In an increasingly digital world, every aspect of product development and delivery is being transformed, facilitated, and made more efficient through automation and integrated intelligence. The supply chain is no exception; today, many firms are extending Internet of Things (IoT) devices into their supply chain to improve productivity and customer service. Sensors, communication devices, analytics engines, and decision-making aids are being employed to improve the efficiency of fleet management services, schedule optimization, routing, and reroutes due to adverse conditions. The IoT provides real-time tracking solutions and instant inventory visibility.
However, as firms use the IoT to expand their reach into the supply chain, they also expand their attack surface and the potential for loss of proprietary and sensitive data. Cloud computing stores data and passes it between potentially thousands of devices that may have exploitable vulnerabilities; a poorly designed architecture could give attackers the ability to disrupt, destroy, or steal vast and valuable stores of corporate and personal data. As an example, in October 2016 the IoT botnet Mirai was used to launch what was then the largest DDoS attack on record, taking down a large number of popular websites, including Twitter, the Guardian, Netflix, Reddit, and CNN.
Specific to the supply chain is the issue of Data Leakage, where content becomes visible to cyber “eavesdroppers,” either through malicious or unintended means. A recent Princeton paper demonstrated that popular IoT devices (including Amazon Echo), whose data streams were assumed to be encrypted and therefore not susceptible to direct inspection, were in fact highly revealing merely from the traffic rates of the encrypted flows. While safeguards can be assumed to be in place within the firm’s “system of record,” or database, data leakage can occur when data is passed between complementary systems unless the same level of data protection is enforced. Within the IoT ecosystem, data can be observed at various points, including data at rest, data in motion between vendors, and data at system boundary endpoints.
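To make the traffic-rate leak concrete from the defender's side, the following added example (not code from the article or from the Princeton paper) uses a constructed per-second byte-count timeline for an encrypted device flow, shows that a passive observer can recover the device's active seconds from rates alone, and then applies constant-rate traffic shaping (cover traffic plus delay), a mitigation the paper's authors have proposed, to remove that signal. The idle, burst and target rates are constructed values, not measurements.

```python
from statistics import mean

# Constructed timeline: 20 seconds of an encrypted IoT flow, bytes per second.
# Idle keepalive traffic is small; device activity (e.g. a voice query) is a burst.
IDLE_BYTES = 200
BURST_BYTES = 9000
ACTIVE_SECONDS = {5, 6, 7, 14, 15}  # ground truth, known only to the device owner
OBSERVED = [BURST_BYTES if t in ACTIVE_SECONDS else IDLE_BYTES for t in range(20)]


def infer_activity(rates, threshold):
    """What a network observer learns without decrypting anything:
    the seconds whose byte rate exceeds a threshold."""
    return {t for t, b in enumerate(rates) if b > threshold}


def recovered_fraction(rates, truth):
    """Fraction of truly active seconds an observer recovers by thresholding
    at the mean rate. 1.0 means the activity pattern leaks completely."""
    guess = infer_activity(rates, threshold=mean(rates))
    return len(guess & truth) / len(truth)


def shape_constant_rate(rates, target):
    """Defender-side mitigation: every second the wire carries exactly `target`
    bytes. Real bytes are queued and released at most `target` per second;
    any shortfall is filled with padding. Returns the shaped timeline and the
    bytes still queued at the end (the latency cost of shaping)."""
    backlog = 0
    shaped = []
    for b in rates:
        backlog += b
        real = min(backlog, target)
        backlog -= real
        padding = target - real
        shaped.append(real + padding)  # observer sees a flat line
    return shaped, backlog


def padding_overhead(rates, target):
    """Extra bytes the shaping costs over the unshaped flow (bandwidth cost)."""
    shaped, _ = shape_constant_rate(rates, target)
    return sum(shaped) - sum(rates)


if __name__ == "__main__":
    print("leak before shaping:", recovered_fraction(OBSERVED, ACTIVE_SECONDS))
    shaped, left = shape_constant_rate(OBSERVED, 5000)
    print("leak after shaping:", recovered_fraction(shaped, ACTIVE_SECONDS), "queued:", left)
    print("padding overhead (bytes):", padding_overhead(OBSERVED, 5000))
```

Lowering the target rate reduces the bandwidth overhead but increases queued delay, which is the trade-off a deployment has to tune per device class.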
It is enormously valuable to malicious actors to observe a firm’s supply chain. Without proper confidentiality controls, actors can observe key relationships, contents, shipping volumes, and destinations. From these pieces, competitors and market actors can gain undue insight into a company’s business operations and gain advantage.
According to EY, data leakage is a great concern when deploying IoT technologies (EY, Cybersecurity and the Internet of Things), and the associated privacy concerns are among the most significant challenges in IoT security implementation (In the Matter of the Benefits, Challenges, and Potential Roles for the Government in Fostering the Advancement of the Internet of Things, Federal Trade Commission).
To protect against Data Leakage, device security needs to be addressed throughout the system lifecycle, from design to field operations. First, firms need to examine their data governance methodologies to build effective and secure IoT products and services. Corporate policy should drive secure processes, architecture development, device control, and system monitoring. Second, devices need to be configured to automatically identify, locate, and profile supply chain objects; they need to accept patches only from known sources, and be isolated from the network if compromised, before they can infect other devices. In many ways, IT and network security protocols need to evolve to an IoT world, with updated methodologies that better address the requirements of distributed devices.
As mentioned, Data Leakage is an ecosystem issue, and all participants must understand where their responsibilities begin and end and what they are responsible to protect. This requires defining standards for interoperability and encryption so all participants can communicate and work together safely and effectively.
Below is an action plan for CIOs who are considering implementing IoT in their supply chain:
- Execute a “red team” exercise for deployed IoT devices, where an independent group challenges the organization’s security measures at the application, network, data, and physical layers.
- Sign up for security alerts from the US Computer Emergency Readiness Team (US-CERT).
- Develop a data flow map from vendor systems to show downstream and upstream information flow.
- Coordinate across integrated vendors: require that software and application providers use secure coding practices, and that all vendors including hardware providers test for security readiness—require testing documentation and transparency on secure coding practices in contract language.
- Develop policy and procedures, with executive-level direction and oversight, that focus on security for network-connected devices and address risks inherent in the Internet of Things. These documents should include rules on selecting hardware that incorporates security features, guidelines and schedules for performing penetration tests, and an end-of-life strategy.
- Create a robust Incident Response Plan (IRP) that prepares the enterprise for disruptive events. Incident Response teams should be trained in their roles and conduct regular tabletop testing for a range of potential scenarios, and customer-facing staff must be trained in understanding which customer-reported incidents need to be escalated to the CISO.
- Ensure a defense-in-depth security approach to protect the firm’s most valuable assets by implementing layered defenses against cybersecurity threats.
There’s little question that the Internet of Things is extremely enabling across product manufacturing, the supply chain, and product functionality itself. Yet it’s essential to understand that new connected devices bring new risks, and to learn both to understand and to mitigate them, so that the full promise of the technology can be realized while minimizing potential downsides. In cybersecurity, we understand that risk can’t be eliminated, but it can be minimized and proactively managed. The goal of each company integrating the IoT into the supply chain should be to fully understand its risks and deploy strategies to bring them to acceptable levels.