How blockchain can secure IoT devices in the supply chain

This series of papers addresses blockchain technology from a supply chain perspective. So far, we’ve explored typical supply chain challenges, and how blockchain might be used to tackle them. We’ve also looked at traceability; at how blockchain can enhance transparency and accountability; and at procure-to-pay (P2P) processes.

In this paper, we’re going to consider the role of Internet of Things (IoT) devices in the supply chain, and how blockchain can ensure their security.

Thierry Batut, Head of IoT Business Line, Capgemini DEMS

Nafissatou Diarra, IoT & Blockchain, Capgemini DEMS

The IoT value chain

In any business application, and in supply chain management in particular, the key IoT elements are as follows:

  • The IoT sensors themselves – the remote devices attached to assets in the field that are programmed to harness data
  • Connectivity – the medium, such as WiFi or Bluetooth, which is used to communicate this data to…
  • … the IoT edge – these outlying hubs aggregate local data and conduct primary analytics
  • Network infrastructure – this brings together data gathered from the edge, and provides it to…
  • … the IoT data management platform – the central hub, which monitors sensor activity and health, and processes the data being gathered
  • Analytics – the suite of tools that interprets all the data and extracts its value.

It’s clear that, right across this value chain, security is a prerequisite. This security needs to be guaranteed at several levels: at the device level (for instance, to manage the device’s identity and lifecycle); at the data level (to guarantee its integrity and origin, and manage access to it); and at the level of information exchange (such as authentication between devices and gateways).

However, at the same time, the value chain needs to be agnostic, so as to accommodate a variety of third-party devices.

How can blockchain help?

In previous papers in this series, we’ve seen how blockchain technology can address many of the issues that regularly arise in supply chain management, and IoT-based systems are another case in point.

In the boxed text in this article (see ‘IoT in action: tracking valuable assets’), you’ll see a range of issues that IoT devices can address, and security is implicit in all of them. Blockchain technology, which, as we have noted, has been defined as “an open, distributed ledger that can record transactions between two parties efficiently, and in a verifiable and permanent way,”[1] could potentially provide a solution to these issues, and more.

For instance, IoT architectures are often centralized, whereas blockchain can sometimes enable a move to distributed and decentralized models, thereby improving fault tolerance.

Fraud is reduced because of real-time incident alerts and better tracking. Product traceability is significantly enhanced, because of the verifiable levels of identification inherent in the system. A shared source of trust is established between stakeholders. The time and cost involved in monitoring shipments are reduced. Also, overall security is improved, because individual IoT devices are incorporated in the blockchain, enabling all goods to be authenticated before they have even left the manufacturing site and entered the supply chain.

Blockchain security at device level

Centralized IoT solutions don’t just compromise fault tolerance, as mentioned above. They also contribute to a higher cost of use. What’s more, many of those solutions are optimized for use only with designated device types.

A further challenge is that many such solutions are unable to distinguish between different use cases, and the different security issues they present. For instance, a home video surveillance system, involving a few domestic devices, will not have the same security needs as a robotic production line, where the impersonation of one of the main robots could turn out to be devastating for the company concerned.

This is why it is important to have a blockchain-based solution that can adapt to the capabilities of devices, offer various levels of security or of identification according to the circumstances of the use case, and incorporate an authentication method and effective access management.

Blockchain can help significantly in securing IoT devices. In addition to the immutable nature of its ledger, a permissioned option such as Hyperledger Fabric, R3 Corda or Quorum makes it possible to involve all the players in the device ecosystem, including the manufacturer and the customer, in the process of validating transactions, and therefore in verifying and validating the identities of devices and enhancing trust between all supply chain participants. The transaction history can be tracked and audited. In addition, smart contracts can be used as brokers for authentication between devices and their associated gateways, and can match roles and authorizations.

Tackling the issue – a Capgemini project

An approach to IoT management has been developed by Capgemini. It incorporates two protocols that use blockchain technology for support.

The first is the device enrolment and identification protocol, which addresses the secret data pre-injected into the device by its manufacturer. The administrator enters device information (including data related to the device lifecycle and deployment context) on a UI platform. All this, together with the encrypted pre-loaded data, is then hashed and stored on the ledger as the device identity, after consensus by validating peers. This process is carried out by an identification smart contract, which queries the ledger to check whether the identity already exists, and writes it to the ledger as necessary.

The second protocol enables a device to be authenticated to its associated gateway. This assumes that the device already has an identity stored at the ledger level. Again, the process is based on a smart contract, in this case an authentication smart contract. It works like this. First, the device sends its public information to the gateway. The gateway then queries the blockchain to retrieve the appropriate data on the device (namely the encrypted pre-loaded data, via the authentication smart contract). After that, the gateway generates a challenge and sends it to the device. Finally, an OTP-like authentication protocol is activated between the device and the gateway to authenticate the device.
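The two protocols above can be sketched end to end as follows; this is an added illustration, not code from the Capgemini project. It assumes an in-memory dictionary in place of the permissioned ledger, HMAC-SHA256 over the gateway's challenge as the "OTP-like" step, a toy XOR wrap in place of real encryption of the pre-loaded secret, and a gateway that holds the unwrapping key; all function and device names are hypothetical.

```python
import hashlib, hmac, json, secrets

LEDGER = {}  # assumption: in-memory stand-in for the permissioned ledger

def wrap(key: bytes, data: bytes) -> bytes:
    """Toy XOR wrap standing in for real authenticated encryption (not secure)."""
    pad = hashlib.sha256(b"wrap" + key).digest()
    return bytes(a ^ b for a, b in zip(data, pad))  # XOR: wrap() also unwraps

def enrol(device_id: str, info: dict, wrapped_secret: bytes) -> str:
    """Identification contract: refuse duplicates, else hash and record."""
    if device_id in LEDGER:
        raise ValueError("identity already on ledger")
    blob = json.dumps(info, sort_keys=True).encode() + wrapped_secret
    identity = hashlib.sha256(blob).hexdigest()
    LEDGER[device_id] = {"identity": identity, "wrapped": wrapped_secret}
    return identity

def device_response(secret: bytes, challenge: bytes) -> bytes:
    """Device side: one-time response bound to the gateway's challenge."""
    return hmac.new(secret, challenge, hashlib.sha256).digest()

def authenticate(device_id: str, respond, gateway_key: bytes) -> bool:
    """Gateway side: look up the identity, challenge, verify the response."""
    record = LEDGER.get(device_id)
    if record is None:          # never enrolled: reject before challenging
        return False
    secret = wrap(gateway_key, record["wrapped"])
    challenge = secrets.token_bytes(16)   # fresh per attempt, defeats replay
    expected = device_response(secret, challenge)
    return hmac.compare_digest(expected, respond(challenge))

def demo() -> dict:
    """Constructed sample data: one enrolled sensor and three failure cases."""
    LEDGER.clear()
    gw_key, secret = secrets.token_bytes(32), secrets.token_bytes(32)
    enrol("sensor-001", {"model": "T1", "site": "plant-A"}, wrap(gw_key, secret))
    captured = device_response(secret, b"old-challenge")  # recorded earlier
    return {
        "genuine": authenticate("sensor-001", lambda c: device_response(secret, c), gw_key),
        "impostor": authenticate("sensor-001", lambda c: device_response(b"guess", c), gw_key),
        "replay": authenticate("sensor-001", lambda c: captured, gw_key),
        "unknown": authenticate("sensor-999", lambda c: b"", gw_key),
    }

if __name__ == "__main__":
    print(demo())
```

Because the challenge is generated fresh for every attempt, a response captured from an earlier exchange is rejected, and a device with no ledger identity is refused before any challenge is issued.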

This project is still at a development stage. It aims to provide a response to scalability and also to decentralized identification issues for IoT, taking into account the characteristics and ecosystems of devices. It will also address other issues, such as managing the possible mobility of devices, or the flexibility of the solution to adapt to different use case models according to their security needs.

IoT in action – tracking valuable assets

High-value, sensitive equipment

Susceptible to excessive tilt or shock

  • Problem – standard indicators only reveal something happened after the event – and not when or where
  • Solution – smart IoT approach alerts a central dashboard to time and place of any incident, facilitating investigation and measures to prevent repeat occurrences.

Goods at risk of theft

Consumer electronics, branded pharmaceuticals, and more

  • Problem – package-level tracking can be expensive, and analog devices don’t properly address theft issues
  • Solution – GPS-enabled tracking monitors the entire shipment for the entire journey, and in real-time, reporting if a single item is separated from the others.


Need to stay within set temperature boundaries to prevent spoilage and meet compliance requirements

  • Problem – analog devices only provide after-the-fact information, and are cost-prohibitive for package-level tracking
  • Solution – cost-effective IoT sensors monitor interior and exterior temperatures in near-real time.


[1] Iansiti, Marco; Lakhani, Karim R. (January 2017). “The Truth About Blockchain”. Harvard Business Review. Harvard University.