TIA Invites Leading Organizations to Join the Global Effort to Strengthen IoT Supply Chain Security

Join leading global companies in shaping the future of IoT security with TIA-led work group

Arlington, VA (March 7, 2024) – The Telecommunications Industry Association—the trusted industry association for the connected world—today announced that its Supply Chain Security Working Group within the QuEST Forum community has issued an open call for global organizations to join the group and work collaboratively to enhance the TIA SCS 9001 standard to include Internet of Things (IoT) supply chain security. SCS 9001 is the first-ever Supply Chain Security Management System that tackles the growing threat of supply chain cyber-attacks head-on. TIA is seeking stakeholders within the IoT ecosystem to join this group and lend their experience and expertise to help define and enhance SCS 9001 in the area of IoT supply chain security.

“The lack of a single, universally accepted standard for IoT supply chain security risk management is a major challenge for organizations,” said Dave Stehlin, CEO, TIA. “Equipment and service providers, software and cyber security firms, IT and OT organizations, e-commerce companies and others are welcome to participate in this critical work group. Their valuable input and expertise will be key to helping us to deliver a comprehensive global standard designed to ensure the rapidly growing IoT supply chain is trusted and secure.”

“Building on the success of our recently introduced SCS 9001 cyber/supply chain risk management standard, and more than 80 years of creating and managing technical standards for the ICT industry, TIA is well positioned to bring the same trust and value to the IoT workgroup.”

The number of connected devices worldwide is growing exponentially and is projected to exceed 29 billion by 2027, a significant surge from the 16.7 billion sensors in 2023. These devices are utilized in a multitude of scenarios, ranging from consumer applications such as smart appliances to environment sensors in factories to connected medical devices in hospitals, and smart TVs or whiteboards in corporate meeting rooms. The lack of an industry-wide security standard for IoT operating systems and devices is a concerning issue, especially with 80% of companies incorporating IoT into their operations.

The emergence of IoT devices presents new cybersecurity challenges for organizations around the world to address. Safeguarding enterprise infrastructure is already a complex task, as highlighted by a 2023 IBM report stating that a data breach takes an average of 207 days to detect and results in an average cost of more than $4 million. Over the past year, several industries, including manufacturing, services firms and energy companies, have experienced a surge in cyberattacks. For example, Johnson Controls International recently experienced a ransomware attack in which malicious actors stole more than 27 terabytes of data, costing the company $27M. Given the abundance of intellectual property and proprietary designs in manufacturing, these firms are prime targets for financially motivated cybercriminals looking to sell confidential information to foreign entities.

With the proliferation of connected devices on the rise, governments and industry leaders worldwide are intensifying their efforts to safeguard consumers. In 2024, the new voluntary U.S. Cyber Trust Mark program is set to launch to help consumers identify and choose less vulnerable products by certifying and labeling IoT devices that meet National Institute of Standards and Technology (NIST) cybersecurity criteria. The UK Product Security and Telecommunications Infrastructure (PSTI) Regulation, which takes effect on April 29, 2024, will mandate manufacturers, importers and retailers to comply with cybersecurity protocols before introducing products to the market. Additionally, the EU Cyber Resilience Act (CRA) is on the horizon this year, aiming to regulate cybersecurity for all digital and connected products available in the EU.

While ongoing government initiatives play a crucial role in enhancing IoT security, many initiatives concentrate on enhancing consumer awareness and mitigating common vulnerabilities such as passwords and software updates. However, these efforts often lack the depth needed to tackle the core of IoT technology within the intricate supply chain encompassing billions of hardware and software components and subcomponents from a growing number of global suppliers. TIA’s SCS 9001 standard distinguishes itself by building assurance in a network operator’s or vendor’s supply chain practices.

“Complying with the various regulations on cybersecurity using different standards and processes can significantly delay precious time to market, especially in today’s digital global economy,” said Mike Regan, Vice President of Business Performance, TIA. “A global standard like SCS 9001 that can apply to the IoT industry and work in concert with other established measures would streamline time to market. Furthermore, without embedding robust security measures into product designs, IoT devices will remain susceptible to cyber threats, posing significant risks to consumers and businesses.”

Given the escalating risk landscape, addressing IoT security at the supply chain level is essential. Several global organizations, ranging from communications network operators and equipment manufacturers to edge device manufacturers, retailers, and software developers, have already committed to participating in the work group.

Stakeholders may include but are not limited to subject matter experts from: equipment manufacturers, software providers, network operators, service providers, consultants and retailers.

For questions or more information about SCS 9001 and how to participate in the supply chain work group, contact supplychainsecurity@tiaonline.org.

Contact

Urvi Shah, ushah@tiaonline.org

About TIA

The Telecommunications Industry Association (TIA), the trusted association for the connected world, represents more than 400 organizations that enable high-speed communication networks and accelerate next-generation technology innovation. As a member-driven organization, TIA advocates for our industry in the U.S. and internationally, develops critical standards, manages technology programs, and improves business performance, all to advance trusted global connectivity.