SUPPLY CHAIN INTEGRITY

SUPPLY CHAIN CYBERSECURITY: WHY IT MATTERS

Operational resiliency is a key approach to managing all-hazard risks in an organization. Maintaining operational effectiveness in the face of supply chain attacks and disruptions, cyberattacks, and business disruptions from natural hazards is the ultimate objective.

CHAT WITH THE TEAM AND ENQUIRE ABOUT HARDWARE ASSESSMENTS TODAY

Many organizations have expanded their supply chains globally even into obviously unfriendly countries, with components, hardware, equipment, software, and human resources operated, manufactured, and sourced worldwide.

Globalization has provided a wealth of opportunities for business growth and efficiencies, and operational fragility resulting from long, complex supply chains. Currently, there are material changes to the global security environment driven by a revival of great power competition, which is helping accelerate an effort to reshoring critical manufacturing capabilities and capacity.

Furthermore, the risk of cyberattacks against the supply chain continues to hinder business growth and expansion. In 2019, SolarWinds’ digital supply chain was compromised by threat actors who infected a software update pipeline with malicious code known as Sunburst. In total, 18,000 customers were originally thought to have installed a subsequent malicious update unwittingly released by the company. SolarWinds later revised this figure to approximately 100 customers, including government agencies such as Microsoft, FireEye, and Intel, highlighting the severe consequences of an insecure supply chain.

Another notable supply chain security event in recent years is known as Log4j, a critical vulnerability discovered in the Apache Log4j open source logging system used by countless systems and Java-based software solutions worldwide. At its peak in 2021, security researchers recorded over 10 million exploit attempts per hour, risking the security of hundreds of millions of devices.

Several years later, the risk to digital supply chains continues to plague even today’s most high-profile technology firms. Recently, Microsoft President Brad Smith was questioned by members of Congress in relation to the compromise of Microsoft Exchange email accounts belonging to State Department officials.

Hardware, too, can compromise the stability of today’s supply chains. The chip shortages during and post-pandemic also demonstrate the fragility of specialized global supply chains, causing production issues for countless companies and restricted supplies available to consumers. Organizations must now also account for changes in the semiconductor space, such as the 2022 US CHIPS Act, which restricts federal funding to semiconductor organizations outsourcing development to specific countries.

For example, since 2019, Huawei has been placed on a US trade blacklist. These restrictions were strengthened this year, with US chip makers including Qualcomm and Intel unable to export or sell specific goods to Huawei. There are allegations that Huawei has ties to the Chinese military.

However, securing the supply chain and ensuring its end-to-end integrity has always been a complex and, in some cases, deeply challenging task.

Organizations must consider more than software issues, logistics problems, counterfeit or faulty hardware, and insider threats. In recent years, IOActive has observed a shift in tactics towards more sophistication, with intended victim companies becoming compromised indirectly through chained exploitations, such as upstream manufacturers and third-party suppliers.

The supply chain is an entry point into corporate networks that threat actors, in their droves, are now targeting.

Maintaining supply chain integrity requires dedicated robust security practices at each link in the value chain. Suppliers, vendors, and their suppliers and vendors must also earn and maintain a high level of trust. The slightest taint in one third party’s operations can undermine the security of the whole supply chain, degrading integrity and trust, disrupting operations, and causing reputational harm.

Today’s supply chains must achieve a state of resiliency, built from root(s) of trust at the silicon level and structured in a way that implements security throughout each layer of technology and tier of the supply chain.

Herein lies the challenge. As supply chains grow in size and complexity, risk can increase exponentially. According to McKinsey analyst estimates, on average, an automotive company will have ties with approximately 250 tier-one suppliers, but this number increases to approximately 18,000 across the full supply chain. Comparatively, a technology firm will work with around 200 tier-one suppliers, increasing to roughly 12,000 over all supply chain tiers.

Few businesses will reveal exactly how many suppliers they have, but when you consider Walmart alone operates a supply chain with over 100,000 suppliers, we can see that supply chain security cannot be achieved with a traditional approach to cybersecurity defense and risk management.

IOActive takes a unique “attacker’s mindset” approach to security and combines expert research with time-tested techniques to protect modern supply chains at all levels of the technology stack including the silicon level. In this guide, we will discuss how to manage the operational risks of modern supply chains and why implementing a secure-by-design framework is crucial to supply chain integrity today.

Supply Chain Security, Explained

Supply chains are made up of a network of entities, including manufacturers, companies, distributors, and partner vendors that produce products or services.

These chains, otherwise described as steps in a production network, are now heavily influenced by technology and can include everything from physical components to human operators and next-generation technologies such as automation and artificial intelligence (AI).

Physical products and components, including processors and other critical computing hardware, are manufactured and move along a supply chain, eventually reaching end-user organizations or consumers. Digital supply chains, too, are similar in that software development lifecycles progress through development stages, potentially including code and configuration changes, before being released to licensees and end users.

However, each link in a value chain – whether or not we are considering hardware, software, or services – creates an expanded attack surface. Risk factors include outdated, vulnerable components, counterfeit and fake hardware, insider threats, zero-day and known, unpatched, or mitigated vulnerabilities, and failures to communicate or establish baseline security standards between supply chain partners.

Organizations must maintain supply chain resiliency and integrity while preventing operational disruption. For the best outcomes, organizations need to be able to deal with incidents quickly to return to pre-crisis operational levels and capabilities.

The urgency of implementing robust security practices within a supply chain and the modern risks associated with the production of highly integrated, complex products have not gone unnoticed, but we have a long way to go to achieve true supply chain integrity and resiliency.

According to a recent survey and report issued by the European Union Agency for Cybersecurity (ENISA), 86 percent of those surveyed implement information and communication technology (ICT) and operational technology (OT) supply chain cybersecurity policies, but less than half – 47 percent – have allocated budgets for associated activities.

In total, 61 percent of organizations involved in supply chains require security certification from suppliers, 43 percent use security rating services, and 37 percent claim to conduct due diligence or risk assessments. Unfortunately, 9 percent of respondents of the surveyed organizations indicate that they do not evaluate their supply chain security risks.

Establishing suitable security policies and response plans for managing supply chain risks can be difficult as there is a widely varying understanding of cybersecurity threats: When will they happen? Where will they originate? What will the repercussions be? What attacks are possible?

These problems impact all industries, including critical infrastructure, energy, manufacturing, telecommunications, technology, logistics, and transport. As today’s economy relies on products and services being available in a timely manner, one disruption – such as a chip shortage or a factory closing its shop floor due to a cyberattack – can have wide-reaching consequences.

Instead of focusing solely on high-impact but low-risk events, such as attacks conducted by state-sponsored cyberattack groups, most organizations today should enhance their overall supply chain resiliency by creating a secure foundation at each step of production and distribution.

“Usually supply chain attacks are not about the initial target. They are about leveraging their initial target to move laterally across a supply chain.“ John Sheehy, SVP, Research and Strategy at IOActive

A secure supply chain must place security at its heart. For modern businesses, this means security must be considered from the lowest layer of the technology stack, the silicon level.

Implementing security controls at the traditional information technology (IT), network, and application level is no longer enough. Hardware-based supply chain attacks are on the rise, including the insertion of counterfeit hardware into supply chains, intellectual property theft to enable future attacks, and silicon-based cyber attacks including data theft and surveillance, implants, backdoors, and individuals obtaining access to corporate assets without authorization.

At IOActive, we know that it is crucial for components and hardware to be verified before entering a supply chain. Our silicon security team assists clients in understanding the emerging risks of silicon-level attacks, and we can support legitimate organizations in assessing chips, devices, and systems to improve overall supply chain resiliency.

Over the past several decades, IOActive has led the way in hardware and embedded systems cybersecurity research, harnessing our expertise in these areas to refine our attack techniques in operationalizing attack and defense of supply chain and silicon security.

IOActive adopts a unique “attacker’s mindset” in performing silicon-based attacks, including white, gray, and black-box activities that contribute to the creation of custom threat models valuable to our clients. Our services include:

Research and analysis
Security feature assessment and confirmation
Data and netlist extraction (NVMs)
Supply chain risk sampling and threat modeling
Hardware backdoor detection
IP infringement support
Risk assessments

The security of the supply chain relies upon proper hardware security design and implementation. An understanding of chips, their security architecture, and risk profiles leads to informed business decisions regarding suppliers, partnerships, business initiatives, and protecting intellectual property.

IOActive specializes in full-stack security assessments and can assess security at every level, starting with silicon and hardware all the way up to programs, policies, and governance, to provide our clients with a holistic impression of how resilient their supply chains are to exploitation.

To find out more about our silicon and full stack assessment services, contact us today.

GET THE SILICON SECURITY SERVICES DATA SHEET

How new chip regulations impact the Supply Chain

Threats in the manufacturing process pose risks to global supply chains and have, therefore, impacted the political space. Regulators worldwide are examining the threats posed by counterfeit hardware and components introduced into supply chains that may risk national security and public safety, alongside the dangers of cyberattacks.

In response to geopolitical tensions which necessarily include a lack of trust, and spurred on by a desire to promote domestic economic growth, numerous governments are attempting to bring the critical elements of the supply chain back within national borders through reshoring efforts.

A great example of this effort is the US CHIPS Act. The law, which became effective in 2022, restricts federal funding and subsidies by prohibiting recipient semiconductor organizations from expanding their operations in any country deemed a “national security threat” to the United States. At present, these countries include the People’s Republic of China (PRC).

A comparable law is the European Chips Act. With an estimated one trillion microchips manufactured globally in 2020 and demand expected to double by 2023, this law proposes a framework to bolster semiconductor production by European Union (EU) member states, improve the resiliency of supply chains, and reduce external dependencies on critical technologies and components.

Having come into force in 2023, the European Commission says the act “will bolster Europe’s competitiveness and resilience in semiconductor technologies and applications.”

How to begin securing your Supply Chain

Securing the supply chain is full of complex challenges, and fully verifying every component, processor, physical device, vendor, piece of source code, and development or distribution process is almost certainly impossible.

However, this does not mean we are powerless to improve the resiliency of today’s supply chains and reduce the risk of operational disruption – far from it.

Securing the supply chain is an ongoing process rather than the result of a single audit or verification check. To assist you on the journey, below, we will discuss the most important aspects of securing your supply chain to face modern-day threats.

Create a secure hardware foundation

In recent years, IOActive has noted a shift in cybercriminal tactics. There is now an unfortunate interest in compromising hardware to infiltrate global supply chains. This includes placing implants, rootkits, malware designed to target embedded systems, and the exploitation of unintentional flaws in computing components and configurations.

As the semiconductor space continues to expand and the operational importance of consumer and business devices increases, ensuring the integrity of hardware is crucial to the security of the supply chain.

Where possible, supply chains should be designed for security, resiliency, and integrity with assessments performed on a risk-appropriate basis – either by organizations themselves or trusted third parties – to verify components and ensure that their performance and output match expectations.

Furthermore, organizations should consistently perform firmware checks and focus risk management strategies on the broader issues of quality and integrity of components rather than just the low-frequency, high-consequence events, such as the risk of state-sponsored attacks. Open Compute Project’s (OCP) supply chain assessment framework, OCP SAFE is a great example of an informed approach to managing the risks of hardware and firmware integrity.

LEARN MORE ABOUT IOACTIVE OCP SAFE SERVICES

Software: Develop Secure Code

While hardware must be central to true supply chain integrity, we must not forget the importance of software security as every level of the technology stack must be secured against attack.

There are challenges associated with software integrity and verification checks, such as potentially limited access to source code and IP, but we do have many scalable tools available that can assist in reviews and third-party assessments including security reviews of binaries.

Organizations should integrate code signing and encryption checks, review supplier changelogs, and ensure they are made aware of any significant changes to software and updates, regardless of whether it is proprietary or open source.

Consider the Secure Product Development Lifecycle (SDL)

The secure product development lifecycle (SDL) is paramount in securing software supply chains.

An SDL involves the creation and enforcement of a set of practices for quality, security, and privacy assurance in all stages of a product’s development. By mapping the full software development process and integrating checks, audits, and reviews at each stage, organizations can resolve vulnerabilities, remove potential avenues for exploitation, and enhance the security of products prior to deployment.

As explained by the US Cybersecurity and Infrastructure Security Agency (CISA), SDL frameworks define the procedures and policies in production, outlining how and when product development, verification, and validation will occur. These may include secure coding practices, code reviews, testing, vulnerability assessments, quality assurance controls, and how safe distribution and deployment channels will be established and managed. A great example of a standardized SDL framework for a specific, vertical industry is SAEISO 21434, which “includes requirements for cybersecurity processes and a common language for communicating and managing cybersecurity risk.”

A thought on AI

It is also important to consider the changes machine learning (ML) and artificial intelligence (AI) will inevitably make to the SDL process and supply chain integrity as a whole.

AI, going beyond chat assistants and basic machine learning (ML) models, could become an invaluable tool for reducing insecure code. However, in the same breath, organizations need to consider how AI could be used for malicious purposes, such as in supporting the writing of malware specifically designed to target particular components or software, which would otherwise be outside the skills of many threat actors.

Supply chains, by their nature, must be fluid and flexible. Disruptive technologies including AI and other next-generation technologies on the horizon could change the face of global manufacturing and distribution. By focusing on resiliency and integrity, organizations will provide themselves with the best chance of weathering any future disruption to their operational effectiveness.

Firmware updates for physical products

Over the past decade, we’ve observed a lack of robust security practices regarding firmware updates for physical products, including a lack of secure updates, strong cryptographic integrity checks, strong firmware encryption to resist reverse engineering, and unnecessarily delayed updates.

With billions of devices now connected worldwide, many of which still contain hardcoded credentials and are produced by vendors who fail to provide timely patch processes, examining the firmware of physical products is crucial to securing the supply chain.

As noted in a 2022 report published by the US Departments of Commerce and Homeland Security, many of today’s OEMs also outsource firmware development to third parties, which “introduces risks related to the lack of transparency into suppliers’ programming and cybersecurity standards.”

While the security of some physical products is limited by embedded chip capabilities and power budgets, firmware, like traditional computing software, must be protected against cyber threats with regular security updates. This is especially true considering the privileges assigned to firmware, which, in the wrong hands, could lead to security controls being bypassed.

Chip Architecture: Why does it matter?

As consumer and business devices grow exponentially, managing and verifying the chips powering them is critical to ensuring supply chain integrity.

Selecting the right chip architecture and vendor informed by performing security assurance tests is necessary to prevent problems that could disrupt the entire production process and cause consequential reputational impacts, whether related to a software supply chain or industrial production line.

For example, if counterfeit chips are indistinguishable from genuine designs without specialized assistance, their use could eventually lead to data breaches and/or hardware failures. Comparatively, some chip architectures may contain inherent design flaws that could be exploited by threat actors.

Organizations should also ensure they are versed in regulatory and compliance-related changes in the semiconductor space. This is particularly important at a time when governments around the globe are encouraging chip development within their borders, and introducing penalties in some scenarios where chip production is outsourced beyond their borders.

Reversing the Chip: Minimizing risk in routers, switches, and counterfeit hardware

Organizations should proactively assess and validate hardware, including routers and switches, to minimize the risk to their supply chain.

Vetting partners and manufacturers within the supply chain can also considerably reduce the risk of operational disruption, technical problems, legal issues, and reputational damage.

An example of hardware verification failures with catastrophic consequences was highlighted by the FBI, which uncovered counterfeit Cisco goods manufactured by Chinese partners that eventually made their way into the US military supply chain.

Fake goods producers undercut genuine products, whereas organized crime and foreign government entities may add malicious implants such as code or covert subroutines into counterfeit chips.

National security concerns aside, substandard and counterfeit networking equipment, hardware, and processors often lead to instability within authentic products, with the legitimate manufacturer bearing the consequences and costs.

Detecting such compromises within a supply chain can be difficult, especially when performing due diligence at the silicon level. It requires specialized equipment, microcode extraction, source material, and skilled specialists able to sift through microprocessor operations at the deepest level.

However, as IOActive has shown in its research and ability to detect fake chips within the supply chain, cost-effective methods are available that reduce the attack surface and improve the resiliency and integrity of today’s supply chains.

Strategies for securing the Supply Chain

The threatscape is constantly evolving and with it, developing a supply chain based on integrity is the best way to mitigate the risk of compromise. You cannot trust what you cannot verify.

Unmitigated threats and vulnerabilities in software, hardware, and services supply chains pose a significant risk to organizations. Cyber threat actors have demonstrated that a supply chain is only as strong as the security of the weakest organizations involved within it.

As organizations have matured their cybersecurity operations and improved their security posture, their supply chain becomes a more practical target to a highly rational threat actor. Hardware, firmware, operational procedures, vendors, or human elements offer alluring targets to a threat actor facing a target with solid cyber hygiene that enables them to execute their attack sequence to infiltrate and move laterally across a network, and produce consequential effects in their wake.

According to the Word Economic Foundation’s 2023 Global Cybersecurity Outlook study, a majority of business executives surveyed believe that cyber threat actors are now more likely to focus on business disruption and reputational damage. As a result, today’s business leaders say that cyber resilience is integrated into their organization’s enterprise risk-management strategies.

The supply chain is not exempt from these concerns, and resilience is needed to combat them.

Organizations should focus on prudently managing risk and continuing operational effectiveness during security incidents or supply chain disruptions to achieve true resiliency and security maturity.

IOActive recommends the following steps to begin your supply chain integrity and security journey:

Identifying the entities within your supply chain, including inventories of products, components, software libraries, and firmware usage Using SBOM and HBOM materials would be helpful here, and their use is backed by a 2021 executive order that requires federal organizations to utilize these documents.
Launch a supply chain integrity program that combines earned trust and verification processes for partners, suppliers, and hardware
Collaborate with partner organizations to raise the security posture of your full supply chains – as well as increase the technical cost and consequences for cyber attackers keen to strike them
Prioritize technical and risk assessments of high-risk, high-impact areas, such as silicon and firmware-based attacks, which may produce comprehensive compromises
Create threat models, to enumerate and understand attack vectors, risks, and consequences, and roadmaps for reaching desired security maturity levels
Reassess controls and supply chain components on a regular basis
Be aware of next-generation tools and attack vectors that may impact supply chain integrity and security, including artificial intelligence.

“Don’t bother looking for malicious nation-state implants if you don’t look for quality issues that have a security impact, such as counterfeits. There’s no need for a threat actor to use a slow, high-risk, costly supply chain compromise if you don’t patch your servers.” John Sheehy, SVP, Research and Strategy at IOActive

ADDITIONAL RESOURCES

FAQ

I need to assess my software and hardware integrity, where do I start?

Assessing the integrity of your software and hardware is an essential step in ensuring the overall security of your organization’s supply chain. The US national Institute of Standards (NIST) has published a standard for Cybersecurity Supply Chain Risk Management (C-SCRM) Practices for Systems and Organizations in NIST SP 800-161. This standard builds on top of existing, key cybersecurity standards such as the NIST Cybersecurity Framework (NIST CSF), NIST 800-53, and NIST 800-171. NIST also has made available a quick start guide for C-SCRM. Likewise, the European Union Agency for Cybersecurity (ENISA) has published a Good Practices for Supply Chain Cybersecurity.

To begin this process, follow these high-level steps:

Conduct a thorough inventory: Identify all connected devices and systems within your organization, including desktops, laptops, mobile devices, servers, network equipment, and any other IT or operational technology (OT) assets.
Evaluate each asset’s security posture: Use tools like vulnerability scanners (e.g., Nessus, OpenVAS) or penetration testing frameworks (e.g., Metasploit) to assess the security of each device and system. This will help you identify potential vulnerabilities, misconfigurations, and other weaknesses that could be exploited by attackers. These asset assessments should be prioritized by potential impact to your organization’s operations.
Review and update policies and procedures: Ensure that your organization’s policies and procedures for managing software and hardware are up-to-date and aligned with industry best practices. This includes implementing a robust patch management program, regularly updating operating systems and applications, and using secure protocols for data transmission. These policies or something more secure should be followed by your suppliers as requirement of any contract to purchase products or services.
Consider hiring a third-party assessor: If you’re unsure about how to conduct an assessment or need expert guidance, consider hiring a third-party security consultant or auditor who can provide independent evaluation and recommendations.

At IOActive, we understand the importance of ensuring the integrity of your organization’s software and hardware. That’s why we offer Full Stack Security Assessments, a comprehensive evaluation of your entire system, from the facility and semiconductor level all the way up to strategic impacts on personnel, process, and supply-chain security. Our team of experts can help you conduct a thorough assessment of your IT assets, identifying potential vulnerabilities and misconfigurations that could be exploited by attackers.

Our state-of-the-art assessment drills down to every layer in between, identifying potential gaps throughout your environment. We carefully assess every aspect of your technology stack, including:

Physical infiltration and close-access-enabled assessments
Embedded device hardware and firmware
Network and application-level threats
Conducting a comprehensive inventory of all connected devices and systems within your organization
Evaluating each asset’s security posture using industry-leading tools and techniques
Identifying potential weaknesses and providing recommendations for remediation
Developing a customized plan to address identified vulnerabilities and improve overall IT,OT, or product security

By evaluating all levels of the technology stack, we provide a truly one-stop-shop for high-end cybersecurity expertise – the only one of its kind in the industry. Our layered security strategy provides increased protection, making it more difficult for attackers to exploit vulnerabilities

What should I prioritize when securing my supply chain?

Securing your supply chain requires a multi-faceted approach that addresses various risks and vulnerabilities. To ensure the integrity of your supply chain, prioritize the following key areas by potential impact to your organization’s operations:

Identify and mitigate third-party vendor risks: Assess the security posture of all third-party vendors who provide goods or services to your organization. Ensure they have robust security controls in place, including access controls, authentication mechanisms, and regular vulnerability assessments.
Implement robust access controls and authentication mechanisms: Use multi-factor authentication (MFA), secure passwords, and other access control measures to prevent unauthorized access to sensitive data and systems.
Conduct regular security audits and vulnerability assessments: Regularly assess your organization’s security posture using tools like vulnerability scanners or penetration testing frameworks. This will help you identify potential weaknesses and take corrective action before they can be exploited by attackers.
Ensure compliance with relevant regulations and standards: Familiarize yourself with industry-specific regulations and standards, such as PCI DSS for payment card data, HIPAA for healthcare data, or GDPR for EU personal data. Ensure your organization’s security practices align with these requirements.

At IOActive, we understand that a comprehensive approach to supply chain security requires careful consideration of various risks and vulnerabilities.

Our Supply Chain Security service includes:

Identifying and mitigating third-party vendor risks through thorough assessments and risk-based mitigation strategies
Conducting regular security assessments and vulnerability assessments to identify potential weaknesses and take corrective action before they can be exploited by attackers
Supporting compliance efforts with relevant regulations and standards, such as PCI DSS for payment card data or GDPR for EU personal data

Is there a framework to follow to ensure secure code?

Yes, there are established frameworks that provide guidance on writing secure code. Consider following these industry-recognized guidelines:

Open Web Application Security Project (OWASP) Secure Coding Practices: OWASP provides a comprehensive guide for secure coding practices, including secure coding principles, threat modeling, and vulnerability assessment.
National Institute of Standards and Technology (NIST) Guidelines for Secure Code Development: NIST offers guidelines for secure code development, including secure coding principles, secure coding practices, and secure testing methodologies, or NIST guidance on verification of code in support of Executive Order 14028.
Industry-specific guidelines: Familiarize yourself with industry-specific guidelines, such as the Payment Card Industry Data Security Standard (PCI DSS) for payment card data or the Health Insurance Portability and Accountability Act (HIPAA) for healthcare data.

At IOActive, we believe that writing secure code is an essential aspect of maintaining the trust and confidence of your customers, partners, and stakeholders. Our team of experts can help you develop a comprehensive approach to secure coding practices, ensuring that your organization’s code meets industry standards for security and reliability.

Our Secure Coding service includes:

Developing customized secure coding guidelines based on industry-recognized frameworks, such as OWASP Secure Coding Practices or NIST Guidelines for Secure Code Development
Providing Secure Development Lifecycle (SDL) services to ensure that your development process is designed with security in mind from the outset
Conducting regular code reviews and vulnerability assessments to identify potential weaknesses and take corrective action before they can be exploited by attackers