Supply Chain Assessment: 4 Important Considerations
How can we be assured that our electronics and phones and stuff haven’t had “extra things” added to them before being sold to us? Is our data safe when using some apps? Practicing good Supply Chain Assessment can prevent these scenarios
One aspect of cybersecurity is being aware of the products and hardware we use for our network infrastructure at our homes and businesses. This also means that we need to take into consideration all of the parts that go into each product.
Supply chain assessment enables us to create a more secure working space in an unsecure environment by mitigating the risks of the supply chain.
An organization must ensure that the operation of every element (hardware, firmware, driver, OS, and application) is consistent and tamper resistant to establish a trusted computing environment… also an organization’s risk appetite plays a role.
Let’s go over 4 important considerations that can help us buy secure electronics.
1. Due Diligence
A legal principle identifying a subject has used best practice or reasonable care when setting up, configuring, and maintaining a system
- properly resourced cybersecurity program
- security assurance and risk management processes — this provides assurances that a vendor is a valid organization, and that they themselves have processes for conducting due diligence on the supply chain
- product support life cycle —for example, if you buy Microsoft Windows, you know they provide patches and support for their OS product
- security controls for confidential data —for example, if you plan to give a SaaS company access to your data you deserve to know if they have the proper security measures in place to ensure data confidentiality
- incident response and forensics assistance — ask yourself, will a vendor, or any other type of 3rd party, be there to help if an attack does occur?
- general and historical company information — this means considering a manufacturers track record and a company’s financials and so on
Due diligence should apply to all suppliers, but also contractors. Furthermore, this must be applied to vendors and contractors who are friends or family members. They might not intentionally harm you or your organization but they may be unaware of their own vulnerabilities, which can affect you.
2. Trusted Foundry
Conceptually, this can refer to a microprocessor manufacturing utility that is part of a validated supply chain (one where hardware and software do not deviate from their documented function).
However the US government runs their own program that deals with this. According to the DMEA, which is the program manager for the DoD Trusted Foundry program, a “trusted source” will:
- Provide an assured “Chain of Custody” for both classified and unclassified integrated circuits
- Ensure that there will not be any reasonable threats related to disruption in supply
- Prevent intentional or unintentional modification or tampering of the integrated circuits
- Protect the integrated circuits from unauthorized attempts at reverse engineering, exposure of functionality or evaluation of their possible vulnerabilities
The DoD created this program to secure the manufacturing infrastructure for information technology vendors providing hardware to the military. This is due to their need to ensure that technology used for fighter jets and missiles and such are reliable and secure.
3. Hardware Source Authenticity
Regular folk like us don’t need go as far as following the trusted foundry program, but never a bad idea. However, incorporating hardware source authenticity practices can also keep you secure.
This is the process of ensuring that hardware is procured tamper-free from trustworthy suppliers. There’s greater risk of inadvertently obtaining counterfeited or compromised devices when purchasing from second-hand or aftermarket sources.
Basically, anytime new hardware is purchased it is safest to buy it as close to the source as possible to minimize the chance of tampering.
4. Root of Trust
I’ll reference the NIST because they provide a pretty good definition for this somewhat abstract concept:
Stronger security assurances may be possible by grounding security mechanisms in roots of trust. Roots of trust are highly reliable hardware, firmware, and software components that perform specific, critical security functions. Because roots of trust are inherently trusted, they must be secure by design. As such, many roots of trust are implemented in hardware so that malware cannot tamper with the functions they provide. Roots of trust provide a firm foundation from which to build security and trust.
The sections below describe some common variations of implementation.
Hardware Root of Trust (ROT)
A cryptographic module embedded within a computer system that can endorse trusted execution and attest to boot settings and metrics.
A hardware root of trust is used to scan the boot metrics and OS files to verify their signatures, which we can then use to sign a digital report.
Trusted Platform Module (TPM)
A specification for hardware-based storage of digital certificates, keys, hashed passwords, and other user and platform identification information.
TPM can be managed in Windows via the
tpm.msc console or through group policy.
Access this by opening Windows Command Prompt and typing:
Hardware Security Module (HSM)
This is an appliance for generating and storing cryptographic keys that is less susceptible to tampering and insider threats than software-based storage
Many types of these are available and they come in many different ways for example, they can be installed as an internal card, a rack mounted system and even more.
The advantage to these systems is that they are automated so the keys cannot be compromised by human involvement.
Methods that make it difficult for an attacker to alter the authorized execution of software.
A non-technical example of this would be like the sealed caps on a beverage, or checking your Halloween candy before eating it.
When applied to technology, anti-tamper mechanisms include a field programmable gate array (FPGA) and a physically unclonable function (PUF). These mechanisms can detect tampering and then wipe the data to ensure the infiltrator can’t access it.
Thanks for reading
If you’ve been mildly entertained, consider following me on Medium.