Dark Reading is part of the Informa Tech Division of Informa PLC

Daniel Wood

What Your Company Needs to Know About Hardware Supply Chain Security

By establishing a process and framework, you can ensure you're not giving more advanced attackers carte blanche to your environment.

In Dun & Bradstreet's 2019 "Compliance and Procurement Sentiment" report, respondents cited cybersecurity as their top concern, yet 48% had not integrated associated risks into their third-party risk management. While developing and implementing a supply chain security program can be daunting, it should be the first item on your company's to-do list — with an emphasis on hardware security, which is often given short shrift.

Information security programs typically focus on managing software patches and keeping anti-malware engines and network security gear up to date. As a result, hardware components are often deprioritized, even though they are also vulnerable to advanced attackers and nation-state threats. The manipulation of physical components during manufacturing or in transit is a threat to every physical product. Faulty parts cause recalls, and when the part is relied on by global systems and contains sensitive data, the potential damage scales with every system that depends on it. Successfully attacking firmware creates a foothold that attackers covet because, unlike most software-based attacks, which can be undone by resetting a device to its defaults, many hardware attacks survive firmware reflashing or operating system reinstallation.

Threats to the hardware supply chain are not theoretical, and security teams need to develop stronger policies to mitigate supply chain threats and risks. Securing the supply chain needs to happen at various levels — each carrying its own complexities. The first step is ensuring the supply chain is part of your organization's threat model. At a minimum, a good grasp of the risks associated with the supply chain could change what the business considers an acceptable risk.

Here are 10 best practices for designing a strong supply chain security program.

1. Perform a risk analysis of the business: Risk is defined as the cost of system loss multiplied by the probability that the loss may occur through malicious action. Such a risk analysis can help an organization triage incidents and prioritize mitigations. Rooting out hardware implants from the supply chain is an expensive process, and a risk analysis can weigh the benefits of implementing the controls in this list against the cost of a security incident. It may not make sense for every organization, or every business unit inside an organization, to prioritize threats from hardware implants. Complete your team's risk analysis before implementing any security measures.

2. Create and maintain an inventory of third-party hardware providers: This should be an extension of the hardware and software inventory already dictated by your organizational policy.

3. Identify the devices that provide business-critical functionality and services: Critical devices are defined as any hardware that is a single point of failure in an organization's security model or that implements a critical security-relevant service.

4. Perform a third-party risk assessment on each critical provider/device: If necessary, once the assessment is complete, revise the contractual language to include security addendums, clauses mandating the controls your service provider must maintain, and a requirement for periodic proof of its continued adherence to security standards.

5. Establish a communication plan with each critical provider: This should be bidirectional and allow each organization to be informed when issues arise that could increase exposure to risk.

6. Build and maintain a software dependency tracker for your organization's hardware: Through this, you can determine whether servers or appliances are vulnerable to security flaws in software components and initiate discussions with vendors about timely patching.

7. Establish an assessment process for third-party hardware that is delivered to your organization: This can include testing the security of your hardware, establishing traffic baselines in a lab environment, and reviewing the security of your supplier's supplier.

8. Conduct ingress and egress filtering: Do this on any network-attached components, blocking unexpected requests from entering or leaving the operating environment.

9. Request documentation and proof of assessment for devices that implement critical infrastructure: Devices should be resilient to, and subjected to, network, local, and physical attacks. To specifically resist hardware implants, anti-tamper controls should be tested and reverse-engineering efforts against devices should be limited through technical controls.

10. Understand your vendors' supply chains as part of the system selection process: Vendors should be able to share the origin of each device component and provide an overview of how the component is secured from manufacturer to customer.
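Practices 2, 3 and 6 above fit together naturally: an inventory of third-party hardware, a flag for the devices that are business-critical, and a tracker of the software components inside each device that can be matched against vendor advisories. The following Python script is an added example of that combination and is not code from the article or from Bishop Fox. The device names, vendors, component versions and the advisory list are constructed sample data (the advisory IDs are placeholders, not real advisories), and the version-comparison rule is a simplifying assumption that covers dotted versions with an optional letter suffix.

```python
"""Hardware inventory with a software-component dependency tracker.

Added example (not from the article). Devices, versions and advisories below
are constructed sample data; advisory IDs are placeholders.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class Device:
    name: str
    vendor: str
    critical: bool                       # single point of failure or security service (practice 3)
    components: Dict[str, str] = field(default_factory=dict)   # component -> installed version


# Constructed inventory of third-party hardware (practice 2).
INVENTORY: List[Device] = [
    Device("edge-fw-01", "ExampleVendorA", True,
           {"bmc-firmware": "2.1.0", "openssl": "1.1.1g", "uboot": "2019.04"}),
    Device("core-sw-01", "ExampleVendorA", True,
           {"bmc-firmware": "2.3.1", "openssl": "1.1.1k"}),
    Device("print-srv-01", "ExampleVendorB", False,
           {"openssl": "1.1.1g", "cups": "2.3.3"}),
]

# Constructed advisory feed: component -> (first fixed version, advisory id placeholder).
ADVISORIES: Dict[str, Tuple[str, str]] = {
    "openssl": ("1.1.1k", "ADV-PLACEHOLDER-001"),
    "bmc-firmware": ("2.2.0", "ADV-PLACEHOLDER-002"),
}


def parse_version(version: str):
    """Turn '1.1.1k' into ((1,''),(1,''),(1,'k')) so versions compare as tuples.

    Assumption: numeric parts compare as integers, a trailing letter suffix
    (OpenSSL style) compares as a string. Good enough for the sample data.
    """
    parts = []
    for piece in version.split("."):
        num, suffix = "", ""
        for ch in piece:
            if ch.isdigit() and not suffix:
                num += ch
            else:
                suffix += ch
        parts.append((int(num) if num else 0, suffix))
    return tuple(parts)


def affected_devices(inventory, advisories):
    """Return (device, component, installed, fixed, advisory) for every device
    that runs a tracked component older than its first fixed version."""
    hits = []
    for dev in inventory:
        for comp, installed in dev.components.items():
            if comp not in advisories:
                continue
            fixed, adv = advisories[comp]
            if parse_version(installed) < parse_version(fixed):
                hits.append((dev.name, comp, installed, fixed, adv))
    return hits


def vendor_followups(inventory, advisories):
    """Group affected devices by vendor, critical devices first, so the team
    knows which supplier conversation about patching (practice 6) to open first."""
    critical = {d.name: d.critical for d in inventory}
    vendor_of = {d.name: d.vendor for d in inventory}
    by_vendor: Dict[str, list] = {}
    for name, comp, installed, fixed, adv in affected_devices(inventory, advisories):
        by_vendor.setdefault(vendor_of[name], []).append(
            (critical[name], name, comp, installed, fixed, adv))
    for rows in by_vendor.values():
        rows.sort(key=lambda r: (not r[0], r[1]))   # critical=True sorts first
    return by_vendor


if __name__ == "__main__":
    for vendor, rows in vendor_followups(INVENTORY, ADVISORIES).items():
        print(f"== {vendor} ==")
        for is_crit, name, comp, installed, fixed, adv in rows:
            tag = "CRITICAL" if is_crit else "non-critical"
            print(f"  {name:14} {comp:14} {installed} -> fixed in {fixed}  ({adv}, {tag})")
```

Running the script lists three findings: both tracked components on `edge-fw-01` and the OpenSSL build on `print-srv-01`. Because the output is grouped by vendor with critical devices first, it doubles as the agenda for the communication plan in practice 5.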

Though these recommendations cannot totally prevent the compromise of mission-critical hardware, they are a foundation to help mitigate your overall risk.

Hardware interdiction is a real threat, and supply chain security assessments must be part of most organizations' threat models and risk mitigation strategies. Hardware attacks are unique in that they provide access and persistence at levels that are challenging and near-impossible to adequately address. By establishing a process and framework for addressing these concerns, you can ensure you're not giving more advanced attackers carte blanche to your environment.


Daniel Wood (CISSP, GPEN) is the Associate Vice President of Consulting at Bishop Fox, where he leads all service lines and develops strategic initiatives. He has over 15 years of experience in cybersecurity and is a subject matter expert in red teaming, insider threat, and ...
