By András Vilmos, DOSS Project Coordinator
The Supply Chain Security Challenge
In today’s interconnected world, businesses and individuals increasingly rely on IoT devices, software, and services from a variety of sources, making supply chain security critical. The complexity and opacity of modern supply chains, combined with the implicit trust placed in third-party vendors, leave organizations vulnerable to malicious actors. A single breach can lead to widespread disruptions across industries, underscoring the importance of securing supply chains, particularly those involving IoT technology.
The European Union Agency for Cybersecurity (ENISA) has highlighted how the growing reliance on ICT products and services exposes supply chains to risks like intentional tampering, counterfeit components, and targeted attacks on economies. Current IoT security strategies focus on device hardware, data protection, and access management but often neglect software vulnerabilities, integration challenges, and continuous operation monitoring.
This fragmented approach misses the broader security picture. A comprehensive, interoperable security model is needed to cover the entire IoT value chain. However, there is little consensus on best practices or security standards. As supply chains become more complex and longer, companies struggle to assess the risks posed by their vendors, making it difficult to safeguard against exploitation.
The National Institute of Standards and Technology (NIST) points out the same lack of standardized practices in NIST SP 800-161, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, which describes the difficulties organizations face when evaluating third-party risk. Closed-source products complicate matters further, because independent scrutiny of the code for potential weaknesses is usually impossible. Industries that require high-assurance products, such as healthcare, finance, critical infrastructure, and national security, are particularly exposed.
To address these challenges, key principles for securing supply chains must include:
- Cryptographic attestation and verification at every stage of the supply chain,
- Explicitly defined trust relationships between all actors,
- Automated security processes to reduce human error,
- Mutual authentication with regular key rotation among all entities in the supply chain.
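The four principles above can be made concrete in a hand-over chain: each stage signs a statement about the artifact it passes on, links that statement to the previous stage's statement, and a verifier checks every link against an explicit policy of which keys each stage may currently use. The Go program below is an added example written for this article, not code from the DOSS project; the attestation layout, stage names, policy structure and the firmware bytes are all constructed for illustration, and the keys are derived from labels only so the example is reproducible.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
)

// Attestation is one link of the hand-over chain: one stage's signed statement about an
// artifact. The layout is constructed for this example, not a DOSS STC format.
type Attestation struct {
	Stage    string
	Artifact string // hex SHA-256 of the artifact being handed over
	Prev     string // id() of the previous link; "" for the first stage
	PubKey   string // hex ed25519 public key the signer claims to hold
	Sig      string // hex ed25519 signature over body()
}

func digest(b []byte) string { h := sha256.Sum256(b); return hex.EncodeToString(h[:]) }
func pubHex(priv ed25519.PrivateKey) string { return hex.EncodeToString(priv.Public().(ed25519.PublicKey)) }

// body is the canonical byte string that is signed: every field except Sig.
func (a Attestation) body() []byte {
	b, _ := json.Marshal(struct{ Stage, Artifact, Prev, PubKey string }{a.Stage, a.Artifact, a.Prev, a.PubKey})
	return b
}

// id is what the next stage links back to; altering or reordering a link breaks every later one.
func (a Attestation) id() string { return digest(a.body()) }

// Sign produces a stage's link for artifact, chained to prev (nil for the first stage).
func Sign(stage string, artifact []byte, prev *Attestation, priv ed25519.PrivateKey) Attestation {
	a := Attestation{Stage: stage, Artifact: digest(artifact), PubKey: pubHex(priv)}
	if prev != nil {
		a.Prev = prev.id()
	}
	a.Sig = hex.EncodeToString(ed25519.Sign(priv, a.body()))
	return a
}

// Policy is the explicitly defined trust relationship: the required stage order and the hex public
// keys each stage may currently sign with. Rotation is a policy edit; old-key chains stop verifying.
type Policy struct {
	Order []string
	Keys  map[string]map[string]bool
}

// Verify accepts a chain only if every link names the expected stage in order, carries the delivered
// artifact's digest, hash-links to its predecessor, and is signed by a key the policy trusts for it.
func Verify(p Policy, chain []Attestation, artifact []byte) error {
	if len(chain) != len(p.Order) {
		return fmt.Errorf("expected %d stages, got %d", len(p.Order), len(chain))
	}
	wantHex, prevID := digest(artifact), ""
	for i, a := range chain {
		if a.Stage != p.Order[i] || a.Prev != prevID {
			return fmt.Errorf("link %d: stage %q out of order or not linked to the previous attestation", i, a.Stage)
		}
		if a.Artifact != wantHex {
			return fmt.Errorf("link %d: artifact digest does not match the delivered artifact", i)
		}
		if !p.Keys[a.Stage][a.PubKey] { // the key inside a link is never trusted on its own say-so
			return fmt.Errorf("link %d: key not trusted for stage %q (unknown or rotated out)", i, a.Stage)
		}
		pub, _ := hex.DecodeString(a.PubKey) // well-formed: it passed the policy check above
		sig, _ := hex.DecodeString(a.Sig)
		if !ed25519.Verify(ed25519.PublicKey(pub), a.body(), sig) {
			return fmt.Errorf("link %d: signature does not verify", i)
		}
		prevID = a.id()
	}
	return nil
}

// demoKey derives a reproducible key from a label; real keys come from a CSPRNG or HSM, never a label.
func demoKey(label string) ed25519.PrivateKey {
	seed := sha256.Sum256([]byte("constructed-demo-seed:" + label))
	return ed25519.NewKeyFromSeed(seed[:])
}

// Scenario runs manufacturer -> distributor -> integrator chains over a constructed firmware image:
// an intact chain, one signed with a rotated-out distributor key, and one with a swapped artifact.
func Scenario() (intact, rotatedKey, swappedArtifact error) {
	firmware := []byte("firmware v1.2.3 image (constructed sample)")
	mPriv, dPriv, iPriv := demoKey("manufacturer"), demoKey("distributor-2025"), demoKey("integrator")
	oldPriv := demoKey("distributor-2024") // former distributor key, no longer in the policy
	policy := Policy{Order: []string{"manufacturer", "distributor", "integrator"}, Keys: map[string]map[string]bool{
		"manufacturer": {pubHex(mPriv): true}, "distributor": {pubHex(dPriv): true}, "integrator": {pubHex(iPriv): true}}}
	m := Sign("manufacturer", firmware, nil, mPriv)
	d := Sign("distributor", firmware, &m, dPriv)
	intact = Verify(policy, []Attestation{m, d, Sign("integrator", firmware, &d, iPriv)}, firmware)
	dOld := Sign("distributor", firmware, &m, oldPriv)
	rotatedKey = Verify(policy, []Attestation{m, dOld, Sign("integrator", firmware, &dOld, iPriv)}, firmware)
	dSwap := Sign("distributor", []byte("replaced image (constructed sample)"), &m, dPriv)
	swappedArtifact = Verify(policy, []Attestation{m, dSwap, Sign("integrator", firmware, &dSwap, iPriv)}, firmware)
	return
}
```

The point to notice is that the verifier never derives trust from the chain itself: the public key carried in each link is only a lookup handle into a policy the verifier already holds, so a stage that rotates its key has to get the new key into that policy, and anything still signed with the retired key is rejected. The artifact digest is repeated and checked in every link, which is what stops an intermediate stage from swapping the payload while leaving the upstream signatures intact.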
The DOSS Supply Trust Chain (STC) addresses these principles through a proof-of-concept architecture that integrates product assessment, system modelling, security validation, operational monitoring, and comprehensive integration of these functions.
The Cyber Resilience Act (CRA)
Recognizing the growing threats to supply chains, the European Commission has introduced the Cyber Resilience Act (CRA) to mandate cybersecurity requirements for products with digital elements. The CRA fills gaps left by earlier regulation by requiring that every phase of a product's life cycle, from design and development through deployment and maintenance, meet defined security requirements. It applies not only to embedded systems but also to non-embedded software, which has been a frequent target of cyberattacks.
For DOSS, the CRA’s rules are especially important in three areas:
- Placing on the market: The DOSS Device Security Passport (DSP) will reflect the regulatory rules for placing products on the market.
- Product Documentation: The DSP will document the product’s design, development, and production processes to ensure compliance with security requirements.
- Vulnerability Handling: The DSP will track feedback from operations, ensuring that manufacturers handle vulnerabilities and maintain the security of products throughout their life cycle.
By incorporating the principles of the CRA into its architecture, DOSS aims to enhance supply chain security for IoT devices and software, ensuring they remain secure and compliant from development through decommissioning.
The Supply Trust Chain (STC) Concept
A major problem in IoT supply chain security is the lack of transparency and visibility. The longer the supply chain, the less information users have about a product and its journey from the manufacturer to the end-user. While some steps have been taken to make product-related documentation available—such as Software Bill of Materials (SBOM), Hardware Bill of Materials (HBOM), and vulnerability reports—these measures are not yet widely adopted. Moreover, they only provide limited information about a product’s life cycle and supply chain journey.
DOSS proposes a comprehensive solution called the Supply Trust Chain (STC). The STC is designed to monitor the entire supply chain journey of IoT products, providing security verification and transparency throughout their life cycles. It relies on two core components:
- Extensive Security-Related, Machine-Processable Product Information: Continuously updated and accessible to all authorized actors in the supply chain.
- Integrated Security Architecture with Trusted Communication: Facilitates secure interaction and monitoring of devices and software across the entire supply chain, from production to decommissioning.
The foundation of the STC is the Device Security Passport (DSP), a controlled record of product-specific security data. The DSP is created by the manufacturer and stored in a machine-processable format using the Open Security Controls Assessment Language (OSCAL). It bundles documents such as the SBOM, HBOM, MUD (Manufacturer Usage Description), and VEX (Vulnerability Exploitability eXchange), together with DOSS-defined extensions. Because it is updated continuously with the latest security-related information, every authorized actor in the supply chain works from the most current data. The platform is decentralized but not blockchain-based; it is built on a robust, secure architecture that aligns with the European Digital Product Passport concept.
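What "machine-processable" buys an operator is that the documents in a passport can be joined automatically: the SBOM says which component versions a product ships, a vulnerability feed says which versions an advisory affects, and the manufacturer's VEX says whether each match is actually exploitable in this product. The Go program below is an added example written for this article, not DOSS code, and it uses deliberately simplified, constructed document shapes rather than the real CycloneDX/SPDX/OpenVEX schemas or the OSCAL wrapper; the component names and advisory identifiers are fictitious.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
)

// Simplified, constructed shapes standing in for the SBOM and VEX documents a DSP carries.
// Real SBOM/VEX formats (CycloneDX, SPDX, OpenVEX) and the OSCAL wrapper are richer than this.
type SBOM struct {
	Components []struct {
		Name    string `json:"name"`
		Version string `json:"version"`
		Purl    string `json:"purl"`
	} `json:"components"`
}

// Advisory is one entry of a vulnerability feed: which component versions (by purl) it affects.
type Advisory struct {
	ID       string   `json:"id"`
	Affected []string `json:"affected"`
}

// VEX carries the manufacturer's exploitability verdicts per (vulnerability, product) pair.
type VEX struct {
	Statements []struct {
		Vuln     string   `json:"vulnerability"`
		Products []string `json:"products"`
		Status   string   `json:"status"` // not_affected | affected | fixed | under_investigation
	} `json:"statements"`
}

// Finding is one component/vulnerability pair that still needs operator attention.
type Finding struct{ Purl, Vuln, Status string }

// Triage joins the SBOM against the advisory feed and then applies the VEX. Pairs the manufacturer
// marks not_affected or fixed are dropped; affected and under_investigation stay; a match with no
// VEX statement at all is reported as "no_vex" so the gap is visible instead of silently assumed safe.
func Triage(sbomJSON, advisoriesJSON, vexJSON []byte) ([]Finding, error) {
	var sbom SBOM
	var advisories []Advisory
	var vex VEX
	for _, doc := range []struct {
		raw []byte
		dst interface{}
	}{{sbomJSON, &sbom}, {advisoriesJSON, &advisories}, {vexJSON, &vex}} {
		if err := json.Unmarshal(doc.raw, doc.dst); err != nil {
			return nil, fmt.Errorf("malformed DSP document: %w", err)
		}
	}
	inSBOM := map[string]bool{}
	for _, c := range sbom.Components {
		inSBOM[c.Purl] = true
	}
	verdict := map[[2]string]string{} // (vuln, purl) -> VEX status
	for _, s := range vex.Statements {
		for _, p := range s.Products {
			verdict[[2]string{s.Vuln, p}] = s.Status
		}
	}
	var out []Finding
	for _, a := range advisories {
		for _, p := range a.Affected {
			if !inSBOM[p] {
				continue // the advisory concerns a version this product does not ship
			}
			status, ok := verdict[[2]string{a.ID, p}]
			switch {
			case !ok:
				status = "no_vex"
			case status == "not_affected" || status == "fixed":
				continue
			}
			out = append(out, Finding{p, a.ID, status})
		}
	}
	sort.Slice(out, func(i, j int) bool {
		return out[i].Purl < out[j].Purl || out[i].Purl == out[j].Purl && out[i].Vuln < out[j].Vuln
	})
	return out, nil
}

// Demo runs Triage over constructed sample documents: three components, four advisories (one for a
// component that is not shipped), and a VEX that clears one match and says nothing about another.
func Demo() ([]Finding, error) {
	sbom := []byte(`{"components":[
	  {"name":"libtls","version":"2.4.0","purl":"pkg:generic/libtls@2.4.0"},
	  {"name":"netstack","version":"1.0.3","purl":"pkg:generic/netstack@1.0.3"},
	  {"name":"logger","version":"0.9.1","purl":"pkg:generic/logger@0.9.1"}]}`)
	advisories := []byte(`[
	  {"id":"ADV-EXAMPLE-1","affected":["pkg:generic/libtls@2.3.0","pkg:generic/libtls@2.4.0"]},
	  {"id":"ADV-EXAMPLE-2","affected":["pkg:generic/netstack@1.0.3"]},
	  {"id":"ADV-EXAMPLE-3","affected":["pkg:generic/logger@0.9.1"]},
	  {"id":"ADV-EXAMPLE-4","affected":["pkg:generic/other@1.0.0"]}]`)
	vex := []byte(`{"statements":[
	  {"vulnerability":"ADV-EXAMPLE-1","products":["pkg:generic/libtls@2.4.0"],"status":"not_affected"},
	  {"vulnerability":"ADV-EXAMPLE-2","products":["pkg:generic/netstack@1.0.3"],"status":"affected"}]}`)
	return Triage(sbom, advisories, vex)
}

func main() {
	findings, err := Demo()
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("%-32s %-14s %s\n", f.Purl, f.Vuln, f.Status)
	}
}
```

Two design choices matter here. A VEX verdict is keyed on the (vulnerability, product) pair, never on the vulnerability alone, because a manufacturer's "not affected" for one build says nothing about another. And the absence of a statement is surfaced as its own status rather than folded into "safe": in a passport that is meant to be kept current, a component with an open advisory and no verdict is exactly the feedback the manufacturer's vulnerability-handling process should be producing.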
Enhancing IoT Security
The STC goes beyond ensuring the security of individual IoT devices by addressing security at the system level. IoT devices often operate within larger, interconnected architectures, which can introduce additional vulnerabilities. To mitigate these risks, DOSS uses a Digital Cybersecurity Twin to model and validate IoT operations, identifying weaknesses at the design stage and before updates or modifications are implemented. This proactive approach improves operational security and ensures that the entire IoT ecosystem is hardened against threats.
Additionally, DOSS’s Architecture Security Validator checks the modelled system against industry standards and regulatory requirements, further strengthening security throughout the product life cycle. Integrating industry and legal standards into the STC lets organizations meet both physical security and regulatory requirements.
Automated Onboarding and Continuous Monitoring
Another key benefit of the DOSS STC is its ability to automate the onboarding of new devices or software into the operational environment. Manual onboarding processes are error-prone, time-consuming, and expensive, especially in large-scale environments. Automation not only reduces security risks but also significantly lowers the cost and complexity of integrating new components into the system.
Once onboarded, the STC ensures continuous monitoring of the security environment through tools such as access management, attack detection, malware detection, and honeypots. These tools provide real-time visibility into potential threats and vulnerabilities throughout the product’s life cycle.
The STC also tracks the decommissioning of IoT devices, ensuring that each product is properly retired from the system. This prevents unauthorized reuse, which could pose security risks to manufacturers and future users.
Conclusion
The DOSS Supply Trust Chain provides a comprehensive, end-to-end solution for securing IoT supply chains, from product design through decommissioning. By adhering to the Zero Trust principle—"never trust, always verify"—and incorporating automation and mutual authentication, the STC ensures that only authentic and secure products are integrated into operating environments and that they remain protected throughout their life cycles.
Figure 1 – Current STC concept after multiple iterations
The modular architecture of the STC allows for future adaptation and expansion, making it flexible enough to incorporate new security functions as the IoT landscape evolves. With its focus on transparency, automation, and rigorous security checks, the DOSS STC sets a new standard for IoT supply chain security, ensuring that interconnected devices and systems are better protected against cyber threats.