Daniel Wood
What Your Company Needs to Know About Hardware Supply Chain Security

By establishing a process and framework, you can ensure you're not giving more advanced attackers carte blanche to your environment.

In Dun & Bradstreet's 2019 "Compliance and Procurement Sentiment" report, respondents cited cybersecurity as their top concern, yet 48% had not integrated associated risks into their third-party risk management. While developing and implementing a supply chain security program can be daunting, it should be the first item on your company's to-do list — with an emphasis on hardware security, which is often given short shrift.

Information security programs typically focus on managing software patches and keeping anti-malware engines and network security gear up to date. As a result, hardware components are often deprioritized, even though they are also exposed to advanced attackers and nation-state threats. The manipulation of physical components during manufacturing or in transit is a threat to every physical product. Faulty parts cause recalls, and when the part underpins global systems and handles sensitive data, the potential damage grows far beyond a single device. A successful firmware or hardware compromise is especially prized by attackers because, unlike most software-based compromises, which can be removed by resetting a device to factory defaults, many hardware attacks survive firmware reflashing and operating system reinstallation.

Threats to the hardware supply chain are not theoretical, and security teams need to develop stronger policies to mitigate supply chain threats and risks. Securing the supply chain needs to happen at various levels — each carrying its own complexities. The first step is ensuring the supply chain is part of your organization's threat model. At a minimum, a good grasp of the risks associated with the supply chain could change your acceptable business risks.

Here are 10 best practices for designing a strong supply chain security program.

1. Perform a risk analysis of the business: Risk is defined as the cost of system loss multiplied by the probability that the loss occurs through malicious action. Such a risk analysis helps an organization triage incidents and prioritize mitigations. Rooting out hardware implants from the supply chain is an expensive process, and a risk analysis can weigh the benefit of implementing the controls in this list against the cost of a security incident. It may not make sense for every organization, or every business unit inside an organization, to prioritize threats from hardware implants. Complete this risk analysis before implementing any security measures.

2. Create and maintain an inventory of third-party hardware providers: This should be an extension of the hardware and software inventory already dictated by your organizational policy.

3. Identify the devices that provide business-critical functionality and services: Critical devices are defined as any hardware that is a single point of failure in an organization's security model or that implements a critical security-relevant service.

4. Perform a third-party risk assessment on each critical provider/device: If necessary, once the assessment is complete, re-evaluate contractual language to include security addendums and clauses that mandate the security standards your service provider must maintain, along with a requirement for periodic proof of its continued adherence to those standards.

5. Establish a communication plan with each critical provider: This should be bidirectional and allow each organization to be informed when issues arise that could increase exposure to risk.

6. Build and maintain a software dependency tracker for your organization's hardware: Through this, you can determine whether servers or appliances are vulnerable to security flaws in software components and initiate discussions with vendors about timely patching.

7. Establish an assessment process for third-party hardware that is delivered to your organization: This can include testing the security of your hardware, establishing traffic baselines in a lab environment, and reviewing the security of your supplier's supplier.

8. Conduct ingress and egress filtering: Do this on any network-attached components, blocking unexpected requests from entering or leaving the operating environment.

9. Request documentation and proof of assessment for devices that implement critical infrastructure: Devices should be tested against, and resilient to, network, local, and physical attacks. To specifically resist hardware implants, anti-tamper controls should be tested and reverse-engineering of the device should be limited through technical controls.

10. Understand your vendors' supply chains as part of the system selection process: Vendors should be able to share the origin of each device component and provide an overview of how the component is secured from manufacturer to customer.
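The following is an added example, not code from the article, Dark Reading, or Bishop Fox. It sketches what best practices 1, 2, 3, 5 and 6 look like once they are data rather than policy: a hardware inventory that records each device's provider and criticality, the software components it runs, and a constructed loss cost and compromise probability; a lookup against advisories to find affected devices; a ranking by risk (cost of loss times probability); and a cost check for whether a control is worth deploying on a given device. Every device, provider, version, advisory ID, cost and probability here is constructed sample data, and the advisory IDs are placeholders rather than real CVE numbers.

```python
"""Added example (not from the article, Dark Reading, or Bishop Fox): a small inventory and
software-dependency tracker that ties together best practices 1, 2, 3, 5 and 6. Every device,
provider, component version, advisory ID, loss figure and probability below is constructed
sample data."""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Device:
    asset_id: str
    provider: str          # third-party hardware provider (best practice 2)
    model: str
    critical: bool         # single point of failure / security-relevant service (best practice 3)
    loss_cost: float       # constructed cost of losing the system, in currency units
    p_compromise: float    # constructed annual probability of compromise through malicious action
    components: dict = field(default_factory=dict)  # software component -> installed version


# Constructed advisories: component -> {affected version: placeholder advisory ID}.
# The IDs are placeholders, not real CVE or vendor advisory numbers.
ADVISORIES = {
    "bmc-firmware": {"2.1": "ADV-EXAMPLE-001"},
    "openssl": {"1.0.2u": "ADV-EXAMPLE-002"},
}

INVENTORY = [
    Device("srv-001", "VendorA", "Rack server", True, 500_000, 0.05,
           {"bmc-firmware": "2.1", "openssl": "1.1.1k"}),
    Device("fw-001", "VendorB", "Edge firewall", True, 800_000, 0.10,
           {"openssl": "1.0.2u"}),
    Device("prn-007", "VendorC", "Printer", False, 20_000, 0.30,
           {"openssl": "1.0.2u"}),
    Device("sw-010", "VendorA", "Access switch", False, 50_000, 0.02,
           {"bmc-firmware": "3.0"}),
]


def risk(device):
    """Best practice 1: risk = cost of system loss x probability the loss occurs."""
    return device.loss_cost * device.p_compromise


def providers(inventory):
    """Best practice 2: the third-party providers behind the inventory."""
    return sorted({d.provider for d in inventory})


def affected_devices(inventory, advisories):
    """Best practice 6: devices running a component version named in an advisory."""
    hits = []
    for d in inventory:
        for comp, ver in d.components.items():
            adv_id = advisories.get(comp, {}).get(ver)
            if adv_id:
                hits.append((d.asset_id, comp, ver, adv_id))
    return hits


def prioritized(inventory, advisories):
    """Affected devices ordered by risk, highest first, so the critical ones are handled first."""
    by_id = {d.asset_id: d for d in inventory}
    return sorted(affected_devices(inventory, advisories),
                  key=lambda h: risk(by_id[h[0]]), reverse=True)


def by_provider(inventory, advisories):
    """Best practice 5: which provider to contact about which affected devices."""
    by_id = {d.asset_id: d for d in inventory}
    out = defaultdict(list)
    for asset_id, comp, ver, adv_id in affected_devices(inventory, advisories):
        out[by_id[asset_id].provider].append((asset_id, comp, ver, adv_id))
    return dict(out)


def control_justified(device, control_cost, risk_reduction):
    """Best practice 1 again: is a control worth its cost? True when the risk it removes
    (risk x fraction reduced) exceeds what the control costs."""
    return risk(device) * risk_reduction > control_cost


if __name__ == "__main__":
    for asset_id, comp, ver, adv_id in prioritized(INVENTORY, ADVISORIES):
        print(f"{asset_id}: {comp} {ver} is named in {adv_id}")
    for provider, items in by_provider(INVENTORY, ADVISORIES).items():
        print(f"contact {provider} about {[i[0] for i in items]}")
```

With the constructed figures, the same 30,000-unit control that halves risk pays for itself on the edge firewall but not on the printer, which is the point the article makes about not every business unit needing to prioritize hardware-implant threats. In practice the inventory rows would come from the asset register and the advisory table from vendor notifications, with the same matching logic applied.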

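Best practices 7 and 8 are easier to see with data as well. The following added example, again not code from the article or from any vendor, builds a traffic baseline for a new appliance from flows captured in a lab, then checks production flows from the same appliance against it and renders the baseline as generic allowlist entries for an egress filter. The flow records, addresses and the internal address range are constructed; the external addresses are documentation-range placeholders, not real update servers.

```python
"""Added example (not from the article): an egress baseline captured in a lab (best practice 7)
used to flag traffic that an egress filter should block (best practice 8). All flows, addresses
and ranges below are constructed; the external addresses are documentation-range placeholders."""
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed lab capture for the appliance: (src, dst, dst_port, proto) over the baseline period
LAB_FLOWS = [
    ("10.10.0.5", "10.10.0.1", 53, "udp"),       # DNS to the lab resolver
    ("10.10.0.5", "10.10.0.1", 123, "udp"),      # NTP to the lab time source
    ("10.10.0.5", "203.0.113.10", 443, "tcp"),   # placeholder for the vendor update server
    ("10.10.0.5", "203.0.113.10", 443, "tcp"),
]

# Constructed production flows from the same appliance after deployment
PROD_FLOWS = [
    ("10.20.0.5", "10.20.0.1", 53, "udp"),
    ("10.20.0.5", "203.0.113.10", 443, "tcp"),
    ("10.20.0.5", "198.51.100.77", 8443, "tcp"),  # destination never seen in the lab
    ("10.20.0.5", "10.20.0.1", 123, "udp"),
    ("10.20.0.5", "192.0.2.9", 23, "tcp"),        # destination and port never seen in the lab
]

# Constructed internal range: internal destinations are generalized so the baseline
# survives the move from lab addressing to production addressing.
INTERNAL = [ip_network("10.0.0.0/8")]


def service_key(flow, internal=INTERNAL):
    """Reduce a flow to what the baseline records: destination scope, port and protocol.
    Internal destinations collapse to the label 'internal'; external ones keep their address."""
    _, dst, port, proto = flow
    scope = "internal" if any(ip_address(dst) in net for net in internal) else dst
    return (scope, port, proto)


def build_baseline(flows):
    """Count each (scope, port, proto) seen in the lab; the keys are the expected services."""
    return Counter(service_key(f) for f in flows)


def unexpected_egress(flows, baseline):
    """Flows whose service was never observed in the lab baseline."""
    return [f for f in flows if service_key(f) not in baseline]


def allowlist_rules(baseline):
    """Render the baseline as allowlist entries for an egress filter. The wording is generic,
    not any particular firewall's syntax."""
    return sorted(f"allow {proto}/{port} to {dst}" for (dst, port, proto) in baseline)


if __name__ == "__main__":
    baseline = build_baseline(LAB_FLOWS)
    for rule in allowlist_rules(baseline):
        print(rule)
    for flow in unexpected_egress(PROD_FLOWS, baseline):
        print("unexpected egress:", flow)
```

Two of the five production flows fall outside the baseline: an HTTPS-like connection on 8443 to an address the appliance never contacted in the lab, and a telnet connection to another. Under the article's eighth practice both would be blocked by the egress filter and are worth a conversation with the vendor under the fifth.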
Though these recommendations cannot totally prevent the compromise of mission-critical hardware, they are a foundation to help mitigate your overall risk.

Hardware interdiction is a real threat, and supply chain security assessments must be part of most organizations' threat models and risk mitigation strategies. Hardware attacks are unique in that they provide access and persistence at levels that are challenging and near-impossible to adequately address. By establishing a process and framework for addressing these concerns, you can ensure you're not giving more advanced attackers carte blanche to your environment.


Daniel Wood (CISSP, GPEN) is the Associate Vice President of Consulting at Bishop Fox, where he leads all service lines and develops strategic initiatives. He has over 15 years of experience in cybersecurity and is a subject matter expert in red teaming, insider threat, and ...
