
B3-Approach

B2 Approach

Submissions were invited from representatives of IoT users and vendors and categorised into lists of actors, principles, attacks, references, characteristics, assets, objectives, mitigations, and definitions. Using these inputs as an initial guide, the working group developed the general characterisation of IoT device supply chains outlined above before proceeding to a threat analysis using the method of attack trees [3]. Security recommendations were developed to address these threats. In parallel, the group surveyed a range of standards and literature for known attacks and existing advice. Both were used to check the completeness of the ab initio analysis [4] before the recommendations were mapped into the Framework.

This Appendix (B) was created from a white paper generated by the IoTSF Supply Chain Working Group. Our thanks go to:

Editor and chair

  • Amyas Phillips, Ambotec Consulting

Working group members

  • Amit Rao, Trusted Objects
  • Anjana Priya, Microchip
  • Michael Richardson, Sandelman Software Works
  • Prof. Paul Dorey, CSO Confidential
  • Rob Brown, Jitsuin

Contributors

  • Alagar Gandhi, FCA
  • Alexandru Suditu, OMV Petrom
  • Andrew Frame, Secure Thingz / IAR Systems
  • Angela Mison, University of South Wales

  3. 1999, Bruce Schneier, Dr Dobb’s Journal, Attack Trees (see https://www.schneier.com/academic/archives/1999/12/attack_trees.html)
  4. A full bibliography is not provided here; however, special attention was given to associating actionable recommendations to the principles proposed in ENISA’s 2020 publication “Guidelines for Securing the Internet of Things: Secure Supply Chain for IoT”.