Threats against supply chains are growing, and the size, cost, and sophistication of these threats make it difficult for any one organization to control or protect against them. Supply chain threats are a risk on a global scale and now affect a wide range of industries and organizations, from militaries and financial services to consumer electronics, education, and healthcare. Securing a supply chain is no easy task, and no single entity has end-to-end control. With so many stages, organizations, and companies involved, it is no surprise that hackers are profiting from the lack of sufficient security.
To overcome this, every stakeholder involved must have security at the top of its agenda and come together to boost protection and ensure integrity. To make this a reality, we need industry standards that define, implement, and uphold security guidance.
One weak link
One company, stage, or process with insufficient security makes the entire chain more vulnerable, and given the size and value of global chains that span many countries, a single weak link can open up an enormous amount of risk. The growing sophistication of cyber-attacks makes effective security harder to implement, as many hackers are now able to stay hidden for long periods of time. Their malware can be distributed far and wide without detection and inflict significant damage. For hackers, supply chain attacks have become an efficient way of targeting many organizations from a single entry point: by finding a weakness at one stage in the supply chain, they can affect every organization that purchases hardware or software from that point onwards.
Malicious and counterfeit software or hardware is becoming extremely difficult to identify, and many end users do not even consider that purchasing from a third-party vendor may carry risk. If a vendor is legitimate, many assume that its reliability, reputation, and trustworthiness extend to its products. Unfortunately, this is not always the case. A recent report from the European Union Agency for Cybersecurity (ENISA) found that around 62 percent of the analyzed attacks on customers took advantage of their trust in their supplier. A supplier's reputation is therefore not a control in itself: organizations must validate third-party code, software, and firmware directly to ensure they have not been tampered with or manipulated.
To make things more challenging, many of the security methods currently implemented within supply chains are subjective and rely on human intervention, such as visual inspection: checking the alignment or placement of labels, incorrect color, size, or shape of markings, and verifying the authenticity of serial numbers. These checks are time consuming and expensive to perform at scale, and they can only catch counterfeit packaging or hardware; modified firmware inside an otherwise genuine device looks identical from the outside. Many organizations also simply do not have the expertise, tools, and knowledge to implement more sophisticated and effective methods.
Higher standard of security
Industry-wide standards that offer guidance on ensuring the integrity of the supply chain are among the best defenses against these attacks. If all organizations follow open technologies and standards, we can close the gaps hackers are using to gain access to supply chain resources.
An example of this guidance is the Firmware Integrity Measurement (FIM) specification released this year by the Trusted Computing Group (TCG) and developed by its member companies. Previously, there was no definitive way to determine the security status of the many endpoints within a network; the FIM specification provides a definitive reference for others to follow. It sets out product guidelines for determining the integrity of a device's firmware at the manufacturing stage and defines a baseline measurement against which later measurements can be compared throughout the device's lifetime. This means that at any point in the supply chain, the user or manufacturer can determine the integrity of a device. This is especially significant for large production chains, where the number of stages, organizations, and processes involved makes it incredibly challenging to track the security status of devices.
The FIM specification verifies the integrity of each endpoint's firmware to prove that a device can be trusted. To do this, a baseline, called a Reference Integrity Manifest (RIM), must be produced before any hacker has a chance to tamper with the device in the supply chain. The manufacturer generates it when the firmware is built, before the device ships, and it records the expected measurement (a cryptographic hash) of each firmware component. Once the device reaches the end customer, the firmware is measured again, typically by a hardware root of trust such as a TPM, and the measurements are compared with the RIM to confirm that the firmware has not been changed at any point in the chain. For this comparison to mean anything, the RIM itself must be protected: it is signed by the manufacturer, and the verifier must check that signature before trusting the reference values.
Malware implanted by hackers can be extremely hard to detect as a device travels through the supply chain, because a modified firmware image looks no different from the outside. The FIM specification helps here: the firmware integrity of a device can be verified against its RIM at any stage. Widespread adoption of FIM and RIM will improve device security, with the caveat that the check covers only the components that are actually measured and relies on the measurement itself being trustworthy.
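To make the reference-versus-measured comparison concrete, here is a minimal model of the RIM workflow described above: the manufacturer records a golden digest for every firmware component and the accumulated value that measuring them in boot order must produce; the device later re-measures at boot, keeps an event log, and the verifier checks the log against the reference. This is an added illustration, not code from the article, the TCG specifications, or any shipping product; the component names, firmware bytes, manifest layout and the SHA-256 hash-chain "extend" step are all constructed here, and verification of the manufacturer's signature on the manifest is assumed to have happened before `verify` is called.

```python
"""Added example: reference-vs-measured firmware integrity checking.

Constructed for illustration; not the TCG FIM/RIM format. The manifest is
assumed to have been signature-verified before it is handed to verify().
"""
import hashlib
from typing import Dict, List, Tuple

HASH = hashlib.sha256
PCR_INITIAL = bytes(HASH().digest_size)  # accumulator starts as all zeros, TPM-style

# Constructed sample firmware images, standing in for what the OEM builds.
FACTORY_IMAGES: Dict[str, bytes] = {
    "boot_block": b"BOOT BLOCK v1.0 (constructed sample)",
    "uefi_main": b"UEFI MAIN FIRMWARE v1.0 (constructed sample)",
    "nic_oprom": b"NIC OPTION ROM v2.3 (constructed sample)",
}


def measure(image: bytes) -> str:
    """Measurement of one firmware component: its SHA-256 digest, hex-encoded."""
    return HASH(image).hexdigest()


def extend(pcr: bytes, digest_hex: str) -> bytes:
    """TPM-style extend: new = H(old || digest). One-way and order-sensitive, so a
    log entry cannot be rewritten or reordered without changing the final value."""
    return HASH(pcr + bytes.fromhex(digest_hex)).digest()


def build_rim(images: Dict[str, bytes]) -> dict:
    """Manufacturer step, before shipping: golden digest per component plus the
    accumulator value that measuring them in this order must reproduce."""
    pcr = PCR_INITIAL
    components: Dict[str, str] = {}
    for name, image in images.items():
        components[name] = measure(image)
        pcr = extend(pcr, components[name])
    return {"components": components, "expected_pcr": pcr.hex()}


def boot_and_measure(images: Dict[str, bytes]) -> Tuple[List[Tuple[str, str]], str]:
    """Device step at the customer: measure each component as it loads, append it
    to the event log, extend the accumulator. Returns (event_log, pcr_hex)."""
    pcr = PCR_INITIAL
    log: List[Tuple[str, str]] = []
    for name, image in images.items():
        digest = measure(image)
        log.append((name, digest))
        pcr = extend(pcr, digest)
    return log, pcr.hex()


def verify(rim: dict, event_log: List[Tuple[str, str]], reported_pcr: str) -> List[str]:
    """Compare a device's measurements with its RIM. Empty list means every
    component the manufacturer shipped was measured and matches the reference."""
    findings: List[str] = []
    # 1. The log must reproduce the accumulator the device reported. The log is
    #    ordinary memory and easy to edit; the accumulator is not.
    pcr = PCR_INITIAL
    for _, digest in event_log:
        pcr = extend(pcr, digest)
    if pcr.hex() != reported_pcr:
        findings.append("event log does not reproduce reported PCR: log tampered or incomplete")
        return findings  # nothing in the log can be trusted past this point
    # 2. Every logged component must be known and match its golden digest.
    seen = set()
    for name, digest in event_log:
        seen.add(name)
        expected = rim["components"].get(name)
        if expected is None:
            findings.append(f"unexpected component measured: {name}")
        elif digest != expected:
            findings.append(f"digest mismatch for {name}: firmware changed since manufacture")
    # 3. Nothing the manufacturer shipped may be silently skipped.
    for name in rim["components"]:
        if name not in seen:
            findings.append(f"component not measured: {name}")
    # 4. Same components, same digests, but a different boot order still differs.
    if not findings and reported_pcr != rim["expected_pcr"]:
        findings.append("measurement order differs from reference")
    return findings


if __name__ == "__main__":
    rim = build_rim(FACTORY_IMAGES)
    clean_log, clean_pcr = boot_and_measure(FACTORY_IMAGES)
    print("clean device:", verify(rim, clean_log, clean_pcr) or "OK")
    tampered = dict(FACTORY_IMAGES, uefi_main=FACTORY_IMAGES["uefi_main"] + b" + implant")
    t_log, t_pcr = boot_and_measure(tampered)
    print("tampered device:", verify(rim, t_log, t_pcr))
    # An implant that rewrites the log to look clean still cannot rewind the accumulator.
    print("forged log:", verify(rim, clean_log, t_pcr))
```

The design point worth noticing is step 1: comparing digests alone would let an implant that controls the log simply copy the golden values into it, so the verifier first confirms that the log replays to the hardware-held accumulator and only then compares entries. The check is also deliberately scoped, as the text above notes: a component that is never measured, or a measurement engine that is itself compromised, is outside what this comparison can detect.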
Improving supply chain security
Supply chain attacks are growing, and recent months have provided multiple examples. Organizations within global supply chains must use the tools and technologies available to detect malware and verify integrity. The sooner a threat is identified, the less damage it can do to the rest of the supply chain. Global supply chains are complex, and with no end-to-end control resting with one company, every player needs to do its part. With so much at risk, every part of the supply chain will benefit from a security-first approach.