With the development of the information technology industry and the increase of the number of IoT devices, the difficulty and complexity of IoT security defense are rising continuously. Major security incidents for IoT and the supply chain occur frequently, which reveals the complexity of the security management of the IoT supply chain. Nowadays, there are kinds of public knowledge bases about information security which can be used for the IoT security threat analysis. However, the heterogeneity of these knowledge bases makes it difficult for threat assessment. Aiming at improving the capabilities of threat elements assessment of IoT security, which used disclosed threat events, we exploit multiple information security knowledge bases, integrate the sources of security knowledge which the defenders are concerned about, and the tactics, attack patterns, attack techniques of attackers into a unified relational mapping linkages graph knowledge base. An IoT security ontology, namely, Risk Analysis of IoT Supply Chain Ontology (RIoTSCO) is constructed. Based on RIoTSCO, the inference rules of IoT security are defined to establish the semantic relationship among the knowledge bases of IoT security which can solve the semantic heterogeneity of multi-source knowledge. Meanwhile, based on the IoT security knowledge reasoning method proposed above in this paper, we conduct a security threat assessment on an IoT supply chain scenario. Moreover, RIoTSCO can also automatically infer mitigations in respond to threats, and describe the overall perspective of the inbound and outbound supply chain intelligences related to the threat events.