• United States



Contributing Writer

Dell Warns of Malicious Code on Server Motherboards

Jul 22, 20102 mins
Cisco SystemsData and Information Security

An example of cyber supply chain risk management

A recent Network World article stated that Dell is warning customers that a small number of PowerEdge server motherboards sent out through service dispatches may contain malware.Here is a link to the article in question: is doing the right thing by alerting potentially impacted customers but questions remain:1. How did the malware get there?2. Were the motherboards assembled in a certain place or by a specific manufacturer?3. What processes does Dell (and other server vendors) have in place to ensure that this doesn’t happen?I could go on and on.To me, the Dell incident demonstrates an important but relatively unknown concept called cyber supply chain assurance. Servers, software, and other IT equipment is made up of millions of lines of code, a potpourri of components, and hundreds or even thousands of specialized electronic gear. If any one of these elements is compromised, the whole enchilada could be a ticking time bomb. Malware on a server motherboard is just the beginning. A bit of a tangent: Back in 2004, the U.S. federal government issued a report stating that only 21% of semiconductor manufacturing remained in the United States while the bulk of capacity was migrating to China. This caused great concern in the Dept. of Defense as most our weapons systems, communications, and logistics all depend upon IT. This led to the creation of the Trusted Foundry program, a DOD/industry initiative to ensure microprocessor domestic microprocessor design and manufacturing capabilities. I bring up this example to illustrate a point. DOD realized that it was dependent upon technology and thus vulnerable to a breach of the cyber supply chain. Outside of the defense community however, cyber supply chain risk management is nearly invisible. While the Dell incident is minor and seems contained, it is a further warning about the risk we all face. Let’s hope it wakes up some security professionals outside of the Pentagon.

Contributing Writer

Jon Oltsik is a distinguished analyst, fellow, and the founder of the ESG’s cybersecurity service. With over 35 years of technology industry experience, Jon is widely recognized as an expert in all aspects of cybersecurity and is often called upon to help customers understand a CISO's perspective and strategies. Jon focuses on areas such as cyber-risk management, security operations, and all things related to CISOs.

More from this author