365mesh leads the way in IoT security

06/11/2024

365mesh pioneers IoT security by implementing strict, end-to-end protections throughout the supply chain, ensuring security and reliability for critical infrastructure applications.

Original equipment manufacturers for IoT devices are gradually paying more attention to the security of their devices in the field employing basic best practices. Some are additionally paying due attention to the security of their onboarding process. But overall, the IoT OEM community has more to do before being truly trustworthy for the role they fill in the critical infrastructure of our agriculture, schools, cities, and industries.

365mesh not only leads in adherence to best practices for secure onboarding and for operations in the field, but we are taking additional critical steps by ensuring we maintain a secure software supply chain. From the creation of code on the desktops of our firmware engineers, through the cloud compilation process and onward manufacturing and over-the-air (OTA) updates, we maintain the sort of tight security we would hope all OEMs embrace.

In December 2020, the IT world was shaken by the SolarWinds exploit. This was a novel new attack on the software used in SolarWinds network security appliances. The exploit did not directly attack devices in the field, or the source code stored in the SolarWinds codebase. The bad actors attacked the build process and injected their malware during the compilation process. The tools used to build software images had been breached. No amount of reviewing the source code would catch the exploit, and the malware was not easily detected at rest in the compiled code.

The IT industry already knew it had to ensure the security of its source code and the trustworthiness of the third-party libraries that is used with that code. But what SolarWinds taught us is that our compiled images and our devices in the field are not secure unless our build and distribution processes are too.

Our commitment to supply-chain security

365mesh is first in class when it comes to securing the firmware and devices we deliver into critical infrastructure roles. We ensure the security of our manufacturing pipeline through:

Source Code Integrity
Source code is stored securely and protected from unauthorised changes. 365mesh is committed to continuous compliance with ISO 27001 standards for secure information management, including our source code and firmware products.

Supply Chain Traceability
We maintain a software bill-of-materials for each component we use to build our code, trace the origin of each component, and continuously monitor the security standing of each component.

Secure Development Practices
We employ a strict code review process, maintain coding standards, and employ static and dynamic analysis tools. We employ an automated build process employing signed and verified cloud build tools.

Firmware Signing and Encryption
Firmware produced and used by 365mesh is signed and encrypted while in transit and while at rest to prevent modification. Additionally, whenever possible, we use chip sets like the STM32U5X5 that support secure enclaves for the storage of certificates and sensitive code. Firmware signatures are verified during device flashing and re-verified with each device boot. Firmware is always delivered through secure distribution channels, such as encrypted OTA downlinks.

Vulnerability Management
365mesh supports the ability to update devices in the field with the secure delivery of patches whenever there is an opportunity to improve our security standing.

Our commitment to secure operation in the field

365mesh is committed to the highest standards for the secure and reliable operation of our devices in the field. Some of the measures we take to ensure the security and reliability of devices include:

Secure communication channels for uplink and downlink of data and firmware updates.

Secure onboarding of new devices into our network to ensure the integrity of the device inventory in the field.

Signed and/or encrypted external storage to prevent unauthorised settings changes or electronic exfiltration of sensitive data from devices.

Signed and encrypted firmware updates, as part of the earlier mentioned supply chain security measures.
Anti-tamper and anti-theft measures built into many of our devices.

Best-in-class IoT hardware for critical infrastructure applications

365mesh manufactures the most reliable, functional, and well-integrated IoT hardware for your critical infrastructure applications. We also integrate top-quality, third-party IoT hardware into our best-in-class services and dashboards, and we select those based on their security as well as functionality. We encourage the third-party providers on our supported-devices list to adopt security practices like those we have adopted and require them to meet our standards for security in the field. We are also sharing our practices to inform and inspire the broader industry to adopt secure software supply chains.

The 365mesh end-to-end IoT platform provides the required solution components for a mature and secure IoT capability. 365mesh offers industry solutions with use cases and applied AI tailored for unique business needs. Learn more or reach out to the 365mesh team to continue the conversation.

Get in touch with us to learn more

"*" indicates required fields