IoT Security: ENISA Publishes Guidelines on Securing the IoT Supply Chain

The European Union Agency for Cybersecurity (ENISA) is releasing its Guidelines for Securing the IoT – Secure Supply Chain for IoT, which covers the entire Internet of Things (IoT) supply chain – hardware, software and services – and builds on the 2019 Good Practices for Security of IoT - Secure Software Development Lifecycle publication by focusing on the actual processes of the supply chain used to develop IoT products. This report complements the Agency’s seminal study on Baseline Security Recommendations for IoT, a highly cited and referenced work that aims to serve as a reference point for IoT security.

Supply chains are currently facing a broad range of threats, from physical threats to cybersecurity threats. Organisations are becoming more dependent than ever before on third parties. As organisations cannot always control the security measures of their supply chain partners, IoT supply chains have become a weak link for cybersecurity. Today, organisations have less visibility and understanding of how the technology they acquire is developed, integrated and deployed than ever before.

In the context of the development of the Guidelines for Securing the IoT – Secure Supply Chain for IoT, the EU Agency for Cybersecurity has conducted a survey that identifies the existence of untrusted third-party components and vendors, and the vulnerability management of third-party components as the two main threats to the IoT supply chain. The publication analyses the different stages of the development process, explores the most important security considerations, identifies good practices to be taken into account at each stage, and offers readers additional resources from other initiatives, standards and guidelines.

As in most cases pre-prepared products are used to build up an IoT solution, introducing the concept of security by design and security by default is a fundamental building block to protect this emerging technology. The Agency has worked with IoT experts to create specific security guidelines for the whole lifespan of IoT devices. These guidelines to help tackle the complexity of IoT focus on bringing together the key actors in the supply chain to adopt a comprehensive approach to security, leverage existing standards and implement security by design principles.