Threats to the IoT Device Production Processes – A Blind Spot in the Product Security Lifecycle

Threats to the IoT Device Production Processes – A Blind Spot in the Product Security Lifecycle

연구 분야: Software Development

학회: IFIP International Internet of Things Conference

The production of embedded and constrained IoT devices is a security-critical but often neglected step in the product security lifecycle. The secure development of devices has become empowered over the last decade via the implementation of DevOps processes. However, the transmission of created artifacts into the production site and onto the device itself is a regularly overlooked procedure in the security assessment. This study shows the complexity and proposes a production model that is split into four stages for analysis. The four stages comprise (1) the transmission of artifacts, (2) the management of artifacts, (3) programming of the device, and (4) provisioning of the IoT device. Assets and threat actors are defined, and critical scenarios are introduced to explain their impact on IoT device production. Concluding, the discussion presents possible approaches and their limitations based on the given variety. In the future, this will facilitate the protection of critical and valuable phases of production, thereby enhancing the security and trustworthiness of IoT devices.