Supply chain risk: Addressing a multitude of single points of failure

As recent attacks have demonstrated, supply chain risks extend to the software and update process as well.

It's well understood that the technology supply chain introduces risk, but until recently, the focus has been on people and processes, leaving the technology itself as a major visibility gap. To effectively manage supply chain risk, government organizations must understand and address the full scope of the supply chain. As recent attacks have demonstrated, that extends to the software and update process as well.

When considering supply chain risk, it is tempting to focus on physical interdiction: a device tampered with during transport can cause irreparable harm. But physically tampering with hardware does not scale. Manipulating the software inside the hardware (the firmware) very much does. In the Sunburst campaign, attackers compromised SolarWinds' build process so that a backdoor was compiled into Orion updates, signed with the vendor's own certificate and delivered through the normal update channel to roughly 18,000 customers. The earlier ShadowHammer attack followed the same pattern: compromised ASUS Live Update servers pushed a trojanized updater, signed with legitimate ASUS certificates, to hundreds of thousands of customers. In both cases the updates carried valid signatures and appeared legitimate, so signature verification alone could not have caught them; only an independent check of what the update actually contained could.

Scope explosion makes it worse

Every laptop, desktop, server or other information technology device is composed of dozens of components, and each of those components has a supply chain of its own. At any point in that chain an attacker could modify or insert code, or the code could simply ship with an accidental vulnerability such as a logic bug or buffer overflow, or with a deliberate backdoor. Hard-coded usernames and passwords are the common case: in network devices especially, they end up being the initial vector that gives an adversary a foothold in the device operating system and, from there, access to further attack surfaces in the organization.
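As an added example that is not from the article, the check a practitioner would run for the hard-coded credential case described above: a short Python audit of an extracted firmware root filesystem. It parses etc/passwd and etc/shadow for accounts that can actually log in (an empty password field, a fixed hash shipped in the image, an extra UID 0 account) and greps configuration files for credential-looking settings. The sample files, account names, hashes and the set of config keys it looks for are constructed for the demonstration; point scan_firmware_root() at a real extracted image to use it.

```python
"""Audit an extracted firmware root filesystem for hard-coded credentials.

Added example, not code from the article. The SAMPLE_* strings are constructed
stand-ins for files pulled out of a real image (e.g. with binwalk -e); the hashes
in them are fake. Point scan_firmware_root() at a real extracted root to use it.
"""
import re
import tempfile
from pathlib import Path

NOLOGIN_SHELLS = {"/bin/false", "/sbin/nologin", "/usr/sbin/nologin"}
# Assumed set of config keys that commonly carry an embedded secret.
CRED_PATTERN = re.compile(
    r"(?im)^\s*(?P<key>password|passwd|pass|pwd|secret)\s*[=:]\s*[\"']?(?P<value>[^\"'\s#]+)")
CONFIG_SUFFIXES = {".conf", ".cfg", ".ini", ".sh"}

SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/sh
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
admin:$1$Zx9q1Lp2$c4f0b1d9e8a7f6e5d4c3b2a1:0:0::/root:/bin/sh
support::1001:1001::/home/support:/bin/sh
www:x:33:33::/var/www:/bin/false
"""
SAMPLE_SHADOW = """\
root:$6$Q7zP3sLm$7f3e2d1c0b9a8f7e6d5c4b3a2f1e0d9c:18000:0:99999:7:::
daemon:*:18000:0:99999:7:::
www:!:18000:0:99999:7:::
"""
SAMPLE_CONF = """\
# telnet daemon settings
enable_telnet=1
password = Sup3rS3cret!
listen_port=23
"""


def audit_accounts(passwd_text, shadow_text=""):
    """Return [(user, reason)] for accounts that ship with a working login."""
    shadow = {}
    for line in shadow_text.splitlines():
        parts = line.split(":")
        if len(parts) >= 2:
            shadow[parts[0]] = parts[1]
    findings = []
    for line in passwd_text.splitlines():
        parts = line.split(":")
        if line.startswith("#") or len(parts) < 7:
            continue
        user, pw, uid, _gid, _gecos, _home, shell = parts[:7]
        secret = shadow.get(user) if pw == "x" else pw
        if secret is None or secret.startswith(("!", "*")):
            continue  # no shadow entry, or locked: nothing to authenticate with
        if shell in NOLOGIN_SHELLS:
            continue  # a hash exists but the shell refuses interactive login
        if uid == "0" and user != "root":
            findings.append((user, "extra UID 0 account with a usable password"))
        if secret == "":
            findings.append((user, "empty password field: logs in without a password"))
        else:
            # The same hash in every unit shipped is a credential shared by every customer.
            findings.append((user, "fixed password hash baked into the image"))
    return findings


def scan_config_files(root: Path):
    """Return [(relative path, key, value)] for credential-looking config settings."""
    hits = []
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix in CONFIG_SUFFIXES:
            for m in CRED_PATTERN.finditer(path.read_text(errors="replace")):
                hits.append((path.relative_to(root).as_posix(), m.group("key").lower(), m.group("value")))
    return hits


def scan_firmware_root(root: Path):
    """Run both checks against an extracted firmware root directory."""
    def read(rel):
        p = root / rel
        return p.read_text(errors="replace") if p.exists() else ""
    return {
        "accounts": audit_accounts(read("etc/passwd"), read("etc/shadow")),
        "config_secrets": scan_config_files(root),
    }


def build_sample_root():
    """Write the constructed sample files into a temp dir laid out like an extracted image."""
    root = Path(tempfile.mkdtemp(prefix="fw-"))
    (root / "etc").mkdir()
    (root / "etc/passwd").write_text(SAMPLE_PASSWD)
    (root / "etc/shadow").write_text(SAMPLE_SHADOW)
    (root / "etc/telnetd.conf").write_text(SAMPLE_CONF)
    return root


if __name__ == "__main__":
    report = scan_firmware_root(build_sample_root())
    for user, reason in report["accounts"]:
        print(f"account {user}: {reason}")
    for rel, key, value in report["config_secrets"]:
        print(f"{rel}: {key} = {value}")
```

Against the constructed image this flags the root account (its hash is identical in every unit that ships this image), an extra UID 0 "admin" account with its own baked-in hash, a passwordless "support" account, and a plaintext telnet password in a config file, while correctly ignoring the locked daemon and www accounts. The key list in CRED_PATTERN is a starting point, not an exhaustive one.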

Risk naturally increases as the attack surface grows, but supply chain risk is also heightened by its concentration. Every piece of modern technology is built upon assumptions and abstractions from lower layers, and one issue anywhere in the supply chain of any component can break the assumptions that every operating system and application above it depends on. Given the scope of the supply chain, there isn't one single point of failure; there are hundreds, possibly thousands, of single points of failure in an IT environment.

To make matters worse, one failure can equate to many compromises. The components themselves are discrete, but the software inside them is not: the same libraries are reused in components across multiple products from different manufacturers. If a shared library is compromised or found vulnerable anywhere, it is compromised everywhere it was embedded. This is especially true of libraries baked into firmware, many of which are common to many components and rarely updated.

Similarly, supply chain risks are particularly impactful in large, homogeneous environments such as data centers, cloud infrastructure and virtual environments within the enterprise, where thousands of systems share identical components. A single vulnerability in a Baseboard Management Controller (BMC), which runs independently of the host operating system and has out-of-band access to the server it manages, can lead to the compromise of the entire data center.

The implications of supply chain risk

Supply chain security is not a "point in time" affair. Manufacturers can build good security mechanisms, but systems evolve, vulnerabilities surface and attackers improve their methods. Bottom line: something trusted today may not be trustworthy tomorrow.

Given the vast quantity of components that make up any given system, there are countless opportunities for vulnerabilities to appear. The same critical risk may be duplicated thousands of times along a long supply chain, and any one instance is enough to cripple infrastructure.

While the federal government has a number of processes for validating the supply chain, they are not necessarily scalable or practical. One cannot conclude that a product made in the United States is robust against these issues; the problem is far more complicated than country of manufacture. Even if a system is deconstructed, analyzed and reconstituted, the next software or firmware update usually invalidates that work. Systems that address this complexity with continuous and rigorous verification are badly needed but far off. There are "turtles all the way down," and they bite.

How to address supply chain risk

When you find yourself stuck in a deep hole, the first step is to stop digging. Here that means establishing a baseline of visibility into the firmware and hardware present in every component of every device. Without this visibility, the risk to the enterprise (or the mission) cannot even be quantified and registered, let alone managed down to acceptable levels. Once the organization has visibility, it can begin to apply the same processes already used to manage risk at the OS, network and even physical or business layers: update deployment, patch management and configuration management can and should be made to work for each component inside each device.

Managing supply chain security with a vendor-independent tool allows organizations to centralize risk management for all the systems in a heterogeneous environment. Independent checks also provide added assurance and reduce the risk of vendor lock-in. Manufacturers have a key role in this story, too. By building in transparency and secure attestation, and by sharing bill-of-materials (BOM) integrity data with third-party solutions, they can enable the visibility that is so badly needed. Building on that visibility, public and private organizations can work together to gain a reasonable foothold in understanding and responding to supply chain risk.
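Pulling the preceding points together in working code, as an added example that is not the article's or any vendor's: a component-level inventory that records, per device and per component, the self-reported firmware version, the hash of the image actually present, and the libraries the vendor's BOM says are embedded. From that baseline it does the two things the text calls for. It flags drift, including the case where a component's bytes have changed while it still reports the same version (what a signed but tampered update looks like from the inside), and it answers "which devices contain this library" when a shared library turns out to be vulnerable, the BMC-across-the-data-center case included. Device names, vendors, versions, hashes and library lists are all constructed; a real deployment would fill them from inventory tooling and vendor attestation data.

```python
"""Component-level firmware inventory: baseline drift and shared-library blast radius.

Added example, not the article's or any vendor's code. All device, component,
version, hash and library data below is constructed for the demonstration.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Component:
    name: str                        # e.g. "BMC", "UEFI", "NIC"
    vendor: str
    version: str                     # version the component reports about itself
    image_sha256: str                # hash of the firmware image actually present (shortened here)
    libraries: Tuple[str, ...] = ()  # embedded third-party libraries as "name@version", from a BOM


# device id -> component name -> Component
Inventory = Dict[str, Dict[str, Component]]


def _comp(name, vendor, version, sha, libs=()):
    return Component(name, vendor, version, sha, tuple(libs))


# Two identical servers (the homogeneous data-center case) plus one laptop.
BASELINE: Inventory = {
    "srv-01": {
        "BMC":  _comp("BMC", "VendorA", "2.41", "aa11", ["libcurl@7.29", "openssl@1.0.2"]),
        "UEFI": _comp("UEFI", "VendorA", "1.08", "bb22", ["openssl@1.0.2"]),
        "NIC":  _comp("NIC", "VendorB", "8.3", "cc33"),
    },
    "srv-02": {
        "BMC":  _comp("BMC", "VendorA", "2.41", "aa11", ["libcurl@7.29", "openssl@1.0.2"]),
        "UEFI": _comp("UEFI", "VendorA", "1.08", "bb22", ["openssl@1.0.2"]),
        "NIC":  _comp("NIC", "VendorB", "8.3", "cc33"),
    },
    "laptop-07": {
        "UEFI": _comp("UEFI", "VendorC", "5.1", "ee55", ["openssl@1.1.1"]),
    },
}

# Later snapshot: srv-01's BMC has different bytes but the same version string,
# srv-02 received a legitimate UEFI update, and srv-03 appeared without a baseline.
CURRENT: Inventory = {
    "srv-01": {
        "BMC":  _comp("BMC", "VendorA", "2.41", "dead", ["libcurl@7.29", "openssl@1.0.2"]),
        "UEFI": _comp("UEFI", "VendorA", "1.08", "bb22", ["openssl@1.0.2"]),
        "NIC":  _comp("NIC", "VendorB", "8.3", "cc33"),
    },
    "srv-02": {
        "BMC":  _comp("BMC", "VendorA", "2.41", "aa11", ["libcurl@7.29", "openssl@1.0.2"]),
        "UEFI": _comp("UEFI", "VendorA", "1.09", "bb23", ["openssl@1.0.2"]),
        "NIC":  _comp("NIC", "VendorB", "8.3", "cc33"),
    },
    "srv-03": {
        "BMC":  _comp("BMC", "VendorA", "2.41", "aa11", ["libcurl@7.29", "openssl@1.0.2"]),
    },
    "laptop-07": {
        "UEFI": _comp("UEFI", "VendorC", "5.1", "ee55", ["openssl@1.1.1"]),
    },
}


def snapshot_diff(baseline: Inventory, current: Inventory) -> List[Tuple[str, str, str]]:
    """Return sorted (device, component, finding) tuples for every deviation from the baseline."""
    findings = []
    for device, comps in current.items():
        base = baseline.get(device)
        if base is None:
            findings.append((device, "*", "device not in baseline"))
            continue
        for name, comp in comps.items():
            prior = base.get(name)
            if prior is None:
                findings.append((device, name, "component not in baseline"))
            elif comp.image_sha256 != prior.image_sha256:
                if comp.version == prior.version:
                    # Same self-reported version, different image: what a signed but
                    # tampered update looks like, and what version checks alone never catch.
                    findings.append((device, name, f"image changed but still reports {comp.version}"))
                else:
                    findings.append((device, name, f"updated {prior.version} -> {comp.version}"))
        for name in base.keys() - comps.keys():
            findings.append((device, name, "component missing from current snapshot"))
    return sorted(findings)


def blast_radius(inventory: Inventory, library: str) -> Dict[str, List[Tuple[str, str]]]:
    """Map device -> [(component, vendor)] for components embedding `library`.

    `library` may be "name@version" for one exact build or a bare "name" for every version.
    """
    hits = {}
    for device, comps in inventory.items():
        affected = sorted(
            (c.name, c.vendor) for c in comps.values()
            if any(lib == library or lib.split("@", 1)[0] == library for lib in c.libraries))
        if affected:
            hits[device] = affected
    return hits


if __name__ == "__main__":
    for device, comp, finding in snapshot_diff(BASELINE, CURRENT):
        print(f"{device:10} {comp:5} {finding}")
    for device, comps in blast_radius(CURRENT, "openssl@1.0.2").items():
        print(f"openssl@1.0.2 present on {device}: {comps}")
```

Two design choices worth noting. The drift check compares image hashes, not version strings, because a version string is whatever the firmware chooses to report; the hash is what an attestation or a direct read of the flash gives you. And the blast-radius query accepts a bare library name, since in practice the first question after a disclosure is "where do we have this at all", and the exact embedded version is often something the BOM reports imprecisely or not at all.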

Supply chain risk isn't new. But the supply chain is becoming a bigger target as attackers look for easier ways to increase the severity and scale of their attacks. Government organizations need policies and procedures that treat the supply chain holistically and implement a pragmatic approach to reducing supply chain risk, one that extends to and includes continuous monitoring of supply chain threats in the operational environment.
