Dell Warns of Malicious Code on Server Motherboards

An example of cyber supply chain risk management

A recent Network World article stated that Dell is warning customers that a small number of PowerEdge server motherboards sent out through service dispatches may contain malware. Here is a link to the article in question:

Dell is doing the right thing by alerting potentially impacted customers, but questions remain:

1. How did the malware get there?
2. Were the motherboards assembled in a certain place or by a specific manufacturer?
3. What processes do Dell (and other server vendors) have in place to ensure that this doesn't happen?

I could go on and on. To me, the Dell incident demonstrates an important but relatively unknown concept called cyber supply chain assurance. Servers, software, and other IT equipment are made up of millions of lines of code, a potpourri of components, and hundreds or even thousands of pieces of specialized electronic gear. If any one of these elements is compromised, the whole enchilada could be a ticking time bomb. Malware on a server motherboard is just the beginning.

A bit of a tangent: back in 2004, the U.S. federal government issued a report stating that only 21% of semiconductor manufacturing remained in the United States, while the bulk of capacity was migrating to China. This caused great concern in the Dept. of Defense, as most of our weapons systems, communications, and logistics depend upon IT. This led to the creation of the Trusted Foundry program, a DOD/industry initiative to ensure domestic microprocessor design and manufacturing capabilities.

I bring up this example to illustrate a point. DOD realized that it was dependent upon technology and thus vulnerable to a breach of the cyber supply chain. Outside of the defense community, however, cyber supply chain risk management is nearly invisible. While the Dell incident is minor and seems contained, it is a further warning about the risk we all face. Let's hope it wakes up some security professionals outside of the Pentagon.
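One concrete form of the assurance the questions above point at is a manifest check on delivery: the vendor records a SHA-256 digest for every firmware and option-ROM image on the board at release time, and the receiving site recomputes the digests on the delivered part and flags anything mismatched, missing, or unexpected. The following is an added Python example written for this page; it is not code from the article, from Dell, or from any vendor, and the component names, image bytes, and manifest layout are constructed for illustration.

```python
"""Verify delivered component images against a vendor-issued digest manifest.

Added example for this page (not Dell's or any vendor's real tooling).
The manifest layout, component names and image bytes are constructed.
"""
import hashlib
import hmac
from typing import Dict

# Constructed "golden" images, standing in for what the vendor released.
GOLDEN_IMAGES: Dict[str, bytes] = {
    "bmc_firmware": b"BMC v1.0 known-good image",
    "bios": b"BIOS v2.3 known-good image",
    "nic_option_rom": b"NIC option ROM known-good image",
}


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 digest of an image."""
    return hashlib.sha256(data).hexdigest()


def build_manifest(images: Dict[str, bytes]) -> Dict[str, str]:
    """Vendor side: record one digest per component at release time."""
    return {name: sha256_hex(data) for name, data in images.items()}


def verify_components(manifest: Dict[str, str],
                      received: Dict[str, bytes]) -> Dict[str, str]:
    """Receiving side: compare every image on the delivered board to the manifest.

    Status per component name:
      ok         - digest matches the manifest
      mismatch   - present, but the digest differs (altered after release)
      missing    - listed in the manifest but not found on the board
      unexpected - found on the board but absent from the manifest
    """
    status: Dict[str, str] = {}
    for name, expected in manifest.items():
        if name not in received:
            status[name] = "missing"
        elif hmac.compare_digest(sha256_hex(received[name]), expected):
            status[name] = "ok"
        else:
            status[name] = "mismatch"
    for name in received:
        if name not in manifest:
            status[name] = "unexpected"
    return status


def board_is_trusted(status: Dict[str, str]) -> bool:
    """A board passes only if every component, and nothing else, is 'ok'."""
    return all(s == "ok" for s in status.values())


# Constructed delivery: the BIOS image has extra bytes appended and an
# image the manifest never listed is present on the board.
RECEIVED_IMAGES: Dict[str, bytes] = {
    "bmc_firmware": GOLDEN_IMAGES["bmc_firmware"],
    "bios": GOLDEN_IMAGES["bios"] + b"\x90\x90",
    "nic_option_rom": GOLDEN_IMAGES["nic_option_rom"],
    "unknown_blob": b"not in manifest",
}

if __name__ == "__main__":
    manifest = build_manifest(GOLDEN_IMAGES)
    report = verify_components(manifest, RECEIVED_IMAGES)
    for component, state in sorted(report.items()):
        print(f"{component:16s} {state}")
    print("board trusted:", board_is_trusted(report))
```

Two caveats a practitioner would attach to this check. The manifest is only as trustworthy as the channel it arrived through, so it has to be signed by the vendor and fetched independently of the shipment rather than read from the same board. And a digest comparison catches alteration after the manifest was built; it says nothing about a component that was already malicious when the vendor recorded it, which is exactly the case the post's questions about assembly location and vendor process are about.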

Copyright © 2010 IDG Communications, Inc.
