Latest from Network Reliability/Testing & Assurance/Cybersecurity/Safety

Photo 104387296 © Michael Borgers | Dreamstime.com
Dreamstime Xl 104387296 653028b96a08d

Big, Vast, and Complicated: IoT, Cybersecurity, and the Global Supply Chain

Dec. 18, 2023
Industry standards can address IoT cybersecurity concerns in the context of the global supply chain.

Industry standards and systems reduce risk in the deep complexities of global supply chains.

The scope of the Internet of Things (IoT) is expanding across network infrastructures, with millions of connected devices deployed in all kinds of environments for a wide range of business, industrial, and consumer use cases across all sectors. A new Worldwide Internet of Things Spending Guide released by International Data Corporation (IDC) estimates that investments in IoT will surpass $1 trillion in 2026.

As service providers and network operators expand broadband connectivity to homes, businesses, and cities nationwide, they support this ever-expanding IoT ecosystem and ensure the reliable transmission of substantial amounts of diverse and often critical IoT data. The proliferation of IoT also provides an opportunity for them to expand their offerings and reap new revenue streams.

Despite the significant benefits of IoT, widespread adoption demands that service providers and network operators ensure a high level of security—especially given the rise in frequency and sophistication of cyberattacks and the vulnerability of IoT devices. These efforts must start with securing the global supply chain and aligning with emerging global government and industry initiatives through straightforward, technology-agnostic baseline requirements.

“The global smart home market is projected to grow from $93.98 billion in 2023 to $338.28 billion by 2030.”

IoT Brings New Opportunities for Service Providers

IoT is everywhere and continues to expand with more connected systems, devices, and sensors from an ever-increasing number of suppliers across commercial, industrial, and consumer sectors. As emerging technologies like artificial intelligence (AI) and machine learning (ML) mature, more IoT devices that produce substantial data will be deployed. 

In the consumer market, smart home IoT devices are becoming popular. According to Fortune Business Insights, the global smart home market is projected to grow from $93.98 billion in 2023 to $338.28 billion by 2030, with an estimated 94 million U.S. households using smart home devices in the next four years. These devices include smart doorbell cams, thermostats, locks, detectors, outlets, lights, and appliances—to name a few. A study from Parks Associates found that 71% of U.S. broadband households also own connected entertainment devices, such as smart TVs, virtual reality headsets, and gaming consoles.

The growth of consumer IoT opens many opportunities for service providers and network operators to expand their offerings—everything from installation, setup, and technical support to data management and gateways for device connectivity.

Smart cities increasingly leverage IoT for applications related to public safety, energy management, smart lighting, smart traffic and parking, electrical vehicle charging, waste handling, air pollution monitoring, crowd monitoring, and more. Many service providers are unlocking new revenue streams by rolling out IoT solutions for municipalities. Nokia, AT&T, Verizon, and others have launched IoT smart city platforms for connecting, integrating, and orchestrating smart city operations.

IoT is also entering critical infrastructure sectors, including healthcare, manufacturing, transportation, telecommunications, finance, energy, water and wastewater, agriculture, and defense. Many of these applications fall under the government's definition of critical infrastructure, including connected IoT sensors and control devices used in critical pipelines. Critical infrastructure operation is increasingly contracted to service providers and network operators that can effectively aggregate data assets at the edge and enable transmission to cloud-based platforms.

Healthcare is one critical sector experiencing rapid IoT adoption that relies heavily on broadband connectivity. With increased healthcare costs and the growing shortage of physicians, healthcare providers are turning to remote telehealth experiences using connected cameras, speakers, and IoT devices for health monitoring and prevention of chronic conditions. These include connected stethoscopes, insulin pumps, and consumer wearables such as pulse oximeters, heart monitors, and blood pressure monitors, making medical care increasingly possible from patient homes.

“Critical infrastructure operation is increasingly contracted to service providers and network operators that can effectively aggregate data assets at the edge and enable transmission to cloud-based platforms.”

Cybersecurity Is the Greatest Concern

While ever-increasing IoT applications deliver significant benefits across all sectors and provide opportunities for service providers and network operators to enhance their offerings, cybercrime is expanding along with technology, global unrest, rising geopolitical tensions, and economic uncertainty.

IoT devices have become a key target due to their vulnerability. They are typically customized for specific functions with limited computational ability, which can inhibit ensuring adequate security measures. Vendors in the competitive IoT market also rely heavily on open-source software to keep prices down and improve speed to market. Highly distributed and ubiquitous open-source software is also often co-created and available for anyone to access and modify, increasing the potential for poorly written or undermanaged code that cybercriminals can easily exploit.

Consumer IoT devices add another layer of vulnerability due to a lack of consumer awareness, insecure home networks, weak passwords, and outdated software. According to a 2023 report by Check Point Research, high-risk vulnerabilities in IoT-related code bases jumped 130% over the past five years, and the first two months of 2023 saw a 41% increase in attacks targeting IoT devices compared to 2022.

Securing IoT devices against attacks that target critical infrastructure is paramount. If not properly secured, IoT devices in critical infrastructure risk unauthorized access that can wipe out services, damage the economy, and threaten public safety. One example is the 2021 breach where a computer hacker gained access to a Florida city water system and tried to pump in a dangerous amount of a chemical. Another is the famous ransomware attack that halted all pipeline operations of the Colonial Pipeline Company that carries fuel to the Southeastern U.S., causing significant gasoline price increases.

Cloud-based solutions that support IoT are also becoming a target. These solutions increasingly leverage open-source code to enable integration across diverse workloads, handle storage of large data sets, and provide broad access via public-facing applications. According to a 2023 Thales Global Cloud Security Study, cloud exploitation cases grew by 95% in 2022. While emerging technologies like AI/ML are helping cloud providers identify anomalies to detect malicious activity, cybercriminals also leverage these technologies to scan for vulnerabilities, automate malware, crack passwords, analyze stolen data, and formulate content used in social engineering attacks.

“The first two months of 2023 saw a 41% increase in attacks targeting IoT devices compared to 2022.”

New Regulations Help Address the Issue

Recent global government and industry initiatives aim to address IoT security, several of which directly impact service providers and network operators. The 2020 U.S. IoT Cybersecurity Improvement Act sets minimum security standards for IoT devices used by the federal government and prohibits agencies from procuring or using IoT devices considered "non-compliant" with standards developed by the National Institute of Standards and Technology (NIST). In September 2022, the Office of Management and Budget (OMB) issued Memorandum M-22-18, requiring federal agencies to comply with NIST guidance. In partnership with national security and counterintelligence agencies, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) also released the Enduring Security Framework that provides guidelines for software vendors on implementing secure development processes. As a result of these efforts, federal government stakeholders and partners must attest that they have an acceptable cybersecurity and supply chain risk management (C/SCRM) plan in place. That includes all eligible entities and sub-grantees of the Broadband Equity, Access, and Deployment (BEAD) Program. 

In 2021, Executive Order (EO) 14028 directed NIST to initiate pilot programs to educate the public and identify IoT cybersecurity criteria for consumer labeling. NISTIR 8425, Profile of the IoT Core Baseline for Consumer IoT Products, is the foundation for the U.S. Cyber Trust Mark program that supports this labeling requirement and is expected to be up and running in 2024. The program applies a distinct mark to consumer devices that meet established cybersecurity criteria, including smart home appliances and devices, entertainment devices, wearables, and more. Several manufacturers and retailers have announced their commitment to the program, including Amazon, Best Buy, Google, LG, Logitech, and Samsung.

Critical infrastructure and sectors vital to the economy and national security must also comply with the NIST Framework for Improving Critical Infrastructure Cybersecurity. Federal law requires anyone operating in critical infrastructure sectors—including service providers—to report any cybersecurity incidents or ransomware per the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) of 2022. Several other regulations and standards cover cybersecurity for specific sectors, such as the Consolidated Appropriations Act of 2023, which requires FDA-approved connected medical devices to meet certain cybersecurity requirements.

Securing the Global Supply Chain is Vital 

While global government and industry initiatives boost defenses in the public sector, many regulations focus on a specific industry or technology or only address apparent vulnerabilities. However, IoT systems and devices comprise hardware and software components and subcomponents from thousands of suppliers and locations worldwide across a vast, complex supply chain serving the private sector. Even reputable vendors may not be aware of vulnerabilities deep within open-source code and other subcomponents, especially if a device functions as expected.

Service providers must ensure that all components comprising their networks and IoT solutions are secure—from switches and routers to customer gateways and the IoT devices they connect. That means verifying that all equipment and device vendors have prioritized security across hardware and software development life cycles, including components and subcomponents such as open-source software.

A Supply Chain Industry Standard

To address these concerns, the SCS 9001TM Supply Chain Security Management System from the Telecommunications Industry Association (TIA) provides the level of detail and required processes needed to address cybersecurity deep within the supply chain. It’s a straightforward, technology-agnostic means to verify that networks and their supporting hardware and software components and subcomponents meet critical security benchmarks to mitigate the risk of cybersecurity attacks. It provides operational process criteria to ensure vendor corporate policies and procedures inherently deliver secure products and services. The recent SCS 9001 Release 2.0 is updated and expanded to ensure alignment with the latest global government policies and industry initiatives, while providing a simple, unified architecture with baseline requirements that apply to any technology, including emerging IoT and cloud-based applications.

While no single standard is sufficient for securing all components and applications, specifying vendor compliance to SCS 9001 allows network operators, service providers, system integrators, manufacturers, buyers, suppliers, and consumers to gain trust and confidence that network equipment, systems, devices, and sensors have been assessed for risk—providing a secure foundation for unlocking new business opportunities in IoT.

About the Author

Mike Regan | VP Business Performance, Telecommunications Industry Association (TIA)

Mike Regan is VP Business Performance at Telecommunications Industry Association (TIA). He has more than 30 years’ experience in Product Development and Supply Chain Security. For more information, email [email protected] or visit www.tiaonline.org. You can also follow TIA on Twitter, LinkedIn, and Facebook.