Wudun Security Tang Xiaodong: How do industrial Internet companies deal with high-occurrence supply chain security risks?

Editor's note:

Wudun Security is a product vendor focused on Internet of Things security. Its core product, Wuandun, has been deployed in fields such as energy, manufacturing, and transportation, providing enterprises in these industries with an overall IoT security solution covering cloud, network, edge, and endpoint. Wuandun integrates Tencent Security's product scanning (BSCA) product, which further enriches its software component analysis (SCA) capabilities. Wudun is an "expert" in the IoT industry and Tencent Security is an "expert" in product scanning; together, "expert" + "expert" provide a more complete software supply chain security solution for industrial IoT enterprises.

Supply chain attacks continue to occur frequently. As critical infrastructure, the IoT and industrial Internet industries, with their massive numbers of devices and complex industrial chains, easily become targets of supply chain attacks and require special protection. In this issue of Industry Security Experts Talk, we invited Tang Xiaodong, CEO of Wudun Security, to answer the question of how to address IoT software supply chain security.

Tencent Security: What are the thresholds for security products and services of the Industrial Internet of Things?

Tang Xiaodong: The Internet of Things now plays a very critical role in the entire digital transformation. In fields such as the energy Internet, mass transportation, and advanced manufacturing, the Industrial Internet of Things plays a very critical role.

There is a big difference between Industrial IoT security and traditional security. The biggest change brought by the Industrial IoT is that it promotes the integration of OT and IT, and in this case the business threshold for doing security is very high. Energy and electricity, new energy vehicles, smart factories, smart water conservancy, and other such "key" fields have a large number of heterogeneous IoT terminals, together with relatively complex cloud-edge, edge-edge, and edge-end interactions. The application of new technologies in these industries is also relatively fast, and they connect with and drive their upstream and downstream to follow in the digital transformation. These features are in fact very challenging for the entire security construction, which also leads to relatively large security needs. This is a business opportunity for Wudun, and it is also a responsibility of Wudun.

Tencent Security: Can you give an example from a typical Wudun customer: what practical difficulties does an IoT company face when it wants to build its own security?

Tang Xiaodong: Take the power industry as an example, because the power IoT is very representative in terms of scale, intelligence, and the criticality of the business it carries. The main difficulties in its security construction are as follows:

The first is that it is difficult to manage a large number of heterogeneous devices. When an enterprise connects a large number of IoT terminals in the production process, the responsibilities and ownership of security management among terminals, networks, and personnel become more complicated. Among these, the requirements for visibility are relatively high, which also creates the requirement for IoT security management;

Second, the security of the device terminal itself, where the situation is in fact not optimistic now. With the development of the business, a large number of terminals are connected to the network. However, when their equipment suppliers design terminals for reasons of cost control and market competitiveness (without considering security issues), the inherent security of many devices is missing, and security loopholes and risks continue to emerge after the system goes online;

The third point is the lack of security support during maintenance. From the perspective of supply chain security, we found that for most equipment (safety testing) is done only before going online, but across the entire life cycle, continuous monitoring of the supply chain, such as software risk, firmware, component analysis, and so on, is missing. This absence on the part of both customers and equipment manufacturers makes sustainable security support difficult.

Tencent Security: Supply chain attacks have occurred frequently in recent years. What are the main reasons?

Tang Xiaodong: First of all, driven by the environment of globalized production and supply chains, modern supply chains usually involve different open source components from organizations in multiple countries and regions, which makes the supply chain very complex and fragile. Attackers can exploit any one of these weaknesses or loopholes to penetrate the system, steal secrets, or implant malicious code.

The second is the dependencies of the software supply chain. Because systems rely on various third-party libraries and frameworks, attackers can penetrate the entire system by attacking a single component in the software supply chain.

The third is the lack of security awareness among employees, which includes both users and suppliers in the supply chain. Attackers can use social engineering to deceive employees, thereby infiltrating the supply chain or directly infiltrating the networked system.

Tencent Security: Is supply chain security a more serious challenge for IoT companies?

Tang Xiaodong: IoT devices are usually designed from the start so that components cannot be directly upgraded or updated; at least most of the industrial IoT is currently in this state. This means that any known vulnerability may persist forever without being fixed, making such devices easy targets for attack. This is actually quite different from cloud and office scenarios, because the cost of upgrading is very high.

Secondly, these devices have no user interface, so it is difficult to configure settings on site to avoid some security risks, and components provided by multiple suppliers form a complex system in which each supplier may have vulnerabilities or problems in the supply chain, which increases the probability of attack.

We believe that IoT companies should pay more attention to supply chain security issues, and take corresponding measures to ensure supply chain security.

Tencent Security: How should Internet of Things companies deal with increasingly frequent supply chain security issues?

Tang Xiaodong: It is mainly based on the following five points:

The first point is to establish a security standards system and conduct security audits on all suppliers and partners in the supply chain, including evaluating their security performance, secure development process, security awareness, training, and so on, to ensure that the IoT products and services they provide meet the enterprise's security requirements;

The second is to strengthen the monitoring system. IoT enterprises should have their own effective security monitoring system, including real-time monitoring of security events, data flows, access control, and application security within the system, as well as the security status of supplier partners and third-party service providers;

The third point is technology to strengthen data security. IoT enterprises should first adopt secure data storage and transmission technologies, including encryption, identity verification, authority control, auditing, and so on, to ensure data confidentiality, integrity, and availability, and take measures such as backup and recovery to deal with the risk of data loss and the need for recovery.

The fourth point is to improve security awareness upstream and downstream. Whether for employees or suppliers, IoT companies must provide security training to improve their security awareness, strengthen the importance and awareness of supply chain security issues, and help them better identify and respond to security threats.

The last point is to build a risk management system. IoT companies should establish an effective risk management system, including formulating risk management plans, emergency response plans, etc., and sharing and dispersing risks with suppliers and partners.

Tencent Security: What technical means can better solve software supply chain security issues?

Tang Xiaodong: We understand this issue from several aspects. The first is the security management of IoT infrastructure and applications. Basic work such as encrypted communication, security authentication and authorization, vulnerability management, and so on must first be done solidly to ensure the security of infrastructure and applications in the supply chain; this is the first point.

The second point is to do a good job in detection and analysis. This can comprehensively use multiple data sources, including threat intelligence, vulnerability databases, malicious code libraries, and so on, to monitor and analyze risks in the software supply chain. This monitoring and analysis is not one-off, but continuous, online, and real-time, to ensure that such security detection and analysis is present throughout the entire life cycle of the IoT.

The third point is trust verification of the supply chain, which includes establishing a trusted supply chain management system, evaluating the security and performance of suppliers, and establishing a security risk assessment and management mechanism to ensure that all links in the supply chain meet security standards and requirements.

The fourth point is independent research and development. We should encourage or consciously promote IoT companies to reduce their dependence on third-party software through independent research and development of some key technologies and software, thereby reducing the risk of supply chain security.

Tencent Security: Which route did Wudun choose, why did you choose it, and how do you cooperate with Tencent Security?

Tang Xiaodong: Wudun's core product, Wuandun, is a platform-level IoT security product. Our core capability is to use our super probes on endpoints to build a secure infrastructure layer. On this infrastructure we have two capabilities: the first is endpoint detection and analysis; the second is network orchestration through cloud-edge interaction. On this infrastructure we can apply some of the things mentioned above, such as IoT security management, terminal detection and analysis, and trust verification of the different components across the entire IoT supply chain. In other words, we have built the infrastructure so that different security capabilities can be grafted onto it. For example, we cooperate with Tencent Security on the IoT, giving full play to our capabilities at the infrastructure level and combining them with Tencent's security products to finally provide a feasible solution to some fundamental issues in IoT supply chain security.

What customers want is not a single point or a tool, but a systematic solution. So we improve the IoT security infrastructure and then graft on comprehensive solutions such as component analysis and vulnerability detection to help customers solve security problems.

Both Wudun and Tencent Security have technological and security advantages in their respective fields. Through complementary advantages, we have achieved a "triple win": customers win, Wudun wins, and Tencent Security wins. In the end, it actually helps the industry effectively reduce security risks in different scenarios and promote digital transformation.

Source: blog.csdn.net/qcloud_security/article/details/129306754