IoT security is a mess. These guidelines could help fix that
The supply chain around the Internet of Things (IoT) has become the weak link in cybersecurity, potentially leaving organisations open to cyber attacks via vulnerabilities they’re not aware of. But a newly released set of guidelines aims to ensure that security forms part of the entire lifespan of IoT product development.
The Guidelines for Securing the IoT – Secure Supply Chain for IoT report from the European Union Agency for Cybersecurity (ENISA) sets out recommendations throughout the entire IoT supply chain to help keep organisations protected from vulnerabilities which can arise when building connected things.
One of the key recommendations is that cybersecurity expertise should be further integrated into all layers of organisations, including engineering, management, marketing and others so anyone involved in any part of the supply chain has the ability to identify potential risks – hopefully spotting and addressing them at an early stage of the product development cycle and preventing them from becoming a major issue.
It’s also recommended that ‘Security by Design‘ is adopted at every stage of the IoT development process, focusing on careful planning and risk management to ensure that any potential security issues with devices are caught early.
“Early decisions made during the design phase usually have impactful implications on later stages, especially during maintenance,” said the report.
SEE: A winning strategy for cybersecurity (ZDNet special report) | Download the report as a PDF (TechRepublic)
Another recommendation that organisations throughout the product development and deployment cycle should forge better relationships in order to address security loopholes which may arise when there’s no communication between those involved.
These include errors in design due to lack of visibility in the supply chain of components – something which can happen when there’s misunderstandings or lack of coordination between parts manufacturers and the IoT vendor.
However, not all responsibility should rely with IoT manufacturers, the paper also recommends that customers and end-user organisations need to play a role in supply chain implementation and can “benefit greatly from dedicating resources to studying the current landscape and adapting the existing best practices to their particular case”.
“Securing the supply chain of ICT products and services should be a prerequisite for their further adoption particularly for critical infrastructure and services. Only then can we reap the benefits associated with their widespread deployment, as it happens with IoT,” said Juhan Lepassaar, executive director or ENISA.
READ MORE ON CYBERSECURITY
