IoT. The Internet of Things. An incredibly hot topic, especially in the supply chain world. IoT devices refer to small, internet connected sensors placed in strategic points throughout the supply chain, and despite the overhype, truly do have the potential to change the way we ship and store goods.
This technology, however, does not come without its downsides. Most notable? Security. Every device that you connect to your network adds a new vector of attack for potential bad actors. Even if you are working with a reputable, highly security-conscious vendor, the sheer number of connected devices in a typical supply chain IoT deployment makes an erroneous configuration all too easy to miss.
So how can we take advantage of this revolutionary technology while also staying safe? Read on to find out.
I find it helpful to start with a concrete definition of what we’re talking about here, especially given the fact that the Internet of Things has become such a buzzword these days.
Simply put, as I mentioned above, an IoT device is any small internet connected device. We’ve seen an explosion of IoT devices for the home - video cameras, refrigerators, even coffee pots you can talk to with Alexa - but in the supply chain, IoT devices typically take the form of sensors that can track and report data on specific conditions in your warehouse or logistics operation.
For example, IoT temperature sensors are becoming increasingly commonplace in the foodservice distribution industry. Temperature devices are placed throughout a truck, and constantly monitor the temperature of the load to ensure food safety and compliance. “But wait,” you say, “we’ve had temperature sensors for decades!” While true, the key differentiator between legacy devices and IoT devices is that IoT devices are constantly connected and can report data in real time.
So, to continue the temperature sensor example, in the old world, each temperature sensor would have to be plugged into a computer on the dock upon receiving a load, the data then sent to the WMS and analyzed, and only then do you find out if the load was in temp and can be accepted. This model can result in an entire truckload of wasted food, as you are not finding out about the temperature issue until it is too late to do anything.
In the IoT world, those temperature sensors are connected to your other systems in real time (either over the public internet or a private network - we address networking more in the security section below). This means that your systems can send real time alerts to your associates and drivers, directing them to make corrective changes on the fly and thereby saving that load from spoilage.
I know what you’re thinking. This sounds great, but let’s address the elephant in the room: security. The title of this article, after all, calls out IoT devices as hackable - which can be true - but with appropriate security protocols in place, you can greatly reduce the exposure and risk your organization faces when deploying connected devices.
Let’s get something straight first though: supply chain organizations have always been extremely open and easy targets for hackers, and it’s a miracle that more supply chains don’t get attacked (it only takes a quick Google search to find recent headlines of major hacks involving supply chain organizations).
Why do I say this about supply chains being so hackable? For just one example, think about the number of RF devices in one of your warehouses. These are very similar to IoT devices in that they are connected access points to your network. Sure, most warehouses implement security measures to control physical access, but as pen testers prove over and over again, it is all too easy to simply follow someone through a door to gain entry to a secure space (a practice called “tailgating”). And once a hacker gets their hands on an RF device, it only takes one or two misconfigurations to expose the larger systems in your network (an astonishing 95% of cyber attacks result from human errors like misconfigurations).
So in some ways, implementing IoT devices can strengthen your company’s security, as it gives your organization the chance to bring your security practices up to today’s standards.
For Internet of Things connected devices specifically, what are some of the security practices you should implement? I’m glad you asked.
It is best to only allow your devices and systems to operate on a private network. As opposed to opening your servers and endpoints to the larger public internet, your network should be configured to only allow internal traffic. But how do you let internet connected IoT devices access a private network? Virtual private networks, or VPNs, are the most common and recommended way for client devices to access your internal network, and yes, it is possible for IoT devices to connect to a VPN.
Another way to protect your network and systems is to implement network segregation and gating. Set up a dedicated, internal network that all your IoT devices connect to, separate from the network your core systems run on. Then, implement a single gateway, or access point, between the two networks. All of your IoT traffic is routed through this single gateway and inspected before being allowed to connect through to the core systems. This gives you a single point to monitor for security, and it is much easier to maintain a single access point than monitoring thousands of devices all connecting individually.
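To make "inspected before being allowed to connect through" concrete, here is an added example (not PorterLogic code) of the checks a gateway between the IoT network and the core network might run on each temperature reading. The JSON message layout, the per-device HMAC key, the device name and the limits are all assumptions made for illustration.

```python
import hashlib
import hmac
import json

# Constructed registry: device id -> per-device secret (hypothetical values).
DEVICE_KEYS = {"truck-17-temp-01": b"constructed-demo-key"}
ALLOWED_FIELDS = {"device_id", "ts", "temp_c"}
MAX_SKEW_SECONDS = 300        # reject stale or replayed readings
TEMP_RANGE_C = (-40.0, 60.0)  # assumed plausible range for a truck sensor


def sign(key: bytes, body: bytes) -> str:
    """HMAC-SHA256 tag the device attaches to its message body."""
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def is_number(value) -> bool:
    return isinstance(value, (int, float)) and not isinstance(value, bool)


def inspect(body: bytes, tag: str, now: float) -> tuple[bool, str]:
    """Decide whether one message from the IoT network may reach core systems."""
    try:
        msg = json.loads(body)
    except ValueError:
        return False, "malformed JSON"
    if not isinstance(msg, dict) or set(msg) != ALLOWED_FIELDS:
        return False, "unexpected fields"
    device = msg["device_id"]
    key = DEVICE_KEYS.get(device) if isinstance(device, str) else None
    if key is None:
        return False, "unknown device"
    if not hmac.compare_digest(sign(key, body).encode(), tag.encode()):
        return False, "bad signature"
    ts, temp = msg["ts"], msg["temp_c"]
    # Chained comparisons are False for NaN, so non-finite values are rejected.
    if not (is_number(ts) and now - MAX_SKEW_SECONDS <= ts <= now + MAX_SKEW_SECONDS):
        return False, "stale timestamp"
    if not (is_number(temp) and TEMP_RANGE_C[0] <= temp <= TEMP_RANGE_C[1]):
        return False, "temp_c out of range"
    return True, "ok"


if __name__ == "__main__":
    now = 1_700_000_000  # constructed clock value
    reading = json.dumps({"device_id": "truck-17-temp-01", "ts": now, "temp_c": 3.5}).encode()
    print(inspect(reading, sign(DEVICE_KEYS["truck-17-temp-01"], reading), now))
    print(inspect(reading, "0" * 64, now))
```

Because every device's traffic passes through this one function, the rejection reasons it returns also give you a single stream to log and alert on.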
Many advancements have also been made in the device management solutions available. Modern systems are available to monitor and deploy all of your connected devices from a single application. One interface is used to maintain and update device configurations, and the device management solution handles pushing those updates to the individual devices. In this way, similar to a gated network, you only have one place to maintain device settings, making it easier to avoid misconfigurations.
Implementing single endpoint APIs is also a good security practice (can you see there’s a theme here?). Not just on your network, but ideally your internal systems should only expose a single endpoint to process requests. For example, at PorterLogic we expose our internal core API for our clients, and we have a single endpoint (currently /api/v1) that processes all requests. In this way, we have a single place to maintain security and monitor traffic, and we control how we handle that traffic completely internally (at the time of writing, we use Google Cloud’s API Gateway to manage our traffic).
Finally, if you’re getting into the world of IoT devices, we recommend you work with a cloud integration provider that knows and understands the new world of security. While it is possible to integrate IoT devices with your existing, legacy integration platforms, those systems were simply designed before IoT existed, and are just not designed to handle the modern networking and security landscape. Working with an integration partner that operates a cloud-native platform helps ensure all of your data is securely passed between your systems without interruption.
We hope this article has shed some light on the buzzword that is “IoT”. With proper practices, the Internet of Things is poised to change the logistics industry for the better. And with modern, workflow-based cloud integration providers that allow systems to be extended without code, the opportunities for what you can do with your supply chain are limitless.