Attributed to: Matthew Bennett, Vice President and Managing Director, Asia Pacific and Japan, Carbon Black
The recent findings on hardware implants and supply-chain compromise are troubling and should be seen as an opportunity to assess our current threat model and security approach. In truth, we’re not all Apple or Amazon. The impacts and risks of supply-chain compromise are very different depending on the type of target our organization represents.
Hardware supply-chain compromises have the potential for a lot of “drive-by” collateral damage. Even if an organization is not the ultimate target, like the one described in the press, there is a chance that adversaries could acquire critical components.
You may think, “This would never happen to me”, but this is something we should all consider in our daily electronics use. Do you know where all of the hardware components in your data centre are sourced? Where do automation systems powering IoT devices, such as refrigeration and home security cameras, come from? This is a very real problem in our globalized and interconnected economy.
There are a number of incremental improvements we could make in our industry. The first and biggest would be the curation and publishing of a “Google for hardware” – a database where consumers can plug in their hardware/software serial numbers and see where every component was manufactured.
Supplier diversification in hardware is also a mitigating control that organizations should consider, not just for security but for many other reasons as well (contract leverage, insulation from shortages or disasters, etc.). If your server hardware, storage, network gear, OSes, hypervisors, and other software (think POS or industrial controls) all come from one vendor, the impact of a supply-chain compromise is much higher to your ecosystem. While single-vendor solutions have advantages, they are also single points of failure.
This is another reminder that the security problem is a multi-dimensional, ever-changing game of cat and mouse. Determined adversaries with resources and creativity will always find a vulnerability. As defenders, we need to continue taking these eye-opening opportunities to think outside the box and find new ways to gain visibility and data about what is really going on.