In Dun & Bradstreet’s 2019 “Compliance and Procurement Sentiment” report, respondents cited cybersecurity as their top concern, yet 48% had not integrated associated risks into their third-party risk management. While developing and implementing a supply chain security program can be daunting, it should be the first item on your company’s to-do list — with an emphasis on hardware security, which is often given short shrift.
Information security programs typically focus on managing software patches and keeping anti-malware engines and network security gear up to date. As a result, hardware components are often deprioritized, even though they are also vulnerable to advanced attackers and nation-state threats. The manipulation of physical components during building stages or transportation routes is a threat to all physical products. Faulty parts cause recalls, and when the part is relied on by global systems and contains sensitive data, the scale of the potential carnage becomes exponential. Successfully attacking firmware can create a vulnerability that attackers covet because, unlike most software-based attacks that can be fixed by resetting a device back to default, many hardware attacks can survive firmware reflashing or operating system reinstallations.
Threats to the hardware supply chain are not theoretical, and security teams need to develop stronger policies to mitigate supply chain threats and risks. Securing the supply chain needs to happen at various levels — each carrying its own complexities. The first step is ensuring the supply chain is part of your organization’s threat model. At a minimum, a good grasp of the risks associated with the supply chain could change your acceptable business risks.
Here are 10 best practices for designing a strong supply chain security program.
1. Perform a risk analysis of the business: Risk is defined as the cost of system loss multiplied by the probability that the loss may occur through malicious action. Such a risk analysis can help an organization triage incidents and prioritize mitigations. Rooting out hardware implants from the supply chain is an expensive process, and a risk analysis can weigh the benefits of implementing the controls in this list against the cost of a security incident. It may not make sense for every organization, or every business unit inside an organization, to prioritize threats from hardware implants. Determine your team’s risk analysis first before implementing any security measures.
2. Create and maintain an inventory of third-party hardware providers: This should be an extension of the hardware and software inventory already dictated by your organizational policy.
3. Identify the devices that provide business-critical functionality and services: Critical devices are defined as any hardware that is a single point of failure in an organization’s security model or that implements a critical security-relevant service.
4. Perform a third-party risk assessment on each critical provider/device: If necessary, once the assessment is complete, re-evaluate contractual language to include security addendums and clauses around mandates that your service provider maintains and a request for periodic proof of its continued adherence to security standards.
5. Establish a communication plan with each critical provider: This should be bidirectional and allow each organization to be informed when issues arise that could increase exposure to risk.
6. Build and maintain a software dependency tracker for your organization’s hardware: Through this, you can determine whether servers or appliances are vulnerable to security flaws in software components and initiate discussions with vendors about timely patching.
7. Establish an assessment process for third-party hardware that is delivered to your organization: This can include testing the security of your hardware, establishing traffic baselines in a lab environment, and reviewing the security of your supplier’s supplier.
8. Conduct ingress and egress filtering: Do this on any network-attached components, blocking unexpected requests from entering or leaving the operating environment.
9. Request documentation and proof of assessment for devices that implement critical infrastructure: Devices should be resilient to, and subjected to, network, local, and physical attacks. To specifically resist hardware implants, anti-tamper controls should be tested and reverse-engineering efforts against devices should be limited through technical controls.
10. Understand your vendors’ supply chains as part of the system selection process: Vendors should be able to share the origin of each device component and provide an overview of how the component is secured from manufacturer to customer.
Though these recommendations cannot totally prevent the compromise of mission-critical hardware, they are a foundation to help mitigate your overall risk.
Hardware interdiction is a real threat, and supply chain security assessments must be part of most organizations’ threat models and risk mitigation strategies. Hardware attacks are unique in that they provide access and persistence at levels that are challenging and near-impossible to adequately address. By establishing a process and framework for addressing these concerns, you can ensure you’re not giving more advanced attackers carte blanche to your environment.
Daniel Wood (CISSP, GPEN) is the Associate Vice President of Consulting at Bishop Fox, where he leads all service lines and develops strategic initiatives. He has over 15 years of experience in cybersecurity and is a subject matter expert in red teaming, insider threat, and … View Full Bio