Securing the IoT Supply Chain

January 7, 2021

In November 2020, the European Union Agency for Cybersecurity released guidelines on securing the IoT supply chain. This can be a difficult task as all stages need to be considered, along with supply partners.

Concept Stage

In this stage of the supply chain, products are designed conceptually. The foundation of supply chain security starts here. It’s important to consider and identify potential threats to both the supply chain and the product at this early stage so proper attack prevention can be undertaken at every forward stage.

  • Create a catalogue of potential threats.
  • Ensure software libraries, cryptography and other building blocks are up to date.
  • Ensure visibility of security requirements to engineers and stakeholders.
  • Define both hardware and software security measures.
  • Create a recovery plan for future stages.

Development Stage

This stage involves the creation of a physical product, including semiconductor fabrication, component manufacturing and assembly, platform development, software embedding and device programming. This can be a difficult stage to secure due to the various tasks and teams involved.

  • Create a hardware root of trust as a secure foundation for cryptographic operations.
  • Use authenticated and tested parts to avoid security threats from fraudulent or faulty components.
  • Control access to firmware for updates and maintenance operations.
  • Use end-to-end robust provisioning mechanisms to guarantee the security of credentials and cryptographic information.
  • Review processes to ensure tampering has not occurred and security requirements have been met.

Production Stage

This stage involves mass production and ensuring the product reaches the end user. As IoT devices are usually composed of components and services from different vendors, this can be the most difficult stage to secure.

  • Certify IoT services offered by third parties to mitigate security risks.
  • Adopt security measures to reduce the risk of property theft.
  • Create a device identity for device fabrication tracking.

Utilization Stage

This stage involves bringing a device to full operation, including initialization, account set-up, network set-up and cloud service enrollment. In this stage, security practices are first implemented by the set-up technician but must be maintained the end user.

  • Manage access permissions of devices and platforms.
  • Balance user convenience with stringent security measures.
  • Provide security training to IoT service operators.
  • Provide technical support throughout the life cycle of the product.
  • Encourage adoption of optional security features by end users.

Support Stage

This stage involves continuous updates during the life cycle of a device for maintenance and attack prevention. Support can be performed locally or remotely.

  • Secure remote maintenance and update mechanisms using the chain of trust.
  • Implement security patches to mitigate emerging threats.

Retirement Stage

This stage involves the end of a device’s life cycle where it is scrapped or repurposed. Software may be erased or mined for data retrieval and archiving. Hardware may be destroyed or recycled.

  • Adopt secure data removal techniques to avoid sensitive information remaining on the device.


To truly secure the supply chain, security must be viewed as a continuous process. Transparency should be encouraged between stakeholders at all levels of the supply chain to reinforce trust and provide a framework for security guarantees. Workers and end users should be trained in best security practices.