that device or device user accesses another device.
While industry standards and quality control inspections aim to restore some control to an otherwise unwieldy global process, we are still vulnerable to security risks when we consider the many hands, and many countries, that touch the connected devices we bring into our homes. As supply chains have grown, so have the security risks and vulnerabilities. Security professionals should be aware of the global supply chain that supports our embedded devices when assessing the risk landscape.
Then look closely at the local environment
In addition to the global view, we need to look at the local environment and apply accurate modeling to gain a true understanding of risk. Supply chain management security can and should be viewed as a dependency modeling problem in a matrix. While dependency modeling is commonly used to help organizations establish a consistent definition of risk across the enterprise, the matrix component is especially helpful in the IoT age. Why?
Because the embedded devices made for use in IoT are produced by a relatively small number of manufacturers. These devices are then placed into many different environments where they receive their requests (on/off) through interfaces. Thus, a vulnerability in one chip can affect many different industries, much like a vulnerability in a software library can affect many different environments. These dynamic environment considerations, plus the changing processing states that require monitoring, require us to move beyond the standard linear dependency models and into more of a matrix mind frame that allows the "lines" to be combined into something far more complex and representative of the IoT age.
In addition to a failure occurring due to a vulnerability in the chip, failures can also occur in the local environment due to the interaction between the chip and the host. For example, a chip embedded in an abnormally cold environment can fail to perform as expected due to extreme cold, while the same chip in another, warmer environment will not fail. The contextual nature of the problem requires additional work in risk and threat modeling.
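The matrix view described above, worked through as an added example (not code from the article): rows are embedded components, columns are deployment environments, and each cell carries the host context. A vulnerability in one component is propagated to every environment and industry that depends on it, and the cold-environment failure mode is evaluated per cell against the component's rated limit. All component names, environments and temperature values are constructed sample data.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Environment:
    name: str
    industry: str
    ambient_c: float  # ambient operating temperature of the host, degrees Celsius


@dataclass(frozen=True)
class Component:
    name: str
    vendor: str
    min_operating_c: float  # vendor-rated lower temperature limit (constructed)


class DependencyMatrix:
    """Rows: embedded components. Columns: deployment environments."""

    def __init__(self) -> None:
        self.components: dict[str, Component] = {}
        self.environments: dict[str, Environment] = {}
        self.cells: set[tuple[str, str]] = set()  # (component, environment)

    def deploy(self, comp: Component, env: Environment) -> None:
        self.components[comp.name] = comp
        self.environments[env.name] = env
        self.cells.add((comp.name, env.name))

    def blast_radius(self, component: str) -> dict[str, set[str]]:
        """Industries and environments exposed if `component` has a vulnerability."""
        out: dict[str, set[str]] = {}
        for c, e in self.cells:
            if c == component:
                out.setdefault(self.environments[e].industry, set()).add(e)
        return out

    def contextual_failures(self) -> list[tuple[str, str]]:
        """Cells where the host environment violates the component's rating."""
        return sorted(
            (c, e) for c, e in self.cells
            if self.environments[e].ambient_c < self.components[c].min_operating_c
        )


# Constructed sample data: one widely used chip deployed across several industries.
m = DependencyMatrix()
soc = Component("SoC-A", "VendorX", min_operating_c=-10.0)
m.deploy(soc, Environment("smart-thermostat", "residential", 21.0))
m.deploy(soc, Environment("cold-storage-sensor", "logistics", -25.0))
m.deploy(soc, Environment("factory-plc-gateway", "manufacturing", 30.0))
m.deploy(Component("Radio-B", "VendorY", -40.0), Environment("cold-storage-sensor", "logistics", -25.0))

if __name__ == "__main__":
    print(m.blast_radius("SoC-A"))       # one chip, three industries
    print(m.contextual_failures())       # SoC-A in the cold-storage host
```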
For IoT supply chain security professionals, the learning never ends
The challenge to security professionals is that they need to know not just the attack vectors but also the different hosts and host environments. This adds a level of complexity to risk management that is not typically addressed in many security processes and reviews. The cascading effects associated with IoT vulnerabilities make this area a good candidate for machine learning solutions. But before machine learning solutions can be applied, the problem requires accurate modeling.
IoT and the IoT supply chain are hot topics in the information security industry; many institutions and organizations are conducting research in these areas now. Given the scale and magnitude of the issue, we will likely encounter many IoT security challenges with implications that span the globe. Security professionals will need to understand connected devices in a contextualized manner, and view the landscape as a dependency modeling problem in a matrix, or risk being overwhelmed by the data associated with the 75 billion connected devices that are on the way.