Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


10:00 AM
Daniel Wood
Daniel Wood
Connect Directly
E-Mail vvv

What Your Company Needs to Know About Hardware Supply Chain Security

By establishing a process and framework, you can ensure you're not giving more advanced attackers carte blanche to your environment.

In Dun & Bradstreet's 2019 "Compliance and Procurement Sentiment" report, respondents cited cybersecurity as their top concern, yet 48% had not integrated associated risks into their third-party risk management. While developing and implementing a supply chain security program can be daunting, it should be the first item on your company's to-do list — with an emphasis on hardware security, which is often given short shrift.

Information security programs typically focus on managing software patches and keeping anti-malware engines and network security gear up to date. As a result, hardware components are often deprioritized, even though they are also vulnerable to advanced attackers and nation-state threats. The manipulation of physical components during building stages or transportation routes is a threat to all physical products. Faulty parts cause recalls, and when the part is relied on by global systems and contains sensitive data, the scale of the potential carnage becomes exponential. Successfully attacking firmware can create a vulnerability that attackers covet because, unlike most software-based attacks that can be fixed by resetting a device back to default, many hardware attacks can survive firmware reflashing or operating system reinstallations.

Threats to the hardware supply chain are not theoretical, and security teams need to develop stronger policies to mitigate supply chain threats and risks. Securing the supply chain needs to happen at various levels — each carrying its own complexities. The first step is ensuring the supply chain is part of your organization's threat model. At a minimum, a good grasp of the risks associated with the supply chain could change your acceptable business risks.

Here are 10 best practices for designing a strong supply chain security program.

1. Perform a risk analysis of the business: Risk is defined as the cost of system loss multiplied by the probability that the loss may occur through malicious action. Such a risk analysis can help an organization triage incidents and prioritize mitigations. Rooting out hardware implants from the supply chain is an expensive process, and a risk analysis can weigh the benefits of implementing the controls in this list against the cost of a security incident. It may not make sense for every organization, or every business unit inside an organization, to prioritize threats from hardware implants. Determine your team's risk analysis first before implementing any security measures.

2. Create and maintain an inventory of third-party hardware providers: This should be an extension of the hardware and software inventory already dictated by your organizational policy.

3. Identify the devices that provide business-critical functionality and services: Critical devices are defined as any hardware that is a single point of failure in an organization's security model or that implements a critical security-relevant service.

4. Perform a third-party risk assessment on each critical provider/device: If necessary, once the assessment is complete, re-evaluate contractual language to include security addendums and clauses around mandates that your service provider maintains and a request for periodic proof of its continued adherence to security standards.

5. Establish a communication plan with each critical provider: This should be bidirectional and allow each organization to be informed when issues arise that could increase exposure to risk.

6. Build and maintain a software dependency tracker for your organization's hardware: Through this, you can determine whether servers or appliances are vulnerable to security flaws in software components and initiate discussions with vendors about timely patching.

7. Establish an assessment process for third-party hardware that is delivered to your organization: This can include testing the security of your hardware, establishing traffic baselines in a lab environment, and reviewing the security of your supplier's supplier.

8. Conduct ingress and egress filtering: Do this on any network-attached components, blocking unexpected requests from entering or leaving the operating environment.

9. Request documentation and proof of assessment for devices that implement critical infrastructure: Devices should be resilient to, and subjected to, network, local, and physical attacks. To specifically resist hardware implants, anti-tamper controls should be tested and reverse-engineering efforts against devices should be limited through technical controls.

10. Understand your vendors' supply chains as part of the system selection process: Vendors should be able to share the origin of each device component and provide an overview of how the component is secured from manufacturer to customer.

Though these recommendations cannot totally prevent the compromise of mission-critical hardware, they are a foundation to help mitigate your overall risk.

Hardware interdiction is a real threat, and supply chain security assessments must be part of most organizations' threat models and risk mitigation strategies. Hardware attacks are unique in that they provide access and persistence at levels that are challenging and near-impossible to adequately address. By establishing a process and framework for addressing these concerns, you can ensure you're not giving more advanced attackers carte blanche to your environment.

Related Content:

Check out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives. Today's featured story: "How to Prevent an AWS Cloud Bucket Data Leak."

Daniel Wood (CISSP, GPEN) is the Associate Vice President of Consulting at Bishop Fox, where he leads all service lines and develops strategic initiatives. He has over 15 years of experience in cybersecurity and is a subject matter expert in red teaming, insider threat, and ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Oldest First  |  Newest First  |  Threaded View
Inside the Ransomware Campaigns Targeting Exchange Servers
Kelly Sheridan, Staff Editor, Dark Reading,  4/2/2021
Beyond MITRE ATT&CK: The Case for a New Cyber Kill Chain
Rik Turner, Principal Analyst, Infrastructure Solutions, Omdia,  3/30/2021
Register for Dark Reading Newsletters
White Papers
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-04-17
A command injection vulnerability has been reported to affect QTS and QuTS hero. If exploited, this vulnerability allows attackers to execute arbitrary commands in a compromised application. We have already fixed this vulnerability in the following versions: QTS Build 20210202 and later Q...
PUBLISHED: 2021-04-17
An SQL injection vulnerability has been reported to affect QNAP NAS running Multimedia Console or the Media Streaming add-on. If exploited, the vulnerability allows remote attackers to obtain application information. QNAP has already fixed this vulnerability in the following versions of Multimedia C...
PUBLISHED: 2021-04-16
jose-node-esm-runtime is an npm package which provides a number of cryptographic functions. In versions prior to 3.11.4 the AES_CBC_HMAC_SHA2 Algorithm (A128CBC-HS256, A192CBC-HS384, A256CBC-HS512) decryption would always execute both HMAC tag verification and CBC decryption, if either failed `JWEDe...
PUBLISHED: 2021-04-16
jose-node-cjs-runtime is an npm package which provides a number of cryptographic functions. In versions prior to 3.11.4 the AES_CBC_HMAC_SHA2 Algorithm (A128CBC-HS256, A192CBC-HS384, A256CBC-HS512) decryption would always execute both HMAC tag verification and CBC decryption, if either failed `JWEDe...
PUBLISHED: 2021-04-16
Portofino is an open source web development framework. Portofino before version 5.2.1 did not properly verify the signature of JSON Web Tokens. This allows forging a valid JWT. The issue will be patched in the upcoming 5.2.1 release.