Concerns about supply chain security have steadily increased over the past several years. Economics has “shrunk” the world, and most supply chains now include, at some point, components (hardware/software) that are sourced from various suppliers around the globe. Governments are no longer the only ones worried about their critical infrastructure – news coverage of hacks and attacks exploiting component vulnerabilities has increased awareness of this threat, spreading it into every industry sector. No industry is more acutely aware of the cybersecurity risks than the information and communications technology (ICT) sector.
A secure supply chain is the basis for providing security in any ICT product or service. OMA SpecWorks’ members who work on products and services within the Internet of Things (IoT) marketplace take an active role in ensuring that the Lightweight Machine-to-Machine (LwM2M) specifications contribute to IoT security. So, in November 2020, when the European Union Agency for Cybersecurity (ENISA) published their Guidelines for Securing the Internet of Things (IoT) – Secure Supply Chain for IoT, the group was curious what role LwM2M, our standardized IoT device management protocol, has in enabling security in the supply chain.

The group used this document to analyze how LwM2M met these guidelines. Our intention was not only to improve the security of the IoT supply chain in general but also to improve security in the development of LwM2M. The ENISA document addresses the entire supply chain across the IoT ecosystem, within which the LwM2M protocol operates. In the analysis, we address the stages of the supply chain reference model and apply those stages to the development cycle of a standardized protocol. Some areas of the reference model were a better fit than others, but the intent was to leverage ENISA’s work to the fullest extent possible – not only to give the LwM2M development community and users a view of LwM2M security but also to identify areas for potential improvement in LwM2M’s security and usefulness.

Our findings are that the use of LwM2M provides security benefits through all supply chain stages. It is worthwhile to note that distinctions need to be made between the specification defining the LwM2M protocol, the implementation of the LwM2M protocol in IoT devices and in a device management platform, and the use of the implementation in a specific deployment environment. The white paper containing the results of our investigation is available as a PDF and on the website.