2.4.14 Secure Supply Chain Production
This section's intended audience is for those personnel who are responsible for the security of the IoT Product or Services' Supply Chain and Production.
Req No | Requirement | Compliance Class And Applicability | Primary Keyword | Secondary Keyword |
---|---|---|---|---|
2.4.14.1 | Ensure the entire production test and calibration software used during manufacture is removed or secured before the product is dispatched from the factory. This is to prevent alteration of the product post manufacture when using authorised production software, for example hacking of the RF characteristics for greater RF ERP. Where such functionality is required in a service centre, it shall be removed upon completion of any servicing activities. | Mandatory for Class 2 and above | System | Software |
2.4.14.2 | Any hardware design files, software source code and final production software images with full descriptive annotations are stored encrypted in off-site locations or by a 3rd party Escrow service. | Advisory for all classes | Business | Process |
2.4.14.3 | In manufacture, all the devices are logged by the product vendor, utilizing unique tamper resistant identifiers such as serial number so that cloned or duplicated devices can be identified and either disabled or prevented from being used with the system. | Mandatory for Class 1 and above | Business | Process |
2.4.14.4 | The production system for a device has a process to ensure that any devices with duplicate serial numbers are not shipped and are either reprogrammed or destroyed. | Mandatory for Class 1 and above | Business | Process |
2.4.14.5 | Where a product includes a trusted Secure Boot process, the entire production test and any related calibration is executed with the processor system operating in its secured boot, authenticated software mode. | Advisory for all classes | Business | Process |
2.4.14.6 | A securely controlled area and process shall be used for device provisioning where the production facility is untrusted. | Advisory for all classes | Business | Process |
2.4.14.7 | A cryptographic protected ownership proof shall be transferred along the supply chain and extended if a new owner is added in the chain. This process shall be based on open standards such as Enhanced Privacy ID, Certificates per definition in ISO 20008/20009 [ref 42]1. | Mandatory for Class 1 and above | Business | Process |
2.4.14.8 | An auditable manifest of all libraries used within the product (open source, etc.) is maintained to inform vulnerability management throughout the device lifecycle and whole of the support period. | Advisory for all classes | Business | Process |
2.4.14.9 | In manufacture, all encryption keys that are unique to each device are either securely and truly randomly internally generated or securely programmed into each device in accordance with industry standard FIPS140-2 [ref 5]2 or equivalent. Any secret key programmed into a product at manufacture is unique to that individual device, i.e. no global secret key is shared between multiple devices, unless this is required by a licensing authority. | Mandatory for Class 2 and above | Business | Process |
2.4.14.10 | An authorised actor in physical possession of a device can discover and authenticate its ROT-backed logical identity e.g. for inspection, verification of devices being onboarded (this may need electrical connection). | Mandatory for Class 2 and above | Business | Process |
2.4.14.11 | Devices are shipped with readily-accessible physical identifiers derived from their ROT-backed IDs. This is to facilitate both tracking through the supply chain and for the user to identify the device-type/model and SKU throughout the support period. | Mandatory for Class 1 and above | Business | Process |
2.4.14.12 | IoT devices' RoT-backed logical identity is used to identify them in logs of their physical chain of custody. This is to facilitate tracking through the supply chain. | Mandatory for Class 2 and above | Business | Process |
2.4.14.13 | Products ship with information (documents or URL) about their operations and normal behaviour e.g. domains contacted, volume of messaging, Manufacturer Usage Description (MUD). | Mandatory for Class 2 and above | Business | Process |
2.4.14.14 | Procedures for proper disposal of scrap product exist at manufacturing facilities, and compliance is monitored. This to prevent scrap entering grey markets. | Mandatory for Class 2 and above | Business | Process |
2.4.14.15 | Production assets are encrypted during transport to the intended production facility, area or system, or delivered via private channel. Examples of production assets include firmware images, device certificate CA keys, onboarding credentials, production tools and manufacturing files. | Mandatory for Class 2 and above | Business | Process |
2.4.14.16 | Device firmware images and configuration data are secured against unauthorised modification in manufacturing environments, including during programming. If IP protection is required then the images and data need to be protected against unauthorised access. | Mandatory for Class 2 and above | Business | Process |
2.4.14.17 | Steps have been taken to prevent inauthentic devices from being programmed with confidential firmware images and configuration data. This is to prevent IP theft and reverse engineering. | Mandatory for Class 2 and above | Business | Process |
2.4.14.18 | Steps have been taken to prevent inauthentic devices from being signed into certificate chains of trust or otherwise onboarded. For example, a policy or checklist describing which devices may be onboarded exists and is followed. | Mandatory for Class 2 and above | Business | Process |
2.4.14.19 | Device certificate signing keys and other onboarding credentials are secured against unauthorised access. For example, they may be stored encrypted and managed or created by an HSM and delivered by the secure signing process. | Mandatory for Class 2 and above | Business | Process |
2.4.14.20 | If time critical delivery of products is needed, availability of production resources accessed in real time over the Internet is assured, by providing them with alternative access channels not susceptible to DOS attacks. | Mandatory for all classes | Business | Process |
2.4.14.21 | Operators of production servers, computers and network equipment keep their software up to date and monitor them for signs of compromise e.g. unusual activity. | Mandatory for Class 2 and above | Business | Process |
2.4.14.22 | The OEM retains authorisation of secure production control methods to prevent a third party manufacturer (CEM etc.) from producing overproduction and/or unauthorised devices. | Mandatory for Class 2 and above | Business | Process |
2.4.14.23 | The supplier or manufacturer of any devices and/or services shall provide information about how the device(s) removal and/or disposal or replacement shall be carried out to maintain the end user’s privacy and security, including deletion of all personal information from the device and any associated services. | Mandatory for Class 2 and above | Business | Process |
2.4.14.24 | An end of life disposal process shall be provided to ensure that retired devices are permanently disconnected from their cloud services and that any confidential user data is securely erased from both the device and the cloud services. | Mandatory for Class 1 and above | Business | Process |
2.4.14.25 | Where contractual supply arrangements and software licence agreements allow, a software bill of materials (SBOM) shall be available and notified (URL) to customers with product documentation. | Mandatory for Class 2 and above | Business | Process |
Footnotes
-
EU ENISA guidance of Cyber Security Risk Management [https://www.enisa.europa.eu/topics/threat-risk-management/risk-management] ↩
-
FIPS PUB 140-2, Security Requirements for Cryptographic Modules, May 2001. [http://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.140-2.pdf] ↩