The global technology supply chain has never been so immense and complex – or so vulnerable. As IoT and connected devices become increasingly sophisticated and ubiquitous around the world, cyber attackers are, unfortunately, keeping pace and finding new ways to infiltrate and attack our critical infrastructures. As we now find ourselves in the midst of a new trade war, it is particularly important that we turn our attention to cybersecurity and how we can deploy new solutions to safeguard our many connected devices as they travel through the supply chain.
Certainly, the vulnerability of the global technology supply chain has already caught the attention of government leaders who are concerned with issues of national security. But considering how pervasive connected devices have become in our society, it is not just the government who needs to worry about cybersecurity, but manufacturers who build and distribute connected devices every day and sit at the root of the larger supply chain.
Consider the massive number of connected devices that surround you on a regular basis. From smartphones to smart meters to growing smart city and connected car initiatives, Gartner estimates that there will be over 20 billion IoT devices deployed globally by 2020. And an alarming number of these chips and hardware components are manufactured overseas in China or other Asian countries. While advantageous in some respects, this long-distance workflow means Western industrial manufacturers lose a great deal of oversight and control over the path that their products take while in production. During this time, connected devices can all too easily be exposed to cyber threats and be manipulated by bad actors who are looking for an easy point of entry to infiltrate and sabotage the entire supply chain.
For sophisticated attackers, one small device is all it takes to compromise the entire chain of command – and there are many opportunities to do so. For example, an attacker could create a device that looks exactly like the genuine product produced by the manufacturer and slip it into the supply chain undetected, or a disgruntled employee who has (or simply once had) access to critical devices could seize control and infect devices across their entire lifecycle, from production line through the supply chain to field operations and even remote software updates.
One particularly chilling example involves Amazon Web Services (AWS), startup Elemental Technologies, servers from Super Micro Computer Inc., and a potential hardware attack in the supply chain. Bloomberg has shared details on the purported attack, in which manufacturing subcontractors in China allegedly infected the servers’ motherboards with a tiny microchip. Although the investigation is still underway, it is a frightening wake-up call for the cybersecurity industry to confront the notion that an overseas manufacturer could very well have compromised servers used in Department of Defense data centers, CIA drone operations, and Navy warships.
Even for companies that are not involved in manufacturing overseas, the supply chain is still ripe with opportunities to fall prey to vicious cyberattacks. Even if you have robust security measures to protect you from cyberthreats, the partners and vendors with whom you work may not be so well-armed, making every interaction between you an open door for bad actors to cross over and attack your company infrastructure. A study from Opus and Ponemon reveals that 59% of organizations have been cyber-attacked via third-party companies. The now infamous Mirai botnet attack, for instance, compromised Dyn, a provider of domain name services, ultimately affecting dozens of companies, including Airbnb, Amazon.com, CNN, GitHub, Reddit, and more.
Already, the list of reports in the last few years of highly suspect, dangerous activity in the global technology supply chain is alarmingly long. From Russia’s alleged manipulation of antivirus software used by a U.S. National Security Agency contractor in 2015 to the Chinese state-sponsored hacking group APT10’s suspected involvement in a slew of attacks on U.S. utility companies and cellular networks in August of this year, the risks for dangerous attacks in the supply chain are abundant. To try to combat these attacks and keep our devices – and society – safe from bad actors, leaders in both industry and government have made efforts to improve inspection processes within the supply chain – but these attempts may not be enough, as inspections, though they may be robust in design, are too easily evaded in practice by sophisticated, persistent attackers.
Instead, in order to truly safeguard IoT and connected devices as they travel through our ever-growing and increasingly complex supply chain, we must turn to a solution that can provide both monitoring and management. This new solution, called the flash-to-cloud approach, moves the root of trust out of the controller operating system (OS) and into the flash memory to effectively block code modifications made while the device is in the supply chain. By moving the control of the device to a trusted entity on the company’s premises or cloud, this approach creates a secure channel from the cloud to the flash memory of the device, making it impossible for attackers to alter the firmware with any malicious code. Moreover, because this approach moves control from the processor to the flash, it is both processor- and operating system-agnostic and, thus, requires no additional cost or resources for the processor, enabling manufacturers to achieve ironclad security with both low power usage and low-cost processors. The expanding global technology supply chain requires a cybersecurity solution that can withstand external and internal attacks, and the flash-to-cloud solution is an approach that should be considered.
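As an added illustration (not code from the article or from any vendor), the Python model below sketches how a flash part could gate firmware writes on authorisation from a trusted server and report its contents back for monitoring. The article does not specify a protocol, so the HMAC-SHA256 tags, the per-device key held inside the flash, the monotonic update counter and all names here are assumptions.

```python
import hashlib
import hmac
import struct

def _mac(key: bytes, label: bytes, *parts: bytes) -> bytes:
    # Length-prefix every field so different field splits never collide.
    msg = b"".join(struct.pack(">I", len(p)) + p for p in (label, *parts))
    return hmac.new(key, msg, hashlib.sha256).digest()

def update_tag(key: bytes, counter: int, image: bytes) -> bytes:
    """Management: the trusted server authorises one image at one counter."""
    return _mac(key, b"update", struct.pack(">Q", counter), image)

def cloud_verify_report(key, nonce, expected_image, report) -> bool:
    """Monitoring: confirm the flash holds the image the server expects."""
    digest = hashlib.sha256(expected_image).digest()
    return hmac.compare_digest(_mac(key, b"attest", nonce, digest), report)

class GatedFlash:
    """Flash that enforces write policy itself; no unauthenticated write path."""
    def __init__(self, key: bytes, image: bytes):
        self._key = key        # assumption: provisioned inside the flash part
        self._counter = 0      # counter of the last accepted update
        self.image = image

    def apply_update(self, counter: int, image: bytes, tag: bytes) -> bool:
        expected = update_tag(self._key, counter, image)
        if not hmac.compare_digest(expected, tag):
            return False       # altered image or wrong key
        if counter <= self._counter:
            return False       # replay or rollback to an older update
        self._counter, self.image = counter, image
        return True

    def attest(self, nonce: bytes) -> bytes:
        digest = hashlib.sha256(self.image).digest()
        return _mac(self._key, b"attest", nonce, digest)

def demo() -> dict:
    key = bytes(range(32))     # constructed sample key
    flash = GatedFlash(key, b"firmware-v1")
    tag = update_tag(key, 1, b"firmware-v2")
    return {
        "tampered": flash.apply_update(1, b"firmware-v2+implant", tag),
        "genuine": flash.apply_update(1, b"firmware-v2", tag),
        "replay": flash.apply_update(1, b"firmware-v2", tag),
        "report_ok": cloud_verify_report(key, b"n1", b"firmware-v2", flash.attest(b"n1")),
    }
```

Because the check runs in the flash model rather than in host code, the outcome does not depend on the state of the processor or its OS, which is the property the flash-to-cloud description relies on.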