As global supply chains become more complex, so does the ability to identify vulnerabilities that lurk within the supply chain, not the least of which is cyber risk.
The scary possibility that hackers can infiltrate a global supply chain in stealth mode and compromise the security of even the world’s most sophisticated companies made headlines this month, when Bloomberg BusinessWeek published a special report claiming that the servers of several U.S. companies were compromised by Chinese spies in a sophisticated supply-chain attack.
The report focused on software company Elemental Technologies and Supermicro, one of the world’s largest suppliers of motherboards. Bloombergclaimed, in part, that at the time Amazon acquired Elemental in 2015, it was aware that Supermicro motherboards in Elemental’s hardware contained modified hardware or malicious chips. It made similar claims against Apple.
Both Apple and Amazon adamantly refute these claims. “At no time, past or present, have we ever found any issues relating to modified hardware or malicious chips in Supermicro motherboards in any Elemental or Amazon systems,” Amazon Chief Information Security Officer Steve Schmidt wrote in a blog post. “Nor have we engaged in an investigation with the government.”
Apple went so far as to respond in a letter to Congress. “You should know that Bloomberg provided us with no evidence to substantiate their claims, and our internal investigations concluded their claims were simply wrong,” Apple Vice President of Information Security George Stathakopoulos wrote in the letter.
“Apple has never found malicious chips, ‘hardware manipulations,’ or vulnerabilities purposely planted in any server,” Stathakopoulos wrote. “We never alerted the FBI to any security concerns like those described in the article, nor has the FBI ever contacted us about such an investigation.”
Whether or not Bloomberg’s claims prove to be true, companies should take it as a wake-up call concerning what cyber risks can lurk in the supply chain. “The Bloomberg article, if nothing else, regardless of its truthfulness, brings to light the importance of security and the potential of what could happen,” says Eric Bednash, CEO and co-founder of RackTop Systems, an enterprise data management provider.
Security experts say that most companies have a long way to go in this regard. “When people think about security, they’re looking at their internal network and their externally facing exposure,” says Kevin Gorsline, chief operating officer at information-security consulting firm TBG Security. “Typically, they’re not looking real hard at the supply chain at all.”
Cyber supply-chain best practices
Reducing cyber supply chain risks, including reducing the risk of hardware being compromised, requires an enterprise-wide approach, involving senior leadership, supply chain and logistics, procurement, IT, compliance, risk, and other relevant functions.
According to the National Institute for Standards and Technology (NIST), “managing cyber supply chain risks require ensuring the integrity, security, quality, and resilience of the supply chain and its products and services. Cyber supply chain risks may include insertion of counterfeits, unauthorized production, tampering, theft, insertion of malicious software and hardware, as well as poor manufacturing and development practices in the cyber supply chain.”
Consider the following steps:
Establish stringent security requirements for suppliers. “Put security requirements in every RFP and contract and be as explicit as possible about what those security requirements are,” Gorsline says. Such security requirements should cover both physical and technical safeguards (i.e., what measures they have in place to ensure hardware is not compromised). Once a vendor has been onboarded, the information security team should work with the vendoron-site to address any vulnerabilities and security gaps.
Another best practice is to request that suppliers certify to an industry-specific compliance standard, of which there are many. ISO 28000, for example, specifies the requirements for a security management system, including those aspects critical to security assurance of the supply chain, and applies to all size organizations. “It starts there, but it doesn’t end there,” Bednash says.
Amazon, for example, employs “stringent security standards across our supply chain—investigating all hardware and software prior to going into production and performing regular security audits internally and with our supply-chain partners,” Schmidt wrote in a blog on the company’s website. “We further strengthen our security posture by implementing our own hardware designs for critical components such as processors, servers, storage systems, and networking equipment.”
Develop a cyber-security questionnaire. “Whether your supply-chain manufacturers are local or overseas, it’s important to know what their processes and policies are around security and what steps they’re taking to minimize any sort of risk or threat within their products,” Bednash says.
In the federal contracting industry, for example, several federal contractors have partnered to develop a consolidated cyber-security questionnairedesigned to help suppliers understand their own cyber-security posture and their ability to protect any sensitive information shared with them. Companies involved in this collaborative effortare BAE Systems, Boeing, Lockheed Martin, Northrop Grumman, Raytheon, and Rolls-Royce.
According to NIST, examples of questions that companies can ask to determine the risk level of their suppliers’ cyber-security practices include:
Is the vendor’s software and hardware design process documented? Repeatable? Measurable?
What controls are in place to manage and monitor production processes?
What levels of malware protection and detection are performed?
What steps are taken to “tamper proof” products? Are back doors closed?
What physical security measures are in place? Documented? Audited?
How does the vendor assure security through the product lifecycle?
Trust, but verify. After establishingcyber-security requirements for suppliersand sending out a cyber-security questionnaire, have in place appropriate due-diligence checks and balances. “Companies’ typical response to supply chain is to send out a questionnaire, expect the vendors to honestly answer those questions, check a box, and call it a day,” Gorsline says. “Due diligence needs to go beyond simply sending out a questionnaire.”
Require suppliers to provide some sort of proof along with that cyber-security questionnaire—such as evidence that they have certified to an industry-specific compliance standard like ISO 28000—and validate that the cyber-security requirements you expect from your suppliers are being enforced enterprise-wide. If it is within budget, Gorsline further recommends having a third-party service provider, like TBG Security, thoroughly vet that supplier to ensure it is truly compliant.
Apple, for example, applies “rigorous and ongoing diligence to vendors,” Stathakopoulos explained in the letter to Congress refuting Bloomberg’sreport. “Before we begin a relationship, vendors are submitted to a review process which can incorporate, depending on the criticality of the services offered, a layers-deep study of the security infrastructure of the vendor in question. The hardware incorporated into our environment is also placed in the scope of Apple’s Vulnerability Management Program, which makes these products subject to ongoing vulnerability scans, patching, and security reviews.”
Implement technology controls. Large, global companies tend to have more sophisticated cyber-security measures. Companies with mature cyber supply chain risk management programs are starting to employ automation tools to prevent thetampering of products in the supply chain from point-of-origin to the end-user, says Jonathan Halstuch, chief technology officer and co-founder of RackTop Systems.
As just one example, some companies implement a software and hardware security “handshake,” which is when “secure booting processes look for authentication codes, and the system will not boot if codes are not recognized,” NIST said.
Another best practice is to put tight controls around component purchases. This means “component purchases from approved vendors are pre-qualified,” NIST said. “Parts purchased from other vendors are unpacked, inspected, and x-rayed before being accepted.”
Establish a no-tolerance policy. “We like to see language that references a ‘one strike and you’re out’ policy, so that the vendor is aware that you’re prepared to disengage, should there be an event of any type,” Gorsline says. Egregious examples include hardware that is compromised, as what was described in the Bloombergreport, or a vendor providing counterfeit goods.
Once hardware has been compromised, you can start monitoring for anomalous network behavior from a detection standpoint, Gorsline says, “but at that point it might be too late.”