Full Report
The European Union Agency for Cybersecurity (ENISA) has published its guidelines for securing the internet of things supply chain. Kaspersky ICS CERT experts were among the contributors to the development effort.
Analysis Summary
# Best Practices: Securing the IoT Supply Chain
## Overview
These practices address the security vulnerabilities and systemic risks inherent in the Internet of Things (IoT) ecosystem. They focus on securing the entire lifecycle of an IoT product—from design and manufacturing to deployment and maintenance—ensuring that third-party components and software updates do not introduce threats into the organizational network.
## Key Recommendations
### Immediate Actions
1. **Inventory Assets and Vendors:** Catalog all IoT devices currently on the network and identify the manufacturers and service providers associated with them.
2. **Change Default Credentials:** Immediately rotate all factory-default passwords for existing IoT devices to unique, complex alternatives.
3. **Network Segmentation:** Use VLANs or firewalls to isolate IoT devices from critical business systems and sensitive data.
4. **Disable Unused Services:** Turn off non-essential protocols (e.g., Telnet, UPnP) on existing devices to reduce the attack surface.
### Short-term Improvements (1-3 months)
1. **Establish Secure Procurement Policies:** Update procurement contracts to include mandatory security requirements (e.g., hardware root of trust, encrypted communications).
2. **Vulnerability Monitoring:** Set up automated alerts for CVEs (Common Vulnerabilities and Exposures) related to used hardware and software components.
3. **Patch Management Process:** Standardize a workflow for testing and deploying IoT firmware updates in a controlled environment before rolling them out.
4. **Vendor Risk Assessments:** Evaluate the security posture of key IoT suppliers using standardized questionnaires and audits.
### Long-term Strategy (3+ months)
1. **Supply Chain Transparency (SBOM):** Require a Software Bill of Materials (SBOM) from all vendors to gain visibility into open-source and third-party libraries used in their code.
2. **Secure Development Lifecycle (SDLC):** For organizations developing their own IoT solutions, integrate security testing (SAST/DAST) into every stage of the build process.
3. **Zero Trust Architecture:** Implement continuous authentication and authorization for all IoT devices, moving away from perimeter-only security models.
4. **Product EOL Management:** Create an end-of-life strategy to replace or decommission legacy IoT devices that no longer receive security updates.
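The vulnerability-monitoring and SBOM items above can be joined into one automated check. As an added example (not code from the ENISA guidelines or from Kaspersky ICS CERT), this Python script matches the components listed in a CycloneDX-style SBOM against an advisory feed; the SBOM, the feed, the component versions and the advisory identifiers are all constructed placeholders, and the feed's `introduced`/`fixed` range shape is an assumption of this example.

```python
# Added example (not ENISA/Kaspersky code): match a CycloneDX-style SBOM against
# a vulnerability feed. SBOM, feed, versions and CVE IDs below are constructed.
import json
import re

# Constructed SBOM a vendor might ship with a firmware image.
SBOM_JSON = """{
  "bomFormat": "CycloneDX", "specVersion": "1.5",
  "metadata": {"component": {"name": "gateway-firmware", "version": "2.4.1"}},
  "components": [
    {"type": "library", "name": "libcurl", "version": "7.68.0"},
    {"type": "library", "name": "openssl", "version": "1.1.1w"},
    {"type": "library", "name": "mosquitto", "version": "2.0.15"}
  ]
}"""

# Constructed feed: affected range is [introduced, fixed). IDs are placeholders.
ADVISORIES = [
    {"id": "CVE-YYYY-0001", "component": "libcurl", "introduced": "7.50.0", "fixed": "7.84.0"},
    {"id": "CVE-YYYY-0002", "component": "openssl", "introduced": "3.0.0", "fixed": "3.0.9"},
    {"id": "CVE-YYYY-0003", "component": "mosquitto", "introduced": "2.0.0", "fixed": "2.0.16"},
]

def parse_version(v):
    """Turn '1.1.1w' into a comparable tuple of (number, suffix) per dotted part."""
    parts = []
    for piece in v.split("."):
        num, suffix = re.match(r"(\d*)(.*)", piece).groups()
        parts.append((int(num) if num else 0, suffix))
    return tuple(parts)

def is_affected(version, introduced, fixed):
    """True when introduced <= version < fixed (the fixed release itself is clean)."""
    return parse_version(introduced) <= parse_version(version) < parse_version(fixed)

def match_sbom(sbom_json, advisories):
    """Return [(component, version, advisory_id)] for each affected SBOM entry."""
    findings = []
    for comp in json.loads(sbom_json).get("components", []):
        for adv in advisories:
            if adv["component"] == comp["name"] and is_affected(
                    comp["version"], adv["introduced"], adv["fixed"]):
                findings.append((comp["name"], comp["version"], adv["id"]))
    return findings

if __name__ == "__main__":
    for name, version, adv_id in match_sbom(SBOM_JSON, ADVISORIES):
        print(f"ALERT {adv_id}: {name} {version} is in the affected range")
```

In practice the feed would be refreshed from a real source and the check rerun whenever a vendor delivers a new SBOM or firmware update, so the patch-management workflow starts from a known list of affected components.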
## Implementation Guidance
### For Small Organizations
- **Prioritize Visibility:** Use free network scanning tools to know what is connected.
- **Security by Default:** Buy "enterprise-grade" IoT devices, which are more likely than consumer-grade items to support modern security protocols.
### For Medium Organizations
- **Automated Management:** Implement IoT Discovery solutions to automate asset tracking.
- **Contractual Enforcement:** Work with legal teams to ensure vendors are contractually obligated to provide security updates for a defined period.
### For Large Enterprises
- **Dedicated IoT Security Team:** Establish a cross-functional group (IT, OT, and Security) to manage specific IoT risks.
- **Hardware Testing:** Conduct in-house or third-party penetration testing on new IoT hardware before approving it for the global "Gold Image" or deployment list.
## Configuration Examples
- **Protocol Hardening:** Configure IoT devices to use MQTT with TLS 1.3 for messaging and HTTPS for web interfaces.
- **Access Control:** Use 802.1X authentication, with digital certificates where devices support them and MAC-address-based authentication only as a fallback, to ensure only authorized IoT devices can join the corporate network.
## Compliance Alignment
- **NIST SP 800-213:** IoT Device Cybersecurity Guidance for the Federal Government.
- **ISO/IEC 27402:** Cybersecurity and privacy — Device baseline requirements.
- **ETSI EN 303 645:** Cyber Security for Consumer Internet of Things.
- **CIS Controls:** Particularly Control 01 (Inventory and Control of Enterprise Assets).
## Common Pitfalls to Avoid
- **Set-and-Forget Mentality:** Assuming IoT devices are secure once installed; they require ongoing maintenance and monitoring.
- **Shadow IoT:** Employees connecting unauthorized devices (smart bulbs, coffee makers) to the main corporate Wi-Fi.
- **Ignoring Physical Security:** Failing to protect physical access points (USB ports, local debugging pins like UART/JTAG) on IoT hardware deployed in public areas.
## Resources
- **ENISA IoT Security Guidelines:** hXXps://www.enisa.europa.eu/publications/guidelines-for-securing-the-iot-supply-chain
- **Kaspersky ICS CERT:** hXXps://ics-cert.kaspersky.com/
- **OWASP IoT Top 10:** hXXps://owasp.org/www-project-iot-top-10/
- **CISA Information on SBOM:** hXXps://www.cisa.gov/sbom