“IoT supply chain security: challenges and impacts”

IoT Day Roundtable – 8 April 2024

Online roundtable with the participation of ENISA, NIST, EUROSMART, ECSO, BEUC, TUVIT, and EY.

The DOSS – Secure-By-Design IoT Operation With Supply Chain Control – project aims to improve the security and reliability of IoT operations by introducing an integrated monitoring and validation framework for IoT supply chains that involves all relevant stakeholders. DOSS develops a secure-by-design methodology and implements the supporting technology, based on formalized data exchange, component testing, and architecture modelling.

The DOSS project establishes a “Supply Trust Chain” by integrating the key stages of the IoT supply chain into a digital communication loop for the exchange of security-related information. The technology includes security verification of all hardware and software components of the modelled architecture. A new “Device Security Passport” will be defined, containing security-relevant information about hardware devices and their components. Third-party software, open-source applications, and in-house developments will all be tested and assessed.

The centrepiece of the proposed solution is a flexibly configurable Digital Cybersecurity Twin able to simulate diverse IoT architectures. It will employ AI to model complex attack scenarios, discover attack surfaces, and derive the necessary protective measures. The digital twin will feed a configurable, automated Architecture Security Validator module, which will assess the modelled IoT architecture against selectable security standards and KPIs and provide a pre-certification for it.

To also ensure adequate coverage of the back end of the supply chain, the operation of the architecture will be protected by secure device onboarding, a range of security and monitoring technologies, and a feedback loop that shares security-relevant information with the digital twin and with the actors of the supply chain.

The procedures and technology will be validated in three IoT domains: automotive, energy, and smart home.