Connecting tracks and microchips showing supply chain attacks

Securing Supply Chains Against the Threat of Attacks

It is clear to see that supply chain attacks are on the rise. Recent research shows that the US saw a rise of 42% in the first quarter of 2021 alone, and supply chain attacks could increase by four-fold in the remainder of the year. The changing nature of cyber-attacks require ever-evolving solutions to combat them, but we must first identify why supply chain attacks are becoming so prevalent, and how they cause such widespread devastation.  Only then can we identify and implement solutions that secure the supply chain.

An efficient means of attack

A supply chain attack means that someone has infiltrated a manufacturing system, typically through tampering with a physical component in the chain, or during the distribution of a software component. This means any organisation which produces software or hardware for secondary organisations is at risk. Each step in the supply chain offers a new opportunity for attackers to infiltrate, meaning one weak link can endanger the rest of the chain. In other words, the more steps that are present in a supply chain, the more opportunities exist for attackers to damage and disrupt. The size and complexity of many large-scale operations means larger companies do not always have a clear map of the entire chain, allowing opportunity and anonymity for potential attackers.

By infecting or damaging legitimate applications, malware or malicious codes are then distributed throughout the rest of the chain with the same trust and permissions as the original application. This provides hackers with a veil of security, and their malware is able to be distributed far and wide without detection. When an end user purchases a piece of software or hardware directly from a third-party vendor, they have no reason to believe it is anything but legitimate, when in actuality, the malpractice may have occurred much earlier in the lifecycle of the product.

For hackers, supply chain attacks are an efficient way of harming a multitude of organisations from one single entry point. With one carefully placed attack to a specific point in the supply chain, they can impact every organisation that purchases hardware or software from that point onwards. Metaphorically speaking, it is like poisoning the water supply at source, rather than each individual drink.

Why are attacks so devastating?

Not only are there multiple entrance opportunities for attackers, but the information available to them is more sensitive than ever. In a world where we are using increased amounts of Internet of Things (IoT) infrastructure for health, financial, and military data, a breach in security could be disastrous.

An example of a sophisticated supply chain attacker is the cyber espionage group ‘Dragonfly’, who has targeted energy companies across Europe and North America in recent years. Operating since 2011, the group have become known to target companies via their supply chains, first gaining access to legitimate industrial control system (ICS) software, then replacing files with their own infected versions. Essentially, they use legitimate files as Trojan Horses for their own malware, allowing malicious codes to go unidentified. Once downloaded or obtained by users, the malware may contain remote access functionalities, giving the hackers some control over the system it has been installed on.

In the first half of 2021, Shell launched an investigation into a supply chain attack which impacted organisations including Shell itself, the Reserve Bank of New Zealand, Bombardier, and Kroger. Hackers were able to gain access to files owned by these organisations and their stakeholders, through one targeted breach of IT provider Accellion’s File Transfer Appliance. It does not matter how sophisticated the security measures of the end user are. If a manufacturer in your supply chain has a weakness, you are automatically at risk.

The same principle applies for hardware and IoT devices. If attackers are able to identify a weakness in the supply chain and tamper with the physical components of a device, compromised hardware is distributed to the vendor, and eventually to all of its end users without detection. Although these attacks are more rare, due to the need to physically handle components, the risks are not to be underestimated.

Detecting malware at the point of attack

Until recently, preventing supply chain attacks has been a major industry challenge, with no definitive way to determine the security status of multiple endpoints within a network. The latest Firmware Integrity Measurement (FIM) specification, released this year by Trusted Computing Group, provides a framework to establish the integrity baseline of the firmware running on a device at the manufacturing stage. It offers a process for baseline measurement that allows for security result comparisons throughout its lifecycle. In other words, at any point in a products’ lifecycle, the user or manufacturer can determine the integrity of a device. This is indispensable for large production chains, where a complete map of the components’ journeys may be tricky to obtain.

By comparing the integrity of firmware to manufacturer endorsements, users can identify what should be running on the device, and therefore know whether it has been tampered with. This is a significant advancement in the security of supply chains, since it disrupts one of the main assumptions of supply chain attackers – that their malware is undetectable as it travels through the supply chain. Whether you are a secondary manufacturer, or the end user of a device, it is now possible to verify the integrity of devices and networks within enterprise systems.

Not only can end users gain another level of assurance in their devices, but by testing products throughout the chain, access points for attackers can be identified and strengthened. This way, compromised devices are not only identified to minimise fallout, but potential future attacks can be mitigated.

To address supply chain attacks, the latest Firmware Integrity Measurement (FIM) specification provides a framework to establish the integrity baseline of the firmware running on a device at the manufacturing stage. #cybersecurity #respectdataClick to Tweet

Securing the future of supply chains

By identifying an infiltration at the point of attack, manufacturers can prevent malware being passed further through the supply chain. As a result, compromised hardware and software does not continue its journey into the hands of end users, where the impacts of such attacks may be devastating. By establishing the integrity of hardware and software at each point in the supply chain, points which are vulnerable to attack are identified, and the chance for hackers to remain undetected is significantly mitigated.

 

Chair of PC Client work group at Trusted Computing Group