
The Next Big Attack Vector: Your Supply Chain

There is an old security adage: a chain is only as strong as its weakest link. This sentiment predates information and communication technology (ICT), but it is more relevant than ever. With modern ICT connecting millions of systems worldwide, the number of “links” to worry about increases exponentially. This is especially true as organizations shift their focus from defending against external threats, at which they are quite proficient, to threats that originate within the organization’s circle of trust. Here we have work to do, starting with the ICT supply chain itself.

Today’s supply chain is a modern marvel. A vast web of suppliers, manufacturers, integrators, carriers, and others enables vendors to build ICT products more cost-effectively and quickly deliver them to customers anywhere. However, modern supply chains increase the number of parties that have access to these products and the number of potentially weak links cybercriminals can exploit. Hackers can target an organization’s hardware or software supply chain and compromise ICT products before they are deployed. And because the product comes from a vendor that the target implicitly trusts, the damage may not be detected until it’s too late.

It is not surprising that the ICT supply chain has become a very attractive attack vector for cybercriminals. In a 2020 Deloitte overview, 40% of manufacturers reported being impacted by a security incident in the last year. In a study of recent supply chain attacks by the European Union Agency for Cybersecurity, 66% of attackers focused on a supplier’s code to compromise their target customers.

Why are ICT supply chain attacks so dangerous and what can organizations do to prevent them? Let’s take a closer look.

A growing threat

The National Counterintelligence and Security Center (NCSC) defines a supply chain cyberattack as the use of cyber means against one or more of a supply chain’s resources, processes, developers, or services in order to gain access to underlying systems for malicious purposes. The NCSC identifies three broad types of supply chain cyberattacks.

  • Software-based attacks: They exploit software vulnerabilities to sabotage systems or open backdoors for remote access and control. For example, in 2021 attackers exploited a vulnerability in Log4j, an open source logging utility that many vendors have incorporated into their software products. Any organization using such software could be a target for attack.
  • Hardware-based attacks: An attacker may attempt to compromise the hardware or firmware of an ICT device (router, switch, server, or workstation) at any point in the supply chain. Hardware backdoors can be particularly difficult to detect.
  • Software Supply Chain Attacks: Here, attackers infiltrate software vendors and inject malicious code into their products. When customers download software packages (often through automatic updates), their systems become infected with malware. The infamous SolarWinds hack of 2020 attacked a popular network management product in this way, allowing state-sponsored hackers to compromise dozens of US federal agencies and businesses.

If successful, these attacks can cause damage to an organization. And with so many parties involved in a modern supply chain, the threat grows quickly. For example, to protect against Log4j, organizations cannot simply avoid using that utility in their own systems and products. They must also check all the suppliers they work with.
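One way to run that supplier check, as an added example that is not part of the original article: it walks supplier-provided software bills of materials (SBOMs) in CycloneDX-style JSON, including nested components, and reports every supplier that ships `log4j-core`. The supplier names, SBOM contents and the minimum-version floor are constructed for illustration; take the real floor from the vendor advisory.

```python
import json

# Constructed sample SBOMs (CycloneDX-style JSON), one per hypothetical supplier.
SBOMS = {
    "router-vendor": json.dumps({"bomFormat": "CycloneDX", "components": [
        {"name": "mgmt-ui", "version": "4.2.0", "components": [
            {"group": "org.apache.logging.log4j", "name": "log4j-core",
             "version": "2.14.1"}]}]}),
    "backup-vendor": json.dumps({"bomFormat": "CycloneDX", "components": [
        {"group": "org.apache.logging.log4j", "name": "log4j-core",
         "version": "2.17.1"}]}),
    "hr-saas": json.dumps({"bomFormat": "CycloneDX", "components": [
        {"group": "org.slf4j", "name": "slf4j-api", "version": "1.7.36"}]}),
}

def parse_version(text):
    """Turn '2.14.1' into (2, 14, 1); a pre-release suffix such as '-beta9' is ignored."""
    pieces = text.split("-")[0].split(".")
    return tuple(int(p) if p.isdigit() else 0 for p in pieces)

def walk(components, path=()):
    """Yield (component, path) for every component, including nested ones."""
    for comp in components or []:
        yield comp, path
        yield from walk(comp.get("components"), path + (comp.get("name", "?"),))

def audit(sboms, group, name, min_version):
    """List every supplier shipping group:name and whether it is below min_version."""
    floor = parse_version(min_version)
    findings = []
    for supplier, raw in sorted(sboms.items()):
        bom = json.loads(raw)
        for comp, path in walk(bom.get("components")):
            if comp.get("group") == group and comp.get("name") == name:
                version = comp.get("version", "")
                findings.append({
                    "supplier": supplier,
                    "version": version,
                    "via": "/".join(path) or "(direct)",  # which product bundles it
                    # A missing version parses as (0,) and is flagged, not skipped.
                    "below_floor": parse_version(version) < floor,
                })
    return findings

if __name__ == "__main__":
    # "2.17.1" is an assumed policy floor for this sample, not a value from the article.
    for finding in audit(SBOMS, "org.apache.logging.log4j", "log4j-core", "2.17.1"):
        print(finding)
```

The nested walk matters because a supplier may not use the library directly but still ship it inside a bundled product, as the constructed `router-vendor` entry shows.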

Protect your supply chain with Zero Trust

If securing the supply chain seems like a big and complex undertaking, it is, especially when many organizations still place absolute trust in their suppliers. Indeed, it is implicit trust that makes the supply chain an attractive attack vector for hackers. In an increasingly interconnected world, every organization should consider adopting Zero Trust as a key tenet (“never trust by default, always verify”) to improve its security posture. Verification is key. In addition, ICT customers should require their suppliers to provide an easy mechanism for verifying the authenticity, integrity and confidentiality of their products end-to-end.

  • Authenticity: Organizations need to be able to verify that the ICT hardware they purchase is genuine, that is, that they have not been shipped a poor-quality counterfeit or a product infected with malware. One way to do this is to use the Trusted Platform Module (TPM) 2.0 standard. The TPM provides a “hardware root of trust” capability at the processor level, allowing vendors to generate unique, encrypted device IDs for their products. These IDs are like birth certificates that prove the authenticity of any device and cannot be removed or modified.
  • Integrity: Even if an organization verifies the authenticity of a device, how does it know that no one installed malware on it while the device was being stored somewhere, or modified its firmware? How can it be sure that hackers haven’t added a secret backdoor to the vendor’s pending software update? Similar to evidence collected by the police after a crime, there must be an ongoing chain of custody throughout the product lifecycle. Vendors must use a certificate framework to prove software integrity at every point a product is changed, and secure boot capabilities to ensure that device firmware has not been tampered with.
  • Confidentiality: It’s easy to understand why a hacker would want to access a hard drive full of customer records. However, system and configuration data from other ICT equipment such as routers and switches can be just as sensitive and potentially provide a roadmap for future attacks. Vendors must use native file encryption to protect data at rest on their products, and MACsec or IPsec encryption to protect data in motion.

Strengthen the chain

The ICT supply chain has always been a complex system with many stakeholders, making it inherently difficult to secure. As our digital world becomes more closely interconnected, the challenges and threats will only grow. It’s a problem for every organization, but it’s not something customers can solve on their own. Securing the ICT supply chain requires vendors to lead the way.

By adopting a Zero Trust approach to verifying the authenticity, integrity and confidentiality of ICT products, organizations can put pressure on their suppliers to adopt more secure and transparent supply chains. Together, we can create a future where we all benefit from global interconnection, without unacceptable risks.

Copyright © 2022 IDG Communications, Inc.
