Dealing with Supply Chain IoT Vulnerabilities

May 5, 2019

Even though IoT cybersecurity risks are on the rise, becoming more severe as well as more frequent, organizations still don’t do enough to address them. For example, one of the main weaknesses in the process of developing any new IoT device or technology is still largely unregulated, which allows it to persist.

Of course, we are talking about the vulnerabilities of the supply chain and how difficult it is to ensure its security. While organizations themselves develop good cybersecurity practices, they are still vulnerable to the risks posed by the individual components provided by their suppliers. Let’s have a closer look at the issue of supply chain vulnerabilities:

Supply Chain Problems

Unfortunately, many possible vulnerabilities come from supply chains, and as of yet there is no unified standard that would help avoid them. Some regulations like GDPR and the Cybersecurity Act are expected to help a lot by making organizations take a more serious look at implementing cybersecurity. However, until now, most of the effort to ensure security is still on the client companies themselves, and suppliers could be doing more.

It’s easy to see why if we take statistics into account: the costs of data breaches are rising, and they are occurring more and more frequently from vulnerabilities of industrial equipment. In fighting this issue, it’s crucial for client companies and suppliers to become more aware of the dangers of lousy cybersecurity practices.

Implications of Poor Security in Industrial Components

It’s difficult to assure the security of all supplied components when there is no standardized security assurance framework. All kinds of problems may arise from not being able to trace issues through a supply chain, or eliminate counterfeiting and ensure transparency.

Client organizations tend to rely on suppliers to build at least a minimal amount of security protection into components, and guess what, that is not always the case. Adopting the best practices of safety-critical industries is a good example that could eventually lead to a standardized cybersecurity practice that all suppliers and manufacturers would have to adhere to. However, to cover cybersecurity, companies still can and should help to manage supply chain vulnerabilities and eliminate them.

What Companies Can Do to Manage Vulnerabilities

Organizations need to contribute to managing supply chain vulnerabilities by setting up procurement security requirements insisting on assuring the provenance and identity of every single product and component that their supply chain provides. Demanding ‘secure by default’ products and parts from the suppliers is a good practice that would do wonders in assuring that the overall security risks are low.

Some companies are already taking action, but it’s vital that these actions are adopted more widely. For example, some organizations like Google and Apple have developed their own cybersecurity risk management processes that deal with supply chain vulnerabilities if there are any. This sets an excellent standard for other companies and industries, which should improve their commitment to addressing cybersecurity concerns.

Key Takeaways

Supply chain vulnerabilities may pose significant cybersecurity risks for businesses and even large organizations. Without an adapted cybersecurity assurance framework, it’s difficult for organizations to ensure the security of the components they use.

Organizations can start by setting procurement requirements that oblige manufacturers and distributors to ensure all products are secure by default, or by adopting a Cybersecurity Assurance Framework. This framework must guarantee the following 4 goals:

  1. Simplify cybersecurity risk identification process and involve business lines
  2. Negotiate with OEMs/Manufacturers based on Security Profiles
  3. Cover all relevant Standards/Qualifications
  4. Implement “Security Assurance” activities