Cyber Crime
Assessing and protecting the technology supply chain – Pt I
Supply chains play a critical role in supporting the global economy.
Save to Folio
But as organisations increasingly digitise their operations and relationships with partners and suppliers, threat actors are finding more opportunities to make them pay. The challenge is that supply chains threats span numerous scenarios and technology environments—not all of which are well understood.
Here we’ll take a look at how to mitigate risks impacting digital artefacts in industrial equipment/operational technology (OT) and consumer devices.
Devices under fire
Sometimes threat actors are able to compromise devices and their firmware before they’ve even been shipped to customers. That’s what the “Lemon Group” did in an audacious recent campaign, in which it claimed to have infected nearly nine million Android handsets with malware we dubbed "Guerrilla”. It’s still not clear exactly how and where the malware is inserted into devices: it could come in compromised master images for flash memory, or via the QA phase, or another stage in the supply chain. All we know is it happens before they are packaged. The bottom line is that users get a brand-new phone straight out of the box that contains malicious software designed to spy on their messages, social media activity, phone book and more.
It shows that we can’t place blind trust in the security and integrity of devices. Granted, Apple controls the entire manufacturing ecosystem of its handsets and so it’s less likely to be impacted by supply chain risks like those above. Android’s ecosystem of approved suppliers also makes it extremely difficult for threat actors, by controlling and verifying the environment extensively. That makes security out of the box very high, even if rooting devices can open the door to threats.
But what about generic devices, often only equipped with standard distribution, like those impacted by Guerilla? Here the responsibility falls on the user to try and verify the integrity of the device. Digital signatures can help, confirming the software/firmware comes from a trusted vendor and hasn’t been tampered with. Hardware security modules (HSMs) can provide additional protection against compromise. However, in non-walled garden ecosystems like those generic devices, users are dependent on the manufacturer to provide these signatures. And even if they are provided, which isn’t a given, it doesn’t mean that they are validated in the underlying system or by the hardware (HSM).
Why OT integrity matters
While some manufacturers of consumer products can pass on validation of the integrity of their hardware to the user, this is not an option for manufacturers of industrial equipment. Here, too, familiar technologies such as digital signatures and HSMs are used, although often applied much earlier in the production of (sub-)assemblies. Not only do OT makers have a vested interest in the integrity of their equipment, but by law they’re mandated to ensure this integrity is maintained from manufacture through delivery, operation and decommissioning. That’s because while compromise of a user device could lead to loss of personal and potentially corporate data, an OT breach may have serious repercussions for critical infrastructure.
It's not just the equipment itself that must be secured against supply chain attacks, but also the process in which the equipment is used. With the help of "digital twins", it’s possible to simulate the function of devices and assemblies in advance and to verify them later. The information required for this is stored in so-called "Asset Administration Shell" which contain meta-descriptions of the assembly as well as documentation, links to firmware/software and much more.
Assessing risk in digital artefacts
The integrity of digital artefacts in the supply chain is critical to the security and reliability of IT systems. Whether it’s an end user device or a critical piece of OT equipment, IT administrators have a responsibility to assess risk and take appropriate action to mitigate it if required. Yet despite a growing regulatory mandate, this is not always as high up on the to-do list as it should be.
Stay tuned for Part II of this series when we’ll be taking a look at software artefacts.