There’s an old security adage: a chain is only as strong as its weakest link. The sentiment long predates Information and Communications Technology (ICT), but it’s never been more relevant. With modern ICT connecting millions of systems worldwide, there are exponentially more “links” to worry about. That’s especially true when we shift our focus from defending against external threats, which organizations have gotten pretty good at, to those originating inside an organization’s sphere of trust. Here, we have work to do — starting with the ICT supply chain itself.
Today’s supply chains are a modern marvel. Vast webs of suppliers, manufacturers, integrators, shipping carriers, and others allow vendors to build ICT products more cost-effectively and to quickly deliver them to customers anywhere. But modern supply chains also increase the number of parties with access to those products — and the number of potential weak links that cybercriminals could seek to exploit. By targeting an organization’s hardware or software supply chain, hackers can compromise an ICT product before it’s even deployed. And, since that product is coming from a supplier the target implicitly trusts, the compromise may go undetected until it’s too late.
It’s no wonder that ICT supply chains have become a highly attractive attack vector for cybercriminals. In a 2020 Deloitte brief, 40% of manufacturers reported being affected by a security incident in the past year. A study of recent supply chain attacks by the European Union Agency for Cybersecurity found that, in 66% of incidents, attackers focused on suppliers’ code in order to compromise targeted customers.
Why are ICT supply chain attacks so dangerous, and what can organizations do to protect against them? Let’s take a closer look.
A growing threat
The National Counterintelligence and Security Center (NCSC) defines supply chain cyberattacks as “using cyber means to target one or more of the resources, processes, developers, or services of a supply chain,” with the goal of gaining access to the underlying system for malicious purposes. NCSC identifies three broad types of supply chain cyberattacks:
- Software-enabled attacks: These exploit software vulnerabilities to disrupt systems or open backdoors for remote access and control. For example, in 2021, attackers exploited a vulnerability in the open-source logging utility Log4j, which many vendors had incorporated into their software products. Any organization using such software could be targeted for attack.
- Hardware-enabled attacks: Attackers may seek to compromise the hardware or firmware of ICT devices — routers, switches, servers, or workstations — at some point in the supply chain. Hardware backdoors can be especially difficult to detect.
- Software supply chain attacks: Here, attackers infiltrate a software vendor to inject malicious code into its products. When customers download the software package (often via automatic updates), it infects their systems with malware. The infamous SolarWinds hack of 2020 attacked a widely used network management product this way, allowing state-backed hackers to compromise dozens of U.S. federal agencies and enterprises.
If successful, any of these attacks can wreak havoc on an organization. And since so many parties participate in modern supply chains, the threats grow quickly. To protect against Log4j, for example, organizations can’t simply avoid using that utility in their own systems and products. They have to make sure that every single supplier they work with does too.
Defending supply chains with Zero Trust
If securing a supply chain seems like a big, complicated job, it is — especially when many organizations still implicitly trust their suppliers. Indeed, it’s that implicit trust that makes supply chains such an attractive attack vector for hackers. In our increasingly interconnected world, every organization should consider adopting Zero Trust as the core principle (“never trust by default, always verify”) for improving their security posture. Verification is key. And ICT customers need to demand that vendors provide easy mechanisms to verify the end-to-end authenticity, integrity, and confidentiality of their products.
- Authenticity: Organizations should be able to verify that the ICT hardware they buy is authentic — that they haven’t been shipped a counterfeit product of poor quality or received a product infected with malware. One way to do this is via the Trusted Platform Module (TPM) 2.0 standard. TPM provides a “hardware root of trust” capability at the processor level, allowing vendors to create unique, cryptographically bound device IDs for their products. These function like birth certificates attesting to the authenticity of every device, and they can’t be removed or modified.
- Integrity: Even if an organization verifies a device’s authenticity, how do they know that no one installed malware on it while it sat in a warehouse somewhere, or modified its firmware? How can they confirm that hackers haven’t added a secret backdoor to a vendor’s pending software update? Much like police evidence collected after a crime, there needs to be a continuous chain of custody throughout a product’s lifecycle. Vendors should use certificate frameworks to attest to software integrity at every point where a product changes hands, and secure boot capabilities to verify that device firmware hasn’t been tampered with.
- Confidentiality: It’s easy to understand why hackers would want to access a hard drive full of customer records. But system and configuration data in other ICT equipment, like routers and switches, can be just as sensitive, potentially providing a roadmap for future attacks. Vendors should use native file encryption to protect data at rest on their products, and MACsec or IPsec encryption to protect data in motion.
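The integrity point above (a signed attestation at each hand-off, checked by the receiver rather than taken on trust) is easier to see in code. The following is an added example, not code from the original post or from any vendor it mentions. It assumes a vendor that signs a release manifest (file paths and SHA-256 digests) with an Ed25519 key and a customer who holds the vendor's public key; the product name, file names and contents are constructed sample data.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
)

// Manifest is the vendor's signed statement of what a release contains:
// every file path and its SHA-256 digest. Signing the manifest, rather than
// each file separately, gives one attestation that covers the whole package.
type Manifest struct {
	Product string            `json:"product"`
	Version string            `json:"version"`
	Files   map[string]string `json:"files"` // path -> hex-encoded SHA-256
}

// sha256Hex returns the hex-encoded SHA-256 digest of b.
func sha256Hex(b []byte) string {
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

// canonical produces the exact bytes that are signed and later verified.
// encoding/json emits struct fields in declaration order and sorts map keys,
// so the same Manifest always encodes to the same bytes.
func canonical(m Manifest) ([]byte, error) {
	return json.Marshal(m)
}

// GenerateVendorKey creates the vendor's Ed25519 signing key pair. In a real
// deployment the private key would live in an HSM or TPM; here it is in memory.
func GenerateVendorKey() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// BuildManifest hashes each artifact of a release into a Manifest.
func BuildManifest(product, version string, files map[string][]byte) Manifest {
	m := Manifest{Product: product, Version: version, Files: make(map[string]string, len(files))}
	for path, data := range files {
		m.Files[path] = sha256Hex(data)
	}
	return m
}

// SignManifest produces the vendor's signature over the canonical manifest.
func SignManifest(priv ed25519.PrivateKey, m Manifest) ([]byte, error) {
	msg, err := canonical(m)
	if err != nil {
		return nil, err
	}
	return ed25519.Sign(priv, msg), nil
}

// VerifyRelease is the customer-side check: the manifest must carry a valid
// signature from the trusted vendor key, and the delivered files must match it
// exactly. A modified file, a missing file, an extra file, or an edited
// manifest all cause rejection.
func VerifyRelease(pub ed25519.PublicKey, m Manifest, sig []byte, files map[string][]byte) error {
	msg, err := canonical(m)
	if err != nil {
		return err
	}
	if !ed25519.Verify(pub, msg, sig) {
		return fmt.Errorf("manifest signature invalid: not signed by the trusted vendor key")
	}
	if len(files) != len(m.Files) {
		return fmt.Errorf("file count mismatch: manifest lists %d files, package has %d", len(m.Files), len(files))
	}
	for path, data := range files {
		want, ok := m.Files[path]
		if !ok {
			return fmt.Errorf("file %q is not listed in the manifest", path)
		}
		if got := sha256Hex(data); got != want {
			return fmt.Errorf("digest mismatch for %q", path)
		}
	}
	return nil
}

func main() {
	pub, priv, err := GenerateVendorKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample release; the names and contents are placeholders.
	files := map[string][]byte{
		"bin/netmgr":     []byte("example binary contents"),
		"etc/netmgr.cfg": []byte("log_level=info\n"),
	}
	m := BuildManifest("ExampleNetMgr", "1.2.3", files)
	sig, _ := SignManifest(priv, m)
	fmt.Println("clean release:", VerifyRelease(pub, m, sig, files))

	// Same manifest and signature, but one file was altered after signing.
	tampered := map[string][]byte{
		"bin/netmgr":     []byte("example binary contents plus an extra payload"),
		"etc/netmgr.cfg": []byte("log_level=info\n"),
	}
	fmt.Println("tampered release:", VerifyRelease(pub, m, sig, tampered))
}
```

The receiving party never trusts the package because of where it came from; it trusts it only because the signature checks out against a key it already holds and every artifact matches the signed digests. Repeating this check at each hand-off (vendor to distributor, distributor to customer, download to deployment) is the continuous chain of custody the integrity point calls for.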
Strengthening the chain
ICT supply chains have always been complex systems with many stakeholders, making them inherently challenging to secure. As our digital world grows more closely interconnected, the challenge — and the threat — will only grow. It’s a problem for every organization, but not one that customers can solve on their own. To protect ICT supply chains, vendors must take the lead.
By adopting a Zero Trust approach to verify the authenticity, integrity, and confidentiality of ICT products, organizations can push their vendors to adopt more secure and transparent supply chains. Together, we can build a future where we all benefit from global interconnectivity, without unacceptable risk.