The security challenge in the IoT ecosystem involves all players: device makers, organizations deploying the devices, integrators, regulators, and individual private users. Although each player can improve the security posture to some extent, the ability to drive real change lies with the first link in the chain—the device makers.
The device makers' challenge lies in a supply chain process that lacks visibility into the third-party components their devices include. Moreover, even when device makers are aware of insecure components, waiting for third-party providers to fix their code or to respond to a discovered vulnerability may take months or even years. Device makers rarely receive access to the source code needed to fix third-party components themselves, and even when they do, the fix may demand considerable time, resources, and skills. The challenge is harder still with open-source code when the device includes packages that the community no longer maintains. Device makers must gain visibility into their device components in order to generate a bill of materials (BOM) per device and to make the process of fixing critical security issues quick and scalable. Such a process is fast only when it focuses on mitigating and hardening security gaps, driven by a balanced prioritization of security requirements, rather than on broad code fixing, which takes longer and slows both time to market and IoT adoption as a whole.
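As an added illustration of the per-device BOM and prioritization described above (example code written for this page, not from the original article or any vendor tool), the following Python builds a minimal BOM from a constructed component inventory and ranks components by remediation urgency. The inventory, component names, and the scoring weights are all assumptions chosen for the example; an unmaintained upstream raises a component's priority because the device maker must mitigate or harden locally instead of waiting for a fix.

```python
import json

# Constructed inventory for one hypothetical device; names and values are made up for this example.
DEVICE_INVENTORY = {
    "device": "example-gateway",
    "firmware_version": "1.4.2",
    "components": [
        {"name": "libtls-example", "version": "2.1.0", "supplier": "vendor-a",
         "upstream_supported": True, "network_exposed": True, "known_issue_severity": "high"},
        {"name": "oldjson", "version": "0.9", "supplier": "open-source",
         "upstream_supported": False, "network_exposed": True, "known_issue_severity": "high"},
        {"name": "led-driver", "version": "3.0", "supplier": "vendor-b",
         "upstream_supported": True, "network_exposed": False, "known_issue_severity": "none"},
    ],
}

# Assumed severity weights; a real program would derive these from its vulnerability feed.
SEVERITY_SCORE = {"none": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}


def build_bom(inventory):
    """Emit a minimal per-device BOM: one record per component, without the triage fields."""
    return {
        "device": inventory["device"],
        "firmware_version": inventory["firmware_version"],
        "components": [
            {"name": c["name"], "version": c["version"], "supplier": c["supplier"]}
            for c in inventory["components"]
        ],
    }


def prioritize(inventory):
    """Rank components with a known issue by urgency.

    Score = severity weight, +2 if reachable from the network, +1 if upstream no longer
    maintains the component (the maker cannot wait for a supplier fix).
    """
    ranked = []
    for c in inventory["components"]:
        score = SEVERITY_SCORE[c["known_issue_severity"]]
        if score == 0:
            continue  # nothing known to fix; keep it in the BOM but out of the work queue
        score += 2 if c["network_exposed"] else 0
        score += 0 if c["upstream_supported"] else 1
        action = ("request supplier fix, apply interim hardening" if c["upstream_supported"]
                  else "mitigate and harden locally; plan replacement")
        ranked.append({"name": c["name"], "score": score, "action": action})
    return sorted(ranked, key=lambda r: (-r["score"], r["name"]))


if __name__ == "__main__":
    print(json.dumps(build_bom(DEVICE_INVENTORY), indent=2))
    for item in prioritize(DEVICE_INVENTORY):
        print(f"{item['score']:>2}  {item['name']:<16} {item['action']}")
```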