The proliferation of the IoT supply chain has been one of the defining technology success stories of our time. Across multiple sectors, the IoT has become the operational bedrock behind many systems and processes.

However, there is still lingering doubt about the security of these devices, doubt that has resurfaced in recent months after the discovery of the Ripple20 flaws – a collection of 19 exploitable bugs in a code module used across hundreds of millions of IoT devices, ranging from sensors in power grids to medical infusion pumps. While many of the affected vendors released software updates to mitigate the vulnerabilities, these were far from a complete fix: affected IoT devices in various sectors could not be updated or patched at all.

The Ripple20 story is unfortunately not an isolated one, but a microcosm of the IoT supply chain landscape. Device identity and authentication are often very rudimentary, relying on easily guessed or reused passwords that are never changed. In addition, because modern supply chains are so complex and multi-staged, security flaws can be present without the OEM’s knowledge.

In simple terms, far too many IoT devices have no built-in security protections or are shipped with default credentials that are widely available across the internet, often as a result of cutting security corners to reduce costs.

Another challenge is the complexity of the supply chain for IoT devices. The reason Ripple20 affects so many devices is that the code containing the vulnerabilities was developed by a third party, not the device manufacturer, as is common across supply chains. This means that the vulnerabilities do not just affect an isolated manufacturer, but every manufacturer that uses this code.

The complexity and lack of visibility across the supply chain leave many devices with a mix-and-match of code from different providers, and no way to ensure that all software elements are updated. Furthermore, many devices lack the Public Key Infrastructure (PKI) and authentication technologies needed to be secure.

As a result, supply chains that utilize vulnerable IoT components are themselves vulnerable.

To make IoT devices secure, manufacturers must build in security starting on the assembly line. Each device must have a strong identity programmed into it during manufacturing using an automated and secure PKI solution. Also essential to strong IoT security is ensuring that the components used in each device do not have security flaws, and that a mechanism is provided to securely update firmware once the device is in the field. If a device is secure from this initial stage, PKI is in place and secure updates are enabled, then it becomes possible to maintain the security of the device throughout its lifecycle and across the supply chain.
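As an added example (not code from the article or any vendor it mentions), the kind of secure firmware-update check the paragraph above calls for, in Go using only the standard library's Ed25519: the vendor signs a manifest covering the image hash and version, and the device accepts an image only if the signature verifies against the vendor public key provisioned at manufacturing, the hash matches, and the version is newer than the installed one (anti-rollback). Names, the manifest layout and the "installed version in protected storage" counter are hypothetical; on a real device that counter and the vendor key would live in TPM-backed or otherwise protected storage.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/binary"
	"errors"
)

// Manifest accompanies a firmware image. The vendor signs Version||ImageHash,
// so the version number cannot be altered to sneak an old image past rollback.
type Manifest struct {
	Version   uint32
	ImageHash [32]byte
	Signature []byte
}

// signedBytes is the exact byte string covered by the vendor signature.
func signedBytes(version uint32, hash [32]byte) []byte {
	buf := make([]byte, 4+32)
	binary.BigEndian.PutUint32(buf, version)
	copy(buf[4:], hash[:])
	return buf
}

// SignFirmware runs on the vendor's build system (hypothetical vendor-side
// step); the private key never leaves it.
func SignFirmware(priv ed25519.PrivateKey, version uint32, image []byte) Manifest {
	h := sha256.Sum256(image)
	return Manifest{Version: version, ImageHash: h, Signature: ed25519.Sign(priv, signedBytes(version, h))}
}

// VerifyUpdate runs on the device before anything is written to flash. It trusts
// only the provisioned vendor public key and the monotonic installed-version counter.
func VerifyUpdate(vendorPub ed25519.PublicKey, installedVersion uint32, m Manifest, image []byte) error {
	if !ed25519.Verify(vendorPub, signedBytes(m.Version, m.ImageHash), m.Signature) {
		return errors.New("manifest signature invalid: not signed by the provisioned vendor key")
	}
	if sha256.Sum256(image) != m.ImageHash {
		return errors.New("image hash does not match the signed manifest")
	}
	if m.Version <= installedVersion {
		return errors.New("rollback rejected: version is not newer than the installed one")
	}
	return nil
}
```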

Effective security relies on combining hardware, specifically hardware secure elements such as Trusted Platform Module (TPM) chips, with digital security certificates. Once a TPM chip is built in, it protects against a wide range of currently known attacks, making the supply chain it operates across more secure by design.

Ultimately, supply chains are convoluted and IoT security is an ongoing challenge. Supply chains that leverage multiple suppliers in building IoT devices are at even greater risk. This complex ecosystem demands a security-by-design approach, so that manufacturers can be assured that the device is secure from the point of creation and security remains in place throughout the device’s lifecycle.