IoT security is a mess. These guidelines could help fix that

New guidelines from ENISA recommend that all stages of the IoT device lifecycle need to be considered to help ensure devices are secure.

Cybersecurity: Why supply chain weaknesses make you easy pickings for hackers

The supply chain around the Internet of Things (IoT) has become the weak link in cybersecurity, potentially leaving organisations open to cyberattacks via vulnerabilities they're not aware of. But a newly released set of guidelines aims to ensure that security forms part of the entire lifespan of IoT product development.

The Guidelines for Securing the IoT – Secure Supply Chain for IoT report from the European Union Agency for Cybersecurity (ENISA) sets out recommendations throughout the entire IoT supply chain to help keep organisations protected from vulnerabilities that can arise when building connected things.

One of the key recommendations is that cybersecurity expertise should be further integrated into all layers of organisations, including engineering, management, marketing and others so anyone involved in any part of the supply chain has the ability to identify potential risks – hopefully spotting and addressing them at an early stage of the product development cycle and preventing them from becoming a major issue.

SEE: A winning strategy for cybersecurity (ZDNet special report) | Download the report as a PDF (TechRepublic)

It's also recommended that 'Security by Design' is adopted at every stage of the IoT development process, focusing on careful planning and risk management to ensure that any potential security issues with devices are caught early.

"Early decisions made during the design phase usually have impactful implications on later stages, especially during maintenance," said the report.

Another recommendation is that organisations throughout the product development and deployment cycle should forge better relationships in order to address security loopholes that may arise when there's no communication between those involved.

These include errors in design due to lack of visibility in the supply chain of components – something that can happen when there's misunderstandings or lack of coordination between parts manufacturers and the IoT vendor.

However, not all responsibility should reside with IoT manufacturers. The paper also recommends that customers and end-user organisations need to play a role in supply-chain implementation and can "benefit greatly from dedicating resources to studying the current landscape and adapting the existing best practices to their particular case".

"Securing the supply chain of ICT products and services should be a prerequisite for their further adoption particularly for critical infrastructure and services. Only then can we reap the benefits associated with their widespread deployment, as it happens with IoT," said Juhan Lepassaar, executive director or ENISA.

MORE ON CYBERSECURITY