Vulnerabilities across the software supply chain are among the most serious security threats today, and weaknesses in hardware and firmware are close behind. A supply chain is exposed to many threats, and they can be exploited at several links in the chain. The current gaps are large, and attackers are taking full advantage of them.
In a 2018 IT survey by CrowdStrike, the lack of readiness is apparent from the responses of the 1,300 IT security participants:
“… seven in ten or more respondents’ organizations are not ready to defend against attack types like ransomware (76%), phishing/spear-phishing (71%), general malware (72%), or password attacks (69%). And it is advanced targeted attacks, the attack type most likely to be seen to be posing a high risk where the fewest (21%) respondents feel fully prepared to defend against…”
The CrowdStrike survey concentrated on software vulnerabilities, yet it is the combination of software and hardware that gathers and delivers data and, once compromised, lets others spy, steal and disrupt. The attacks listed above are the common ones; attackers are becoming more sophisticated than that. Where in the chain does compromise happen? Points of weakness include:
- Counterfeits – Counterfeit components and products can disrupt operations and can carry implants that give an attacker access to systems.
- Transport – While a product is in transit, anyone with physical access can attach a programmer to a component's SPI flash and load unauthorized firmware; from then on the device boots the attacker's code.
- Delivery/Installation – Unauthorized firmware can be installed when a server is configured to customer requirements, whether by an integrator or on site.
- Cloud Access – Mismanaged use of cloud services introduces security complexity and risk into supply chain IT infrastructure.
- Manufacturing – Compromised firmware can be installed during the manufacturing process, before the product ever reaches the customer.
- Backdoors – Hidden access paths that bypass normal authentication. Once present they enable hijacking, theft, tampering, malware installation, and eavesdropping.
- Third-Party Vendors – A potential gaping hole, because supply chain members often cannot tell when and where a vendor's weakness actually exists.
- The IoT – Sensor-rich IoT deployments hold critical supply chain data; that data should be encrypted in transit and at rest at every point in the IoT ecosystem.
- Disposal – Even end-of-life disposal is a vulnerability, particularly where a device retains data in non-volatile memory; storage should be sanitized before the device leaves the organization's control.
Vulnerabilities in the chain should be addressed at each link. Where are your company's weaknesses, and how can you mitigate them both immediately and over time? There are many new methods and technologies to draw on, involving authentication, chain of custody, serialization, blockchain, and more.
Within the electronics industry, the U.S. National Institute of Standards and Technology (NIST) has published SP 800-193, Platform Firmware Resiliency Guidelines. It describes how to protect platform firmware against unauthorized changes, detect changes that do get through, and recover to a known-good state, with each of these functions anchored in a root of trust for the system's firmware. Products that implement these three principles, protection, detection and recovery, are beginning to reach the marketplace.
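To make the three principles concrete, here is an added example (not from the article, and not NIST's or any vendor's code) of a toy firmware root of trust in Python. It assumes a flash with an updatable active region and a write-protected recovery region, a golden SHA-256 digest held by the root of trust, and an HMAC key standing in for the signature check a real platform would perform; the images, key and tamper sequence are constructed sample data. The same model also plays out the transport-stage attack from the list above: an unauthorized write to the active region is caught at the next boot and rolled back, while an update that lacks a valid authorization tag is refused before it touches the flash.

```python
"""Toy model of SP 800-193 style firmware resiliency: protection, detection, recovery.

Assumptions (not from the article): a platform whose code storage ("SPI flash")
holds an active image plus a protected recovery copy; a root of trust (RoT)
that keeps the SHA-256 digest of the authorized image in immutable storage;
update authorization modelled with an HMAC key known only to the RoT.
All images and keys below are constructed sample data.
"""
import hashlib
import hmac


def digest(image: bytes) -> str:
    """Measurement of a firmware image (hex SHA-256)."""
    return hashlib.sha256(image).hexdigest()


class SpiFlash:
    """Two regions: 'active' (updatable) and 'recovery' (write-protected)."""

    def __init__(self, image: bytes):
        self.active = image
        self.recovery = image  # golden copy the RoT can fall back to

    def unauthorized_write(self, image: bytes) -> None:
        # Models a transport/manufacturing attack: someone with a programmer
        # clip rewrites the active region behind the platform's back.
        self.active = image


class RootOfTrust:
    def __init__(self, authorized_image: bytes, update_key: bytes):
        self.flash = SpiFlash(authorized_image)
        self.golden = digest(authorized_image)  # held in immutable storage
        self.update_key = update_key            # hypothetical update-auth key
        self.log = []

    # Protection: the only sanctioned path for changing the active region.
    def apply_update(self, new_image: bytes, tag: bytes) -> bool:
        expected = hmac.new(self.update_key, new_image, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            self.log.append("update rejected: bad authorization tag")
            return False
        self.flash.active = new_image
        self.flash.recovery = new_image   # promote to golden copy after verification
        self.golden = digest(new_image)
        self.log.append("update applied")
        return True

    # Detection: measure the active region before executing it.
    def verify_active(self) -> bool:
        return hmac.compare_digest(digest(self.flash.active), self.golden)

    # Recovery: restore from the protected copy when detection fails.
    def boot(self) -> str:
        if self.verify_active():
            self.log.append("boot: active image verified")
            return "booted-active"
        self.log.append("boot: corruption detected, restoring recovery image")
        self.flash.active = self.flash.recovery
        if self.verify_active():
            return "booted-recovered"
        return "halt"  # both copies bad: stop rather than run unknown code


def demo() -> list:
    """Walk through tamper, detection, recovery and a controlled update."""
    key = b"update-signing-key-demo"  # constructed sample key
    rot = RootOfTrust(b"FW v1.0 (authorized)", key)
    results = [rot.boot()]                                   # "booted-active"
    rot.flash.unauthorized_write(b"FW v1.0 + implant")       # transport-stage tamper
    results.append(rot.verify_active())                      # False
    results.append(rot.boot())                               # "booted-recovered"
    results.append(rot.apply_update(b"FW v1.1", b"\x00" * 32))  # False: no valid tag
    tag = hmac.new(key, b"FW v1.1", hashlib.sha256).digest()
    results.append(rot.apply_update(b"FW v1.1", tag))        # True
    results.append(rot.boot())                               # "booted-active"
    return results


if __name__ == "__main__":
    for line in RootOfTrust(b"FW", b"k").log or []:
        print(line)
    print(demo())
```

The HMAC stands in for the asymmetric signature a production root of trust would verify, and the promotion of a freshly verified update to the recovery region is a simplification; many real designs keep an older known-good image in the recovery slot so a bad update can still be rolled back.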
Where do you start? With an audit that exposes where you are most vulnerable. Many companies are doing little to address supply chain security gaps, and they often find that the consequences of a compromise are far more expensive and long-lasting than putting protection in place would have been.