The Internet of Things (IoT) has the potential to bring substantial improvements to businesses in many sectors. IoT devices are providing manufacturers and retailers with the ability to track a huge amount of data about components and products passing through geographically distributed supply chains, and use this data to improve operations.
Advanced sensors and software give near real-time information on the location, ownership, and status of physical items and systems. Companies are already implementing IoT technology to drive business performance, for example:
Factories are linking tablets or smart glasses used to plan out a specific manufacturing task with robotic tools that can carry it out,
Tracking systems are generating data that can remotely determine the predictive maintenance schedules and priorities of fleet vehicles, and
Agricultural equipment and crop cycle monitoring tools are enabling highly efficient ‘precision farming.’
However, IoT systems involve integrating a large number of new devices into business networks, which brings an increased cybersecurity risk. The digitization of supply chain information and processes is increasing both automated communication between machines and manual links between organisations, all of which must be secured.
Individual IoT devices (both physical and virtual) with remote control and two-way data exchange represent new nodes on the network, many of which can be accessed by multiple stakeholders, sometimes concurrently. Suppliers also collaborate and transact by interfacing with systems used to manage the flow of goods, components and capital – sensitive information which requires high levels of protection and trust.
IoT machines typically have very specific functionality and little processing capacity, so the data they collect is automatically sent to other systems for storage and use. This increase in machine-to-machine communication results in both the exciting new business capabilities mentioned above, and an exponentially expanding attack space.
Unrecorded component-level fallibilities propagating through the chain,
Counterfeit machines that are not tested, protected or tracked effectively,
Corruption of IoT devices during the transit of goods, or
Incompatibility of hardware and software leading to unsecured workarounds.
Fundamentally, the overall security of an IoT-enhanced supply chain relies on the ability to ensure all communication is authenticated. This is achieved by uniquely identifying, securing, and managing each individually connected machine on an ongoing basis. Further, this capability needs to be trusted, efficient and able to scale rapidly to meet changing business objectives.
Monitoring the full portfolio of connected machines, and their associated authentication certificates, can only be done at scale with a dedicated, automated system. Robust standards and policies also help (for example, take a look at the Venafi guide on best practices for SSH key management), provided businesses in the supply chain commit to enforcing and updating them.
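As an added illustration (not code from this article or from any Venafi product), the sketch below shows the kind of checks an automated inventory audit can run over a portfolio of machine identities: missing certificates, untrusted issuers, expiry, and one key shared by several devices. The record format, device names, issuer names and the `audit` function are all assumptions constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample inventory: one record per connected machine, in a
# hypothetical export format. Every value here is made up for illustration.
INVENTORY = [
    {"device": "sensor-001", "key_fp": "aa11", "issuer": "Plant-CA", "not_after": "2030-01-01"},
    {"device": "sensor-002", "key_fp": "aa11", "issuer": "Plant-CA", "not_after": "2030-01-01"},
    {"device": "tracker-17", "key_fp": "bb22", "issuer": "Plant-CA", "not_after": "2024-02-01"},
    {"device": "pallet-tag-8", "key_fp": "ee55", "issuer": "Plant-CA", "not_after": "2023-12-01"},
    {"device": "gateway-3", "key_fp": "cc33", "issuer": "Unknown-CA", "not_after": "2030-01-01"},
    {"device": "camera-9", "key_fp": None, "issuer": None, "not_after": None},
    {"device": "robot-arm-4", "key_fp": "dd44", "issuer": "Plant-CA", "not_after": "2030-06-01"},
]
TRUSTED_ISSUERS = {"Plant-CA"}  # assumption: the CAs this organisation accepts
SAMPLE_NOW = datetime(2024, 1, 15, tzinfo=timezone.utc)  # fixed clock for the sample


def audit(inventory, now, renew_window_days=30):
    """Return {device: [findings]} for every machine that needs attention."""
    findings = defaultdict(list)
    devices_by_key = defaultdict(list)
    for rec in inventory:
        dev = rec["device"]
        if not rec["key_fp"]:
            # A machine on the network with no identity cannot be authenticated.
            findings[dev].append("no-certificate")
            continue
        devices_by_key[rec["key_fp"]].append(dev)
        if rec["issuer"] not in TRUSTED_ISSUERS:
            findings[dev].append("untrusted-issuer")
        expires = datetime.strptime(rec["not_after"], "%Y-%m-%d").replace(tzinfo=timezone.utc)
        if expires <= now:
            findings[dev].append("expired")
        elif expires - now <= timedelta(days=renew_window_days):
            findings[dev].append("renew-soon")
    # An identity is only unique if no two machines present the same key.
    for devs in devices_by_key.values():
        if len(devs) > 1:
            for dev in devs:
                findings[dev].append("shared-key")
    return dict(findings)


if __name__ == "__main__":
    for dev, issues in sorted(audit(INVENTORY, SAMPLE_NOW).items()):
        print(f"{dev}: {', '.join(issues)}")
```

Machines that pass every check, such as the constructed `robot-arm-4`, are absent from the result, so the output is the worklist for renewal, re-enrolment or investigation.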
But, as usual, one of the most important aspects of ensuring cybersecurity is human judgement.
Companies need to be highly selective when deciding which IoT devices to integrate, ideally opting for machines designed for security. The operations of vendors and partners should be carefully evaluated, as security relies on all of the actors in a supply chain and weak links can break it.
In fact, clearly demonstrating a commitment to supply chain cybersecurity can be positioned as a competitive advantage, even helping to streamline compliance and procurement qualification processes. Companies taking a leading role can more confidently deploy innovative new IoT capabilities and can also stand out as trusted and knowledgeable organisations taking cyber threats seriously.
Through effective and efficient machine identity protection, businesses can secure their supply chains today, and safely put the power of new IoT capabilities to work tomorrow.