By Marvin Marin One of the thorniest aspects of cybersecurity is how it’s impacted by an organization’s supply chain. A security manager may never know the pedigree of each chip, transistor or diode that is a part of the enterprise, yet those pieces can and do have an effect on the security posture of the organization. Recently two large corporations drew negative attention due to security issues in the software they deployed with their products. In one case, the vendor provided private encryption keys by default, allowing the key to be extracted trivially by an outsider and used to sign fraudulent websites, thereby opening an exploitable security hole in to the network. In another case, the vendor pre-installed software that allowed for advertisements to be injected into an otherwise encrypted communication –more commonly known as a Man-In-the-Middle attack. Both of these cases illustrate how software provided by a vendor may introduce security risk into an environment. While these types of built-in security flaw are not common, security managers need to be alert for the possibilities and devise a plan to proactively handle security issues within their supply chain. On the industrial security side, Supervisory Control and Data Acquisition (SCADA) systems or Platform Information Technology (PIT) present unique challenges. User interfaces can be limited, and many security professionals might not understand how to secure and assess these systems. For instance, how should they audit a weapons or life support system to find vulnerabilities and not harm the system, causing a weapon to misfire or a networked medical device to shut down? Additionally, as some SCADA systems are meant to be monitored by non-cyber professionals (e.g., plumbers, electricians, etc.), how would such personnel recognize a cyber issue even if they could ‘see’ it? How is a security manager even to know that their SCADA or PIT system may be infected with malware or that a vendor hasn’t overlooked a security problem such as a default password? There have been congressional efforts to address the supply chain cybersecurity issue (see, for example H.R. 5793, introduced in December 2014), but so far no bill has seen major action. As the tech industry generally prefers to remediate problems without legislation, here are some high-level recommendations:
- When purchasing new IT products, such as a laptop, wipe the OS and replace it with a standard image of software the organization has vetted and approved.
- Test IT products in an integration lab or cyber range, and check to see if the system tries to communicate outbound or demonstrates any other anomalous activity.
- As it may be impractical or impossible to check IT firmware source code (e.g. for logic bombs), the last option available is to monitor trusted IT lists such as those maintained by Defense Information Security Agency (Approved Products List) or Defense Advanced Research Projects Agency Vetting Commodity IT Software and Firmware program. It’s a best practice to monitor security lists and news sources for information about security problems with organization owned IT products.
While these recommendations don’t address hostile intent from a vendor or a vendor’s suppliers, being forewarned assists security managers in understanding their threat landscape and tailoring the risk to their organization. It might be impossible to rid the supply chain of all vulnerabilities, but there are best practices that can ameliorate the situation.