Analysis

How to Manage Supply Chain Risks in the Fast-Changing World of the Internet of Things (IoT)

Discover how the rise of IoT technology is exposing organisations to new cyber security and supply chain risks.

The Fourth Industrial Revolution, or Industry 4.0, is transforming manufacturing and industrial processes through the integration of advanced technologies like the Internet of Things (IoT). With IoT devices and systems becoming entrenched into the way we operate our businesses – and manage our lives – what are the implications for third-party risk management? And how can organisations address the vulnerabilities associated with complex IoT supply chains?

Welcome to the IoT-driven industrial revolution 

The World Economic Forum has identified the Fourth Industrial Revolution (or Industry 4.0) as a new chapter in human development and economic progress, enabled by transformational advances in technology akin to those that powered the first, second and third industrial revolutions. Today’s technological advances are enabling the physical, digital and biological worlds to be merged in ways that open up exciting new opportunities for people, organisations and the planet. 

At the heart of this technological revolution is the Internet of Things (IoT). The IoT is a vast network of interconnected devices capable of gathering, analysing and sharing data at speed and scale through internet connectivity.

IoT unlocks automation, efficiency and innovation

IoT devices and systems come in many different forms and perform a vast range of functions. At a personal level, they include fitness trackers, smart speakers, in-car navigation systems, smart meters and gaming consoles.

On an industrial level, the IoT has been adopted to accelerate automation, innovation and efficiency in many sectors. In transport and logistics, for example, IoT technology is used to track goods and vehicles in real time, to optimise route planning and improve fleet management. In manufacturing, real-time data insights are used for proactive maintenance, efficient resource allocation and predictive analysis to help minimise downtime, maximise productivity and streamline processes. In urban development, IoT systems are being deployed to create smart cities, where networks of sensors are used to optimise traffic management, improve energy efficiency and enhance public safety.

By embracing IoT technologies, organisations are accessing new opportunities for growth, differentiation and sustainability. But the proliferation of these intricately connected devices in every aspect of our lives comes with significant potential risks – not least from cyber attacks.

New cyber security and third-party risks in the IoT landscape

As IoT devices become fundamental to the safe and efficient operation of critical infrastructure, manufacturing processes and logistical operations, as well as our everyday lives, the need for stringent cyber security protection becomes paramount. This is especially true because IoT devices, by their very nature, have to be deeply integrated into organisations’ own networks, and be connected to their own systems.

The challenge this poses for security teams is not only to ensure that these devices are securely implemented and integrated, and then securely configured and managed. Security teams must also review and assure the security of the vendors that produce and sell these devices, and of those vendors' own supply chains. This is especially crucial in today's rapidly worsening geopolitical environment, since IoT device manufacturers rely heavily on a wide range of suppliers, often located around the world and especially in Asia, for the components of their final products, including:

  • Microprocessors and microcontrollers
  • Sensors (e.g. temperature, motion, pressure)
  • Wireless connectivity modules (e.g. Wi-Fi, Bluetooth, cellular)
  • Memory chips
  • Batteries
  • Printed circuit boards (PCBs)

This means that the rapidly expanding IoT landscape, with its complex corporate and software supply chains, represents a formidable third-party risk management challenge for CISOs as the Fourth Industrial Revolution unfolds.

Some of the more specific cyber security risks associated with the proliferation of IoT devices include: 

  • Expanded attack surface: The sheer number of connected devices now in operation significantly increases the number of potential entry points available to malicious attackers anywhere in the supply chain. This raises concerns about the privacy and confidentiality of data handled by IoT networks. These concerns are exacerbated by the fact that the interfaces IoT devices use to connect, such as Bluetooth and Wi-Fi, often provide easy entry points for onward attacks into connected systems, especially if they are not sufficiently secured.
  • Lack of visibility: Given the vast number of devices in daily use throughout any organisation, it is extremely difficult for IT teams to maintain a complete inventory of the IoT devices connected to their networks. That makes it very challenging to track, monitor and secure all endpoints. This lack of visibility also makes it difficult to update and patch devices regularly, leaving them vulnerable to hackers.
  • Software supply chain vulnerabilities: Third-party software components, libraries and drivers used in IoT devices may themselves contain vulnerabilities that can be exploited by hackers. There is currently no common security protocol for IoT technologies, resulting in variable security measures across different devices. Weak security protocols make IoT devices susceptible to data interception and tampering. The European Union Agency for Cybersecurity (ENISA) has long argued for ‘security by design’ to be woven into digital products by default, and has called for specific security guidelines to be set for IoT ecosystems.
  • Hardware tampering: Before devices are even brought into a business, criminals can potentially insert malicious code or modify components during manufacturing or distribution (as alluded to earlier), which could compromise the security of those devices. Many IoT devices also have limited computational power, so they are unable to support robust security measures such as strong encryption.
  • Shadow IoT: Employees may bring a whole range of personal IoT devices into the workplace and connect them to company networks via the internet. Many IoT devices have weak authentication and authorisation mechanisms, such as default or simple passwords. Any unauthorised, insecure or improperly configured devices used in the workplace could pose security risks to the organisation.
  • Data management: IoT networks generate huge quantities of data, which can be overwhelming for IT teams to manage, store and analyse. If organisations do not have the infrastructure or security expertise to protect and maintain this data, it can be vulnerable to exploitation.
  • Complex supply chains: IoT supply chains are likely to involve multiple vendors and manufacturers, meaning that assessing cyber security measures throughout the supply chain and ensuring end-to-end security can be challenging. Suppliers may also be located around the world, in countries with different regulatory environments, making it difficult to maintain compliance as data is exchanged between regions.

If IoT is to support the transformational change envisioned by the World Economic Forum, it must be allowed to fulfil its potential as a fully integrated and interconnected ecosystem. To do that, however, while ensuring the safety of the evolving ecosystem, cyber security must be hardwired into the development and delivery of all IoT solutions. 

In its report Guidelines for Securing the Internet of Things, ENISA emphasises that IoT security needs to be considered at all stages of the supply chain, from early conceptual design to end-user delivery. But until that happens, what cyber security measures can organisations take today to protect themselves and their data?

Adapting TPRM to address IoT supply chain threats 

Meticulous third-party risk management (TPRM) has a leading role to play in addressing many of the risks posed by IoT technologies and networks today. A comprehensive TPRM programme for IoT supply chains should be built around:

  1. Vendor assessments. IoT-specific assessment criteria should be developed for third-party vendors, focusing on both the technical aspects of IoT devices and the operational practices of vendors.
  2. Continuous monitoring. Real-time monitoring should be implemented for all third-party IoT devices and their producers/vendors, so IT teams can quickly identify security weaknesses or vulnerabilities that could lead to a cyber security breach.
  3. Data protection and privacy. Safeguarding data and confidentiality is one of the greatest challenges associated with managing IoT networks. Organisations should establish clear data-handling and data-protection requirements for all third-party IoT integration and service providers.
  4. Incident response planning. In the event of any cyber security breach, organisations must be able to respond rapidly and effectively to minimise impacts on the business, its customers and suppliers. That means collaborating with key third-party IoT providers to develop and test joint incident response procedures, so they are ready to swing into action if the worst happens.
  5. Contractual safeguards. Companies should establish IoT security and performance standards and incorporate these into all third-party contracts and service level agreements.
  6. Trusted relationships. Prioritise working with suppliers that can provide cyber security guarantees, both for their own processes and for the IoT systems they supply or support. Work together with suppliers to develop or adapt existing standards and good practices so they can be applied to the IoT supply chain.

Security first: How to embrace the potential of IoT technologies 

Ultimately, cyber security needs to be embedded into the end-to-end development and deployment of IoT devices and ecosystems, if the full potential of this powerful and far-reaching technology is to be realised. Until that goal is achieved, organisations must take rigorous precautions to protect themselves against the vulnerabilities associated with today’s rapidly expanding IoT supply chains.

For individual organisations, that means implementing robust third-party risk management to combat IoT-related cyber security threats. As IoT networks grow and continue to drive Industry 4.0, organisations must adapt their TPRM strategies to address the specific risks presented by this technological revolution. CISOs and IT risk managers who proactively adapt their approaches today will not only help to minimise the risks to their organisations, but will also better position themselves to harness the full benefits of the intricately connected IoT ecosystems of tomorrow. 

Look out for future articles from Risk Ledger on how third-party risk management can be deployed to protect organisations and supply chain partners in a fast-changing world.
