Authored By: Gail Ow, Senior Industrial Solutions Manager, Keysight Technologies
Supply chain describes the entire process of producing and delivering a product. One could argue that the supply chain determines the success or failure of a company and its products: the better the supply chain is managed, the better the outcome for both consumer and producer in terms of cost, quality, delivery, safety, customer satisfaction, and revenue.
Hardware and Firmware Supply Chain
The supply chain is an easy concept to grasp in today’s global economy. We understand, for example, that the components built into the laptop I’m typing on are manufactured all around the world. Not just the obvious ones, like metal enclosures and keyboard caps, but all of them. Tampering with hardware components somewhere along the manufacturing process is not unheard of. But it’s not the keyboard caps that attackers care about. It’s the firmware that controls devices like webcams, trackpads, hard drives, and network interface cards, firmware that has repeatedly been shown to be modifiable, that they go after.
Firmware is the software program that has been ‘etched’ into the hardware; it’s what makes the device function. Unfortunately, ‘etched’ is not as permanent as it used to be. Modern firmware lives in rewritable flash memory rather than true read-only memory, so it can be erased, infected with malware, and rewritten. From an attacker’s point of view, the beauty of a firmware implant is that it is hard to detect with the operating system’s own tools, it survives reinstalling the operating system or swapping the disk, and it is cumbersome to remove (often a return to the manufacturer for repair). It runs beneath the operating system with near-total control and almost no visibility. And a compromise introduced into the manufacturer’s firmware build or update pipeline reaches not just one device, but every device shipped with that image. Hacked, and you didn’t even know it!
And if firmware is hackable, how much more vulnerable are all those fun free apps that make life interesting? More importantly, in the industrial control systems/operational technologies (ICS/OT) world, how carefully managed is the software supply chain of your PLC, your HMI, and your SCADA?
Software Supply Chain
As a Product Manager, I worked with Engineering to build products that solved real-world problems customers would pay for, so I understand the need for a carefully managed hardware/firmware supply chain. While the supply chain is an easy concept in the hardware world, I didn’t think much about the software supply chain until I watched my college-aged son download clever new font modules to his computer. What we don’t often think about is that coders around the world make extensive use of shared libraries and modules, and every one of those is a supplier. The supply chain concept therefore applies to software too, which in the grand scheme of things is a relatively new way of thinking. New, that is, until NOBELIUM, a Russia-based hacking group best known for the SolarWinds attack disclosed in December 2020, in which a tampered build of SolarWinds’ Orion software reached customers through the vendor’s own update channel.
NOBELIUM has in fact targeted over 150 organisations worldwide, including government agencies, think tanks, consultants, and non-governmental organisations across at least 25 countries. Then came the ransomware attack that shut down the Colonial Pipeline for the better part of a week, cut off a pipeline carrying roughly 45% of the U.S. East Coast’s fuel, created panic at the pump and drove price hikes. That intrusion came through a compromised VPN account rather than a tainted software update, but together with SolarWinds it brought the security of critical infrastructure and its suppliers to the forefront. Gas shortages ensued for weeks as the pipeline operator shut down all systems to contain the effects of the ransomware, and it ultimately paid the US$4.4 million ransom to regain control of and access to its network and data.
Supply Chain Security and What it Means to Critical Infrastructure
In response to the recent and ongoing attacks on U.S. critical infrastructure, President Biden signed the National Security Memorandum on Improving Cybersecurity for Critical Infrastructure Control Systems (‘NSM’) on July 28, 2021. It was light on details, but more information was promised.
On August 25th, 2021, the U.S. National Institute of Standards and Technology (NIST) announced that it would lead the creation of a new framework to improve the security and integrity of the technology supply chain.
Technology Supply Chain
The focus of the NIST announcement is the technology supply chain as it applies to critical infrastructure. Devices that used to be driven by physical mechanisms, such as pneumatics or electro-mechanical controls, have been transformed into improved, digital, internet-connected and, ahem, now hackable devices. Securing their supply chain is of paramount importance.
It is important to note that attackers have also noticed how internet-connected factories and critical infrastructure have become. They’ve settled into their newfound reach in the ICS/OT world and are unrelenting in their attempts to break into everything ICS/OT, with critical infrastructure of particular interest. Beyond extorting money from unwitting victims, a foothold there gives them the ability to poison communities, stop oil production, cause physical destruction, make headline news, and damage the economic health of entire countries, in addition to the millions of dollars they extort in the process.
Hacking the ICS/OT environment lets attackers turn the victim’s own plant into a weapon of mass destruction, especially when the victim sits in one of the 16 critical infrastructure sectors.
Reducing Technology Supply Chain Risk is for Everyone
So this is serious. How do we secure the technology supply chain? The sweet spot for reducing risk in the near term is a Hardware, Software and Firmware Bill of Materials that tells you what’s inside, so that you can check. With it, we can see whether the manufacturer gave us exactly what we expected, and then check that what is declared is what we actually have. Based on what’s in there, we can decide where to put the device from an architecture perspective, how isolated it has to be, how to manage it, and how to do incident response. But because the threat to the technology supply chain is ongoing, nobody is excused. Everybody needs to come together: manufacturers, critical infrastructure operators, and consumers all have an active role to play in making our world a safer place.
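To make the "check that what is declared is what we have" step concrete, here is an added example that is not part of the original article or of any Keysight tooling. It assumes a vendor ships a CycloneDX-style bill of materials whose components carry SHA-256 hashes, and that the receiving side can read each component image off the device or out of the update package. The component names, versions and image bytes are constructed for the example; the comparison logic is general and classifies every component as verified, mismatched, missing or unexpected, which is the information you need before deciding where the device goes and how isolated it must be.

```python
"""Verify a delivered firmware/software bundle against the vendor's bill of materials.

Added example, not from the article. Assumptions: the vendor's BOM is a
CycloneDX-style document with SHA-256 hashes per component, and we can obtain
the bytes of each component as delivered.
"""
import hashlib
import json


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_sbom(components: dict) -> dict:
    """Produce a minimal CycloneDX-like SBOM from {name: (version, image_bytes)}.

    In practice the vendor generates this at build time and signs it; here it is
    generated from constructed sample images so the example runs offline.
    """
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.4",
        "components": [
            {
                "type": "firmware",
                "name": name,
                "version": version,
                "hashes": [{"alg": "SHA-256", "content": sha256_hex(image)}],
            }
            for name, (version, image) in components.items()
        ],
    }


def verify_against_sbom(sbom: dict, observed: dict) -> dict:
    """Compare observed component images {name: bytes} with the SBOM.

    Returns four lists: verified (hash matches), mismatched (hash differs or no
    hash was declared), missing (declared but not present) and unexpected
    (present but never declared). Anything outside "verified" is a deviation.
    """
    declared = {}
    for comp in sbom["components"]:
        hashes = {h["alg"]: h["content"].lower() for h in comp.get("hashes", [])}
        declared[comp["name"]] = (comp.get("version"), hashes.get("SHA-256"))

    report = {"verified": [], "mismatched": [], "missing": [], "unexpected": []}
    for name, (version, expected) in declared.items():
        if name not in observed:
            report["missing"].append(name)
            continue
        actual = sha256_hex(observed[name])
        if expected is None or actual != expected:
            report["mismatched"].append(
                {"name": name, "version": version, "expected": expected, "actual": actual}
            )
        else:
            report["verified"].append(name)
    for name in observed:
        if name not in declared:
            report["unexpected"].append(name)
    return report


def accepted(report: dict) -> bool:
    """Deployment gate: only a bundle with no deviations is placed on the network unisolated."""
    return not (report["mismatched"] or report["missing"] or report["unexpected"])


# Constructed sample: what the vendor built and declared in its BOM.
VENDOR_BUILD = {
    "bootloader": ("1.2.0", b"BOOT:vendor-signed-image-v1.2.0"),
    "plc-runtime": ("4.7.1", b"RT:control-loop-runtime-v4.7.1"),
    "nic-firmware": ("0.9.3", b"NIC:phy-and-mac-firmware-v0.9.3"),
}
VENDOR_SBOM = build_sbom(VENDOR_BUILD)

# Constructed sample: what was actually read off the delivered device.
# The bootloader is as declared, the NIC image differs (tampered or simply a
# different build), the runtime image is absent, and an undeclared diagnostic
# agent is present.
RECEIVED_DEVICE = {
    "bootloader": b"BOOT:vendor-signed-image-v1.2.0",
    "nic-firmware": b"NIC:phy-and-mac-firmware-v0.9.4",
    "diag-agent": b"DIAG:unlisted-component",
}


def demo() -> dict:
    return verify_against_sbom(VENDOR_SBOM, RECEIVED_DEVICE)


if __name__ == "__main__":
    result = demo()
    print(json.dumps(result, indent=2))
    print("accepted:", accepted(result))
```

Two caveats a practitioner will want: the hashes only prove that the delivery is consistent with the BOM, so the BOM itself has to be signed by the vendor and that signature checked before the comparison means anything; and a "verified" result says nothing about whether the declared components are free of known flaws, which is the separate step of matching the BOM's component names and versions against vulnerability advisories.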