CIRI researchers improve the resilience, security of IoT supply chain

6/19/2019 Ashley Albrecht, CIRI

CIRI researchers Nasir Memon and Quanyan Zhu, computer science professors at New York University, are seeking to understand how a disruption in one device connected to the Internet of Things (IoT) can cascade through the entire supply chain. As Memon explains, “Going forward, everything is becoming digital. Your car, refrigerator, and toothbrush may soon be connected.” While this connectivity provides many benefits, it also introduces new risks, making security at the IoT-system level a necessity.

One critical component of IoT security is ensuring that all of the parts supplied by vendors are trustworthy, so that one bad agent doesn't compromise an entire system. This can literally have life-or-death implications, especially when considering self-driving vehicles, health care devices such as pacemakers, etc.

“It’s not just defective software that one has to worry about, but also where the devices are coming from. Oftentimes, corporations make decisions largely on functionality of the devices, completely disregarding the risks posed due to malicious or untrustworthy suppliers,” Zhu said. “Devices may have backdoor channels that might be exploited by hackers to sabotage their operation, resulting in breakdowns and system failures.”

Memon and Zhu intend to create a decision-support tool that will allow companies to assess the risks associated with supply chains and factor them into their overall risk calculation of the system. This risk assessment tool would examine the suppliers, asking: How credible a source are they, and are there potential linkages between the vendors? While it is impossible to eliminate all risk, the goal should be to decrease risk to an acceptable level.

At New York University, Memon and Zhu are investigating how relatively simple IoT systems, such as those used to control heating and cooling in buildings, may be attacked by hackers to create a surge in power, potentially overloading the power grid and leading to failures. Such a situation illustrates the type of cascading effects that may occur in the IoT.

The idea is to approach risk in a holistic manner, addressing the entire supply chain web in the hopes of improving the resilience of IoT-enabled critical infrastructure.