Presented by Intel
How do you know that the critical parts inside your servers and devices are not poor quality, ready to fail at a crucial moment? Or, worse, hide malware with nefarious intentions like key-stroke logging, data theft, or sabotage?
Outside of leading-edge advances like Intel® Transparent Supply Chain protecting globally linked sellers, buyers, and partners from these kind of threats is difficult. Leaders like GE are embracing new risk management approaches that provide component level traceability and authentication.
Yet many enterprises and vendors remain poorly prepared to prevent or detect growing supply chain cyber-risks. They cannot easily spot compromised parts or breaches that expose their organizations and partners to data loss and widespread disruption.
From not good to worse
Two years ago, Steve Durbin, Managing Director of the Information Security Forum (ISF), warned: “When I look for key areas where information security may be lacking, one place I always come back to is the supply chain.” A widely cited study found 16% of companies purchased counterfeit IT equipment.
Since then, things have gotten worse. A recent global survey of 1,300 companies found 90% were “unprepared” for supply chain cyber-attacks
False alarm or wake-up call?
So it’s no surprise that widespread anxiety followed a sensational report in late 2018 claiming China had hidden tiny spy chips on servers shipped to major companies.
The allegations were quickly denied and eventually debunked. But the incident raised troubling questions: “A lot of people asked: ‘What if that could happen?’” says Charlie Stark, an Intel Supply Chain specialist and engineer.
It’s a critical concern, and not just for industry manufacturers and procurement pros. Supply chains are lifelines for tech sellers and buyers alike. Over the last few years, they’ve increasingly become a battlefield, under incessant attack by nations and criminals. A small but tellingly grim sign of popularity: Presentations on hacking supply chains at Black Hat and Defcon.
Whether you are a technology buyer, seller, manufacturer, investor, or security professional, here are five reasons why supply chain cybersecurity belongs on your radar and action list.
1. Supply chain hacks are growing
Experts says threats are both skyrocketing and under-reported. They now make up as much as 50% of all cyberattacks, according to industry estimates, spiking 78% last year-over-year. As many as two-thirds of companies have experienced an incident. Average cost: $1.1 million. A 2018 study by the Ponemon Institute found 56% of organizations suffered a breach caused by one of their vendors. Federal watchdogs report widespread counterfeiting of ICs and other electronic parts in the DoD supply chain.
Several forces are feeding this troubling growth. Cloudification of supply chains, IoT, globalization, and shifts to vast, interlinked digital ecosystems are major factors. Geopolitics is another. Organized crime also is eager to exploit weak supply chain links. “Hack once-exploit many” is a lucrative business model, with low cost and high ROI, according to researcher Cybereason.
2. Everybody is seeking solutions
Predictably, public and private sector voices are raising alarms. Recent reports by Accenture and BSI, for example, identify supply chain cybersecurity as a top challenge. A leading public-private coalition recently called for rapid and rigorous cooperation on the issue. The most influential of these partnerships, the ICT Supply Chain Risk Management Task Force, includes more than 50 government bodies and businesses, led by the Department of Homeland Security.
The National Institute for Standards and Technology (NIST) issued new guidelines for supply chain risk management. So great is the concern that the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has proclaimed a “National Supply Chain Integrity Month.” A major agency task force report issued in September outlined key threat scenarios, recommendations, and baselines.
3. Hack once, hurt many
Supply chain attacks are actually two kinds of threats. The first seeks to disrupt or cripple actual supply chains. Think of nation-state assaults on key infrastructure or energy systems.
But others use supply chains as a channel to attack dozens, hundreds, or potentially thousands of connected partners. By finding and exploiting weak links, attackers can hop between linked entities, stealing data, and spying or destroying as they go. This is what makes the attacks so dangerous — and attractive for hackers.
4. Hardware is a new target
Kingslayer, CloudHopper, CCleaner, ShadowPad, ShadowHammer, Black Ghost Knifefish, Heriplor. All these recent attacks on supply chains used or targeted software. Now, hackers have upped the ante. Thwarted by better software protection, they’re targeting hardware. Such nefarious burrowing into the hardware stack — down to firmware and BIOS and UEFI — is a big threat in any environment. But it is magnified many-fold in a supply chain.
5. Damage can be widespread
Harm from supply chain breaches is insidious. It sows doubt about product reliability and security. As the figure below shows, there’s a spectrum of potential harm in manufacturing, with supply chain attacks at the apex.
The U.S. Cybersecurity and Infrastructure Security Agency warns of supply risks at every stage: Design, development and production, distribution, acquisition and deployment, maintenance, and disposal.
Similarly, breaches cause a range of organizational harm, including damaged reputations, non-compliance, and lost business.
Tech and electronics are favorite targets, as are defense, financial services, and energy, but no industry is immune. The 2019 Global Threat Report found more than half of cyberattacks now leverage what it calls “island hopping.” That means attackers aren’t targeting just one organization. “Attackers… don’t just want to rob you and those along your supply chain,” authors warned. “[They] want to ‘own’ your entire system.”
Source: Global Threat Report
The importance of ecosystem protections
All these factors combine into a grim reality: Supply chain threats are bad — and likely to worsen.
There’s widespread agreement: organizations must be proactive in developing information-driven cyber-defense of supply chains. But what’s the most effective approach? For many buyers and sellers, it’s participation in a certified eco-system.
“Companies should consider defining reasonable levels of security and associated controls requiring sub-contractors, vendors, and critical supply chain partners to meet or exceed those standards as part of established business agreements,” advises Chadd Carr, director of PricewaterhouseCoopers (PwC) National Cyber Threat Research Center.
Accenture makes similar recommendations: ”Organizations should routinely seek full awareness of their threat profiles and points of supply chain vulnerability. [They should] try to improve processes that guard against the cybersecurity risks inherent in the landscape of modern global business operations by integrating cyberthreat intelligence into M&As and other strategically important actions, incorporating vendor and factory testing into their processes, and implementing industry-focused regulations and risk assessment standards.”
To understand the critical key role played by ecosystem protections, and how they work, read Part 2.
Sponsored articles are content produced by a company that is either paying for the post or has a business relationship with VentureBeat, and they’re always clearly marked. Content produced by our editorial team is never influenced by advertisers or sponsors in any way. For more information, contact firstname.lastname@example.org.