In an increasingly digital world, every aspect of product development and delivery is being transformed, facilitated, and made more efficient through automation and integrated intelligence. The supply chain is no exception; today, many firms are extending Internet of Things (IoT) devices into their supply chain to improve productivity and customer service. Sensors, communication devices, analytics engines, and decision-making aids are being employed to improve the efficiency of fleet management services, schedule optimization, routing, and reroutes due to adverse conditions. The IoT provides real-time tracking solutions and instant inventory visibility.
However, as firms use the IoT to expand their reach into the supply chain, so too does it increase their attack vectors and potential loss of proprietary and sensitive data. Cloud computing stores data and passes it between potentially thousands of devices that may have exploitable vulnerabilities; a poorly designed architecture could provide hackers the ability to disrupt, destroy, or steal vast and valuable stores of corporate and personal data. As an example, in October 2016, the IoT botnet Mirai led the largest DDoS attack ever, leading to a large number of popular websites on the internet going down, including Twitter, the Guardian, Netflix, Reddit, and CNN.
Abel Sussman is a Director for Cyber Risk Advisory at Coalfire. He is responsible for helping clients advance security program strategy, meet legislative compliance, and implement cyber-security programs. He is a leader and recognized industry expert on Cloud Computing, Security, and federal compliance
Specific to the supply chain is the issue of Data Leakage, where content becomes visible to cyber “eavesdroppers,” either through malicious or unintended means. A recent Princeton paper demonstrated that popular IoT devices (including Amazon Echo), where the data streams were assumed to be encrypted and therefore not susceptible to direct inspection, were in fact highly revealing merely by looking at the traffic rates of the encrypted data flows. While safeguards can be assumed to be in place within the firm’s “system of record,” or database, data leakage can occur when data is passed between complementary systems unless the same level of data protection is enforced. Within the IoT ecosystem, data can be observed at various points including data at rest, data in-motion between vendors, and data at system boundary endpoints.
It is enormously valuable to malicious actors to observe a firm’s supply chain. Without proper confidentiality controls, actors can spy key relationships, contents, shipping volume, and destination. From these pieces, competitors and market actors can gain undue insight into a company’s business operations and gain advantage.
According E&Y, data leakage is a great concern when deploying IoT technologies (ET Cybersecurity and the Internet of Things), and the associated privacy concerns is among the most significant challenges with IoT security implementation (In the Matter of the Benefits, Challenges, and Potential Roles for the Government in Fostering the Advancement of the Internet of Things, Federal Trade Commission).
To protect against Data Leakage, device security needs to be addressed throughout the system lifecycle, from design to field operations. First, firms need to examine their data governance methodologies to build effective and secure IoT products and services. Corporate policy should drive secure processes, architecture development, device control, and system monitoring. Second, devices need to be configured to automatically identify, locate, and profile supply chain objects; they need to accept patches from known sources, and be cut out of the network if compromised before they can infect others. In many ways, IT and network security protocols need to evolve to an IoT world, with updated methodologies better addressing the requirements of distributed devices.
You need the most expensive collaboration technology in your office. Right? Wrong! This guide walks you through choosing the perfect collaboration technology for your organization
The Technology Manager’s Guide: Tips for Buying Collaboration TechnologyAs mentioned, Data Leakage is an ecosystem issue, and all participants must understand where their responsibilities begin and end and what they are responsible to protect. This requires defining standards for interoperability and encryption so all participants can communicate and work together safely and effectively.
Below is an action plan for CIOs that are considering implementing IoT for their supply chain:
- Execute “red team” exercise for deployed IoT devices, where an independent group challenges organization security measures at the application, network, data, and physical layers.
- Sign up for security alerts from the US Computer Emergency Readiness Team (US-CERT).
- Develop a data flow map from vendor systems to show downstream and upstream information flow.
- Coordinate across integrated vendors: require that software and application providers use secure coding practices, and that all vendors including hardware providers test for security readiness—require testing documentation and transparency on secure coding practices in contract language.
- Develop policy and procedures, with executive-level direction and oversight, that focus on security for network-connected devices and address risks inherent in the Internet of Things. These documents should include rules on selecting hardware that incorporate security features, guidelines/schedules for performing penetration tests, as well as end-of-life strategy.
- Create a robust Incident Response Plan (IRP) that prepares the enterprise for disruptive events. Incident Response teams should be trained in their roles and conduct regular tabletop testing for a range of potential scenarios, and customer-facing staff must be trained in understanding which customer-reported incidents need to be escalated to the CISO.
- Assure a defense-in-depth security approach to protect the firm’s most valuable assets by implementing layered defenses against cybersecurity threats.
There’s little question that the Internet of Things is extremely enabling across product manufacturing, the supply chain, and within product functionality itself. Yet, it’s essential to understand that new connected devices bring new risks and learn to both understand and mitigate them, so that the full promise of the technology can be extracted while minimizing potential downsides. In cybersecurity, we understand that risk can’t be eliminated, but it can be minimized and proactively managed. The goal of each company integrating the IoT into the supply chain should be to fully understand and deploy strategies to bring risk to acceptable levels.
If you enjoyed this article and want to receive more valuable industry content like this, click here to sign up for our digital newsletters!
Excellent thoughts on the need to increase Privacy concepts in IoT
Along with IoT, AI can significantly help to improve performance without human intervention, and allows for constant analysis of performance data, which enables machines to improve over time; whether this is a robot installed in a factory or a distribution warehouse.
Internet of thing is one of the most emerging field. Thanks for sharing this valuable information on Internet of things.
There are so many companies who are adopting the Internet of things to improve their productivity as well as the customer services. They are using the Internet of things to connect devices and hence making the supply chain,
hi thanks for the information
The technology which is having the perfect way to ensure the internet of things while supply chain that enables it for the perfection to keep the work part completely to have the valuable part
Great post! Thanks for sharing the knowledge and keep up the good work.
Thank you so much for sharing an insightful post on IOT. It’s helpful
Since IOT is a quite new field. A considerable amount of research work needs to be done, to sort out various flaws in its structure and policies.
While it stands to bring efficiencies and conveniences we’ve never before seen, thereby improving lives, streamlining business and helping the planet, the IoT can only be a powerful force for good if it is secure. The intersection of the physical world with the always-on Internet culture means that now, for example, a hacked Facebook account can leave vulnerable not only personal information, but also home security systems, appliances, cars and more.
And about that personal information – the amount of it in the IoT, from consumers’ locations to their desires and purchasing habits, is staggering. Each smart device and connected app gathers data, and each smart device and connected application risks exposing this data. Companies promising amazing experiences through their IoT-connected products and services must back those promises up with unsurpassed security. Otherwise consumers’ risks of fraud, identity theft and other damage through the IoT remain too high.