There's an old security adage: a chain is only as strong as its weakest link. The sentiment long predates Information and Communications Technology (ICT), but it's never been more relevant. With modern ICT connecting millions of systems worldwide, there are exponentially more "links" to worry about. That's especially true when we shift our focus from defending against external threats, which organizations have gotten quite good at, to those originating within an organization's sphere of trust. Here, we have work to do, starting with the ICT supply chain itself.
Today's supply chains are a modern marvel. Vast webs of suppliers, manufacturers, integrators, shipping carriers, and others allow vendors to build ICT products more cost-effectively and to quickly deliver them to customers anywhere. But modern supply chains also increase the number of parties with access to those products, and the number of potential weak links that cybercriminals may seek to exploit. By targeting an organization's hardware or software supply chain, attackers can compromise an ICT product before it's even deployed. And, since that product is coming from a supplier the target implicitly trusts, the compromise may go undetected until it's too late.
It's no wonder that ICT supply chains have become a highly attractive attack vector for cybercriminals. In a 2020 Deloitte brief, 40% of manufacturers reported being affected by a security incident in the past 12 months. A study of recent supply chain attacks by the European Union Agency for Cybersecurity found that, in 66% of incidents, attackers focused on a supplier's code in order to compromise targeted customers.
Why are ICT supply chain attacks so dangerous, and what can organizations do to protect against them? Let's take a closer look.
A growing threat
The National Counterintelligence and Security Center (NCSC) defines supply chain cyberattacks as "using cyber means to target one or more of the resources, processes, developers, or services of a supply chain," with the goal of gaining access to the underlying system for malicious purposes. NCSC identifies three broad types of supply chain cyberattacks:
- Software-enabled attacks: These exploit software vulnerabilities to disrupt systems or open backdoors for remote access and control. For example, in 2021, attackers exploited a vulnerability in the open-source logging utility Log4j, which many vendors had incorporated into their software products. Any organization using such software could be targeted for attack.
- Hardware-enabled attacks: Attackers may seek to compromise the hardware or firmware of ICT devices (routers, switches, servers, or workstations) at some point in the supply chain. Hardware backdoors can be especially difficult to detect.
- Software supply chain attacks: Here, attackers infiltrate a software vendor to inject malicious code into its products. When customers receive the software package (often via automatic updates), it infects their systems with malware. The infamous SolarWinds hack of 2020 attacked a widely used network management product this way, allowing state-backed attackers to compromise dozens of U.S. federal agencies and enterprises.
If successful, any of these attacks can wreak havoc on an organization. And because so many parties participate in modern supply chains, the threats multiply quickly. To protect against Log4j, for example, organizations can't simply avoid using that utility in their own systems and products. They must make sure that every single supplier they work with does too.
Protecting supply chains with Zero Trust
If securing a supply chain seems like a big, complicated job, it is, especially when many organizations still implicitly trust their suppliers. Indeed, it's that implicit trust that makes supply chains such an attractive attack vector for attackers. In our increasingly interconnected world, every organization should consider adopting Zero Trust as the core principle ("never trust by default, always verify") for improving its security posture. Verification is key. And ICT customers need to demand that vendors provide easy mechanisms to verify the end-to-end authenticity, integrity, and confidentiality of their products.
- Authenticity: Organizations should be able to verify that the ICT hardware they buy is authentic: that they haven't been shipped a counterfeit product of poor quality, or received a product infected with malware. One way to do this is via the Trusted Platform Module (TPM) 2.0 standard. TPM provides a "hardware root of trust" capability at the processor level, allowing vendors to create unique, cryptographically bound device IDs for their products. These function like birth certificates attesting to the authenticity of each device, and they can't be removed or altered.
- Integrity: Even if an organization verifies a device's authenticity, how does it know that nobody installed malware on the device while it sat in a warehouse somewhere, or altered its firmware? How can it confirm that attackers haven't added a secret backdoor to a vendor's pending software update? Much like police evidence collected after a crime, there needs to be a continuous chain of custody throughout a product's lifecycle. Vendors should use certificate frameworks to attest to software integrity at every point where a product changes hands, and secure boot capabilities to verify that device firmware hasn't been tampered with.
- Confidentiality: It's easy to understand why attackers would want to access a hard drive full of customer records. But system and configuration data in other ICT equipment, like routers and switches, can be just as sensitive, potentially providing a roadmap for future attacks. Vendors should use native file encryption to protect data at rest on their products, and MACsec or IPsec encryption to protect data in motion.
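As an added illustration (not code from the article or from any vendor it mentions), the Go program below shows, on the customer's side, the two checks the Authenticity and Integrity bullets call for: verifying that a device's identity certificate chains to the vendor's root CA (the role a TPM-backed device ID plays; here an in-memory key stands in for the TPM-resident key), and verifying the vendor's signature on a firmware update before it is applied. The vendor name, serial number, keys and firmware image are all constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Vendor models the OEM side: a root CA for per-device identity certificates and a firmware-signing key.
type Vendor struct {
	rootKey  *ecdsa.PrivateKey
	rootCert *x509.Certificate
	fwKey    *ecdsa.PrivateKey
}

func mustKey() *ecdsa.PrivateKey { // P-256 key; entropy failure is fatal for this demo
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// template builds a short-lived certificate template; ca marks the vendor root.
func template(cn string, serial int64, ca bool, ku x509.KeyUsage) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  ca,
		BasicConstraintsValid: true,
		KeyUsage:              ku,
	}
}

// NewVendor creates a self-signed vendor root CA and a separate firmware-signing key.
func NewVendor() (*Vendor, error) {
	v := &Vendor{rootKey: mustKey(), fwKey: mustKey()}
	tmpl := template("Example Vendor Root CA", 1, true, x509.KeyUsageCertSign)
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &v.rootKey.PublicKey, v.rootKey)
	if err != nil {
		return nil, err
	}
	v.rootCert, err = x509.ParseCertificate(der)
	return v, err
}

// IssueDeviceID provisions a unit at manufacture: a key pair (standing in for the TPM-generated
// key, which on real hardware never leaves the chip) and a DER certificate binding the serial to it.
func (v *Vendor) IssueDeviceID(serial string) (*ecdsa.PrivateKey, []byte, error) {
	devKey := mustKey()
	tmpl := template(serial, time.Now().UnixNano(), false, x509.KeyUsageDigitalSignature)
	der, err := x509.CreateCertificate(rand.Reader, tmpl, v.rootCert, &devKey.PublicKey, v.rootKey)
	return devKey, der, err
}

// SignFirmware produces a detached ECDSA signature over the SHA-256 of an update image.
func (v *Vendor) SignFirmware(image []byte) ([]byte, error) {
	digest := sha256.Sum256(image)
	return ecdsa.SignASN1(rand.Reader, v.fwKey, digest[:])
}

// VerifyDeviceID is the customer-side authenticity check: chain to the vendor root and serial match.
func VerifyDeviceID(certDER []byte, root *x509.Certificate, expectedSerial string) error {
	cert, err := x509.ParseCertificate(certDER)
	if err != nil {
		return err
	}
	roots := x509.NewCertPool()
	roots.AddCert(root)
	if _, err := cert.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}); err != nil {
		return err
	}
	if cert.Subject.CommonName != expectedSerial {
		return fmt.Errorf("certificate names %q, unit is labelled %q", cert.Subject.CommonName, expectedSerial)
	}
	return nil
}

// VerifyFirmware is the customer-side integrity check to run before an update is applied.
func VerifyFirmware(image, sig []byte, fwPub *ecdsa.PublicKey) bool {
	digest := sha256.Sum256(image)
	return ecdsa.VerifyASN1(fwPub, digest[:], sig)
}

func main() {
	v, _ := NewVendor()
	_, certDER, _ := v.IssueDeviceID("SN-0001")
	image := []byte("constructed firmware image v1.0") // constructed sample, not a real image
	sig, _ := v.SignFirmware(image)
	fmt.Println(VerifyDeviceID(certDER, v.rootCert, "SN-0001"), VerifyFirmware(image, sig, &v.fwKey.PublicKey))
}
```

The two verification functions are deliberately independent of the vendor's private keys: a customer only needs the vendor's root certificate and firmware-signing public key, obtained out of band, to reject a certificate issued by anyone else, a serial that does not match the unit, or an image altered by a single bit after signing.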
Strengthening the chain
ICT supply chains have always been complex systems with many stakeholders, making them inherently challenging to secure. As our digital world grows more closely interconnected, the challenge, and the threat, will only grow. It's a problem for every organization, but not one that customers can solve on their own. To protect ICT supply chains, vendors must take the lead.
By adopting a Zero Trust approach to verify the authenticity, integrity, and confidentiality of ICT products, organizations can push their vendors to adopt more secure and transparent supply chains. Together, we can build a future where we all benefit from global interconnectivity, without unacceptable risk.
Copyright © 2022 IDG Communications, Inc.