IoT Security Starts with Securing the Entire Supply Chain


The frequency of cyber threats continues to exponentially increase, and bad actors are launching new attacks all the time, with no network or network-attached device being immune. With the rapid growth of the deployment of the Internet of Things (IoT), the attack surface has increased dramatically, and governments are starting to recognize and address the problem.

In a press release issued by the White House on July 18, 2023[1], Federal Communications Commission (FCC) Chairwoman Jessica Rosenworcel announced the new “U.S. Cyber Trust Mark” program. This labeling program is expected to be implemented in late 2024 with an initial goal to “raise the bar for cybersecurity across common devices, including smart refrigerators, smart microwaves, smart televisions, smart climate control systems, smart fitness trackers, and more”. Additional work is anticipated targeting home networking devices, such as modems and Wi-Fi routers.

The U.S. Cyber Trust Mark program aims to improve the cybersecurity and resilience of network-attached consumer devices with a set of baseline requirements such as strong password protections, data encryption, event logging and the ability to perform software updates. Other publications, best practice recommendations and standards from government agencies and independent Standards Development Organizations have had a similar focus.

TIA strongly supports these initiatives and recognizes their importance to improving the security of IoT devices. In this week’s White House announcement, Deputy National Security Advisor for Cyber Anne Neuberger said, “One of the most effective ways we sought for doing this is to bake cyber security into products from the beginning.” TIA strongly agrees with this statement and believes that key development and operational processes must be built into product and system designs.

This is the exact intent of TIA’s cyber/supply chain risk management standard, SCS 9001, which was initially introduced in 2022. Version 2.0 of SCS 9001 is expected to be released in the coming weeks and TIA will soon open a working group to address building secure IoT devices.

This global standard, which was developed by subject matter experts from leading global communications organizations, is network, device and technology agnostic and designed for the demanding and ever-changing needs of the ICT industry.

SCS 9001 is a comprehensive, powerful and independently certifiable standard developed to help evaluate and provide higher assurance that suppliers:

  • operate their businesses with integrity and transparency and are trustworthy,
  • conduct all aspects of operations with a high level of security consideration,
  • develop products and services with security built in from conception through the entire product lifecycle,
  • have the required controls to manage the security of their supply chains and hold their own vendors to a higher standard, and
  • have made requisite investments to support products through their operational lifetime including the ability to identify, mitigate and resolve vulnerabilities found post-deployment more quickly.

The U.S. Cyber Trust Mark program and SCS 9001 can be used together effectively to provide a higher level of security and resilience for the IoT consumer device industry and the networks they utilize.

TIA recently published a position paper that outlines the issues and describes the opportunities for significant IoT security improvements by first systematically addressing design processes from trusted suppliers.

Additionally, TIA will soon issue an open call to industry to participate in a new work group that will further enhance SCS 9001 for the evolving needs of the IoT industry. We hope that you will join us in this important endeavor.

To learn more about SCS 9001, contact us at supplychainsecurity@tiaonline.org.


[1] The press release is available at: https://www.whitehouse.gov/briefing-room/statements-releases/2023/07/18/biden-harris-administration-announces-cybersecurity-labeling-program-for-smart-devices-to-protect-american-consumers/

About Mike Regan

Mike Regan leads the activities of the Telecommunication Industry Association’s (TIA) QuEST Forum with a focus on business performance improvement standards and associated activities. Prior to joining TIA, Mike completed a successful 30+ year career as a senior engineering leader. He has led large development organizations delivering complex communications and networking products deployed in the business-critical production networks of premier public service providers, global cloud platforms, large enterprises and customer engagement centers. He has had a diversity of experiences from being a founding team and early-stage member of multiple VC-backed start-up companies up to billion-dollar enterprises. His responsibilities have included all aspects of product development: strategy and roadmap, technology assessment, architecture, development, maintenance, quality assurance, test automation, DevSecOps, systems integration, compliance, security, project management, product management, tooling, operations, technical publications, and vendor / partner management. Mike leverages his personal experiences in progressing the initiatives of the TIA QuEST Forum by working with industry participants, network operators and government agencies in the development and adoption of new standards for the Information and Communications Technology industry with a focus on product quality, software development, cyber-security and supply chain security. Mike holds a B.S.E.E. from Northeastern University, Boston.