Securing The Cyber Supply Chain

Security pros draw a line at the firewall--what happens "out there" might be beyond their control, but a secure perimeter is intended to protect the data and systems within. That view, however, fails to take into account the role of developers, vendors, customers, users, and others along the supply chain of IT systems, hardware, and software coming into the enterprise. A new school of practice advocates a more encompassing approach to security that leaves none of those touch points unchecked.

It's called the cybersecurity supply chain, and, as it sounds, it applies the principles of supply chain management--product assembly and acquisition, data sharing among partners, governance, and more--to the security of IT systems and software. "Organizations need to realize that their borders are porous," says Jim Lewis, director and senior fellow of the Center for Strategic and International Studies' technology and public policy program. "We're no longer living behind a moat. It's not just how secure you are, but how secure the people you connect with are as well."

What comprises a cyber supply chain? Researchers at the University of Maryland's Robert H. Smith School of Business and the IT services firm SAIC, in a white paper published in June, define it as "the mass of IT systems--hardware, software, public, and classified networks--that together enable the uninterrupted operations" of government agencies, public companies, and their major suppliers. "The cyber supply chain includes the entire set of key actors and their organizational and process-level interactions that plan, build, manage, maintain, and defend this infrastructure."

Foreign nations already are carrying out supply chain attacks on IT systems belonging to the U.S. government, according to a presentation by Mitch Komaroff, director of the Department of Defense CIO's globalization task force. A simple example is hardware being delivered with malware installed. In the private sector, financial firms have become regular targets. These two sectors are also the most aggressive in looking at ways to fight the problem.

Two government efforts--the Bush administration's Comprehensive National Cyber Initiative and the Obama administration's Cybersecurity Policy Review--direct federal agencies to shore up their cyber supply chains. "The growing sophistication and diversity of cyberattacks makes this a threat," says Nicole Dean, deputy director of the Department of Homeland Security's National Cybersecurity Division, which oversees the Comprehensive National Cyber Initiative.

DIG DEEPER

Government IT On The Leading Edge

Learn more about how government agencies are helping to drive what's next in the technology industry, including software that learns your schedule and networks resilient enough for the rigors of outer space.

Download this
Analytics Report

>> See all our Analytics Reports <<

Avenues of attack include malware inserted into software or hardware, vulnerabilities found by hackers poking and prodding software, and compromised systems that are unwittingly brought in house. In recent years, Apple, Hewlett-Packard, Sony, and others have shipped pre-owned laptops, hard drives, and other devices with viruses, worms, and Trojans on them, according to a 2007 presentation to the Internet Security Alliance by Verizon executive Marcus Sachs, who's also director of the SANS Internet Storm Center.

In most companies, tackling this problem will require new levels of collaboration among security, IT, and supply chain managers. "From a defensive standpoint, few supply chain managers or supply chain risk managers have aligned their mission with their computer security center, and they're not commissioned to conduct joint operations," says Hart Rossman, CTO of cybersecurity solutions with SAIC and co-author of the cyber supply chain white paper. "If you think hardware or software has been compromised out of the box and you call your cybersecurity team, they're probably not prepared to deal with it because they're looking for viruses."

Counterfeiting is another risk. The Department of Justice recently arrested three California residents on counterfeiting charges. According to the indictment, the three imported counterfeit microprocessors from China. They also obtained legitimate chips, removed their original markings, then resold them to government agencies as "military grade" components.

Target: Financial Systems

In the private sector, financial systems are being targeted, says Paul Kocher, president and chief scientist of Cryptography Research, which advises companies on cybersecurity, designs tamper-resistant chips, and licenses technology to protect against "differential power analysis," an advanced technique where an attacker analyzes power consumption of, say, smart cards to determine cryptographic keys.

"Someone will target an individual or organization and invest a nontrivial effort to get that data," he says. For example, cybercriminals have surreptitiously inserted their own router into a company's network and "started pulling out information for fraudulent purposes," Kocher says.

The Financial Sector Information Sharing and Analysis Center, an industry organization, recently created a working group to address IT supply chain integrity. Its members include Goldman Sachs, Depository Trust and Clearing Corp., Citigroup, Morgan Stanley, the Bank of New York Mellon, J.P. Morgan, Bank of America, and NYSE/Euronext.

"We face organized cyberenemies who are hell-bent on positioning themselves to bring down the entire U.S. financial services system," said Donald Donahue, CEO of Depository Trust and Clearing Corp., a holding company that processes many of the nation's capital market transactions, at a financial services industry conference in May. "Their intent to penetrate the supply chain exploiting whatever vulnerabilities that may exist is very clear."

Point-of-sale systems and ATMs are among the most commonly attacked financial systems, says Cryptography Research's Kocher. Among the techniques that have been employed: ATMs have been delivered with malicious code pre-installed, hackers have created fake endpoints on ATM networks, and the people servicing machines have turned out to be fraudsters, says Kocher.

Security and IT managers need to develop strategies for dealing with the IT supply chain threat in a comprehensive way. Measures for minimizing the risks include buying only from trusted vendors, disconnecting critical machines from outside networks, and educating users on the threat and protective measures they can take.

Depository Trust and Clearing Corp. has implemented governance for vulnerability management throughout its supply chain and looks at IT security along "the entire life cycle," Donahue said. That includes where software was coded and hardware manufactured, access controls throughout software development and delivery, and security within DTCC itself.

The first step in any cyber supply chain action plan should be to categorize and catalog the risks, says Lewis from the Center for Strategic and International Studies. For the most critical functions at the highest security levels--systems used for nuclear weapons testing, for instance--an organization might need to use a "100% reliable" supply chain, though that gets prohibitively expensive very quickly. That level of reliability would require fully documented software development and hardware by trusted partners in controlled environments.

SAIC and the University of Maryland's School of Business have developed a cyber supply chain "assurance model" to help organizations tackle the issue in a methodical way. The model is the result of an 8-month study that included an assessment of the state of the art in supply chain management and cybersecurity, interviews, and focus groups. "Everybody viewed themselves as the terminus in the supply chain, even though when people procure IT these days it's often for their customer or their customer's customer," says SAIC's Rossman. "Most organizations don't have good visibility into their tier 1 supply chain providers, much less their lower-tier suppliers."

The cyber supply chain assurance model is comprised, visually, of nested circles (see chart, p. 46). At the center is governance, managed by a supply chain orchestrator. Beyond that are systems integration and shared services; it's here that the model introduces the concept of an "enforcer" of supply chain custody. The outside circle, or "field layer," addresses cybersecurity in software code, IT hardware, enterprise applications, networks, and people.

The report authors cite the need for a "chain of custody," including real-time documentation of systems development practices, among participants in the supply chain. They point to the quality-control measures used in the pharmaceuticals industry, with extensive online documentation and product tracking, as a model for cyber supply chains.

Beware Back Doors

Software pedigree--knowing who developed code at every step, and being able to verify its trustworthiness--is one of the most critical, yet challenging, steps. Earlier this year, Arab telecom provider Etisalat pushed to BlackBerry users what it said was a software update for improving performance. In fact, it was spyware capable of providing access to information on the devices.

Brian Chess, chief scientist at Fortify, a company that specializes in assuring software security, recommends a three-step process: Take a software inventory and apply tools that analyze code for vulnerabilities; ask software vendors to document the steps in their development processes; and recognize that neither of those steps is enough, and therefore be rigorous in your other cybersecurity efforts.

Once software is installed, to make sure hackers aren't using back doors built into code, it's important to baseline network traffic, says NetForensics VP Tracy Hulver. If something looks amiss, "I can be alerted and do something about it," he says. That applies to anomalies in user behavior, as well. "You say, I'm getting database access from an IP address that's outside the United States, and that's unusual, so I need to terminate that," Hulver says.

Verizon's Sachs recommends a multitiered approach to risk mitigation, including establishing new coding standards in the software industry, close monitoring of offshore software development, and a mandate that all critical software used by government agencies be written domestically.

The software industry is in the early days of figuring out how to discuss supply chain issues. SAFECode is working with Adobe, EMC, Juniper, Microsoft, Nokia, SAP, and Symantec to develop best practices in secure software development. "We discovered there really wasn't a common lexicon or template for describing supply chain integrity," says Paul Kurtz, executive director of SAFECode and a top White House cybersecurity official in the Bush administration. "Now they're looking at this collectively, which is incredibly important because they're developing a common framework."

Bill Billings, chief security officer for Microsoft's federal group, believes the computer industry should adopt what he calls the Campbell's soup model, where a product-tracking number on every can makes it possible for consumers to get information on where and when soup was made. "You're not changing the quality of it, but you are changing the fact that it comes from somebody you knew rather than somebody you didn't," he says. "It's getting rid of the man-in-the-middle attacks."

Assigning Responsibility

The Department of Defense's fiscal 2010 budget requires DOD to identify vulnerabilities at multiple levels of the supply chain for a number of major IT acquisition programs. The DOD will have to prioritize those vulnerabilities and their potential effects, create recommendations for managing risk, and identify someone to lead development of "an integrated strategy for managing risk in the supply chain."

The Comprehensive National Cyber Initiative, meanwhile, includes a group working on standards, another on sharing supply chain vulnerabilities, and a third on policy, chaired by DOD and the Department of Homeland Security, with participation from the National Institute of Standards and Technology.

Uncle Sam wants to ensure that when agencies purchase products, especially classified as high-impact systems (critical business and national security systems, among others), agencies think about "the threats that can come from the supply chain as systems and software are being built and delivered," says NIST computer security division IT specialist Marianne Swanson, who's heading up the standards working group.

NIST's draft guidelines include elements such as procurement strategies requiring suppliers to carry out specific risk mitigation processes. The departments of Defense and Homeland Security are testing these processes in a pilot project, and their findings will be integrated into a draft report early next year for public comment. The draft identifies 32 practices, such as using contract language that requires suppliers to inform agencies of the identities of their contractors and subcontractors and obvious steps like focusing on the supply chain security of agencies' most critical IT components.

It's too early to tell just what the final draft will look like, but a NIST presentation online lays out security steps throughout the technology life cycle, from design to retirement. The prototype strategy encourages the use of trusted suppliers, service-level agreements related to quality and security during the manufacturing stage, vetting of software updates, use of secure distribution channels, and secure destruction of media after use.

Once DOD and DHS carry out their pilot programs, the General Services Administration will use "market incentives" to make security a bigger part of hardware and software product designs and to encourage development of new security technologies and secure managed services. This process began late last year, when the Federal Acquisition Regulatory Council released a draft notice of proposed rule-making that would create an authenticity guarantee for federal contractors and software and hardware vendors. SAIC's Rossman expects policy to be rolled out formally in the next year.

Total Trust

One way that DOD and the National Security Agency are tackling this issue already is by commissioning custom chipsets for some of their most critical systems. Only a few chipmakers, like Intel, still manufacture their chips in their entirety. Most are now fabless, and in the process, they've given up a measure of security, something the military and intelligence communities can't accept for their most critical systems. "Maliciously tampered integrated circuits cannot be patched," retired Army Gen. Wesley Clark recently wrote in Foreign Affairs magazine. "They are the ultimate sleeper cell."

The Defense Department requires chips used in critical systems to be built by and procured from trusted companies and facilities within the continental United States. In 2003, NSA joined with DOD to create the Trusted Access Program Office, also known as Trusted Foundry. That program enables DOD and NSA to track their chips through the supply chain from design to delivery.

The National Security Agency and the Defense Department have a 10-year contract with IBM through 2013 and work with other manufacturers that build components at more than a dozen factories in the United States. In fiscal 2008, the Trusted Foundry program delivered more than 21,000 parts and 340 chipset designs for more than 70 DOD and NSA programs and contracts, according to budget documents.

The agencies plan to spend about $41 million this year to develop custom chips. Last year, NSA spent about $13 million just to form partnerships and to accredit suppliers.

In fiscal 2010, the agencies plan to redouble their Trusted Foundry efforts, developing new sources across the supply chain, according to budget documents. Under a Congressional requirement in this year's defense budget, DOD is to team up with the intelligence community, private industry, and academia to assess ways to verify the authenticity and "trust" of chips that the Defense Department buys from commercial sources.

The Defense Advanced Research Projects Agency is in the middle of a $19 million, three-year program called Trust in Integrated Circuits that tries to determine ways to quickly verify that chips are built to carry out only the functions for which they're intended. The agency employed MIT engineers to compromise chips, and three companies to develop and test new ways to sort the compromised chips from real ones.

As the evidence shows, the IT risks and vulnerabilities in an improperly managed supply chain, from counterfeit equipment to malware to other avenues of attack, are real and growing. It may be unrealistic to lock down your organization's IT supply chain from end to end, but IT pros can't afford to ignore the issue. IT departments must keep a more watchful eye on vendors, partners, and others in their cyber supply chains and adopt best practices for mitigating risks across their systems and processes.