IoT supply-chain vulnerability poses threat to IIoT security
Most companies that construct products with the aid of IIoT-based operations are likely to keep close tabs on the supply chain that provides a predictable stream of raw materials and services that allows them to crank out products and keep the business humming.
But a second, underlying supply chain receives less scrutiny. And if the security of that supply chain is somehow compromised, business could grind to a halt.
That overlooked supply chain delivers the components that build out an IIoT infrastructure. The purchaser of those devices sits at the end of that supply chain and, from a security perspective, lacks sufficient transparency into it. In fact, it would be a challenge to track the origins of the internal elements that make up the delivered IIoT devices.
As a result, it’s not uncommon for IIoT-bound components to ship with exploitable security vulnerabilities. The complexity and global reach of the IIoT supply chain only compound the problem — a single device may be made from parts supplied by dozens of component manufacturers.
“Dozens of components made from companies around the world bounce through multiple layers of suppliers and integrators until they are placed on a board, tested and packaged by the OEM,” as noted in “Finite State Supply Chain Assessment,” a 2019 report from Finite State, an IoT cybersecurity company.
The Risks to IIoT Infrastructures Are Real and Many
Most network operators recognize IIoT supply chain risks, but specific vulnerabilities are difficult to isolate. These deployments are often far-reaching, extending beyond a manufacturer’s walls to shippers, merchants and other commerce partners. And as the network extends and includes additional integration points, the risk that a dicey bit of malicious code will replicate only increases. Indeed, the code itself may not be malicious but can present an open port that can compromise systems.
“Just seeing firsthand how many vulnerabilities tend to be in embedded systems—that’s where the asset owners don’t realize that those vulnerabilities exist in their systems,” noted Matt Wyckhouse, CEO of Finite State.
Once an IIoT environment is breached, malicious actors may use it as an entrée to burrow further into corporate systems. Industrial control systems (ICS) and other production systems may be at risk, but if interlopers can evade security roadblocks and delve even deeper, key corporate applications and related data might also be exposed. This is all attributable to questionable firmware that made its way into the supply chain that produces sensors, actuators and other operational IIoT.
To read the complete article, visit IoT World Today.