Risk
11/5/2009
01:45 PM
Connect Directly
RSS
E-Mail
50%
50%
Repost This

Securing The Cyber Supply Chain

Many parties touch your organization's systems and software, potentially exposing them to malware, breaches, or worse. A new end-to-end approach is required to minimize the risks.

Total Trust

One way that DOD and the National Security Agency are tackling this issue already is by commissioning custom chipsets for some of their most critical systems. Only a few chipmakers, like Intel, still manufacture their chips in their entirety. Most are now fabless, and in the process, they've given up a measure of security, something the military and intelligence communities can't accept for their most critical systems. "Maliciously tampered integrated circuits cannot be patched," retired Army Gen. Wesley Clark recently wrote in Foreign Affairs magazine. "They are the ultimate sleeper cell."

The Defense Department requires chips used in critical systems to be built by and procured from trusted companies and facilities within the continental United States. In 2003, NSA joined with DOD to create the Trusted Access Program Office, also known as Trusted Foundry. That program enables DOD and NSA to track their chips through the supply chain from design to delivery.

The National Security Agency and the Defense Department have a 10-year contract with IBM through 2013 and work with other manufacturers that build components at more than a dozen factories in the United States. In fiscal 2008, the Trusted Foundry program delivered more than 21,000 parts and 340 chipset designs for more than 70 DOD and NSA programs and contracts, according to budget documents.

The agencies plan to spend about $41 million this year to develop custom chips. Last year, NSA spent about $13 million just to form partnerships and to accredit suppliers.

In fiscal 2010, the agencies plan to redouble their Trusted Foundry efforts, developing new sources across the supply chain, according to budget documents. Under a Congressional requirement in this year's defense budget, DOD is to team up with the intelligence community, private industry, and academia to assess ways to verify the authenticity and "trust" of chips that the Defense Department buys from commercial sources.

The Defense Advanced Research Projects Agency is in the middle of a $19 million, three-year program called Trust in Integrated Circuits that tries to determine ways to quickly verify that chips are built to carry out only the functions for which they're intended. The agency employed MIT engineers to compromise chips, and three companies to develop and test new ways to sort the compromised chips from real ones.

As the evidence shows, the IT risks and vulnerabilities in an improperly managed supply chain, from counterfeit equipment to malware to other avenues of attack, are real and growing. It may be unrealistic to lock down your organization's IT supply chain from end to end, but IT pros can't afford to ignore the issue. IT departments must keep a more watchful eye on vendors, partners, and others in their cyber supply chains and adopt best practices for mitigating risks across their systems and processes.

Previous
5 of 5
Next
Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-1421
Published: 2014-04-22
Cross-site scripting (XSS) vulnerability in Craig Knudsen WebCalendar before 1.2.5, 1.2.6, and other versions before 1.2.7 allows remote attackers to inject arbitrary web script or HTML via the Category Name field to category.php.

CVE-2013-2105
Published: 2014-04-22
The Show In Browser (show_in_browser) gem 0.0.3 for Ruby allows local users to inject arbitrary web script or HTML via a symlink attack on /tmp/browser.html.

CVE-2013-2187
Published: 2014-04-22
Cross-site scripting (XSS) vulnerability in Apache Archiva 1.2 through 1.2.2 and 1.3 before 1.3.8 allows remote attackers to inject arbitrary web script or HTML via unspecified parameters, related to the home page.

CVE-2013-4116
Published: 2014-04-22
lib/npm.js in Node Packaged Modules (npm) before 1.3.3 allows local users to overwrite arbitrary files via a symlink attack on temporary files with predictable names that are created when unpacking archives.

CVE-2013-4472
Published: 2014-04-22
The openTempFile function in goo/gfile.cc in Xpdf and Poppler 0.24.3 and earlier, when running on a system other than Unix, allows local users to overwrite arbitrary files via a symlink attack on temporary files with predictable names.

Best of the Web