If you are a Star Wars fan, you are probably familiar with Order 66. A chip was inserted in the brain of each Clone to moderate their behavior and carry instructions. This chip included Order 66, an instruction to eliminate the Jedi. Although the Jedi did hire the Kaminoans to build the Clone Army, Emperor Palpatine exploited his position of power to manipulate the instructions in the chip for his future benefit. And there you have an example of why you need to protect your hardware long before it is installed in your facilities or other equipment.
According to Gartner, in 2019, 65% of smart products were “hackable”. For example, in 2015 a toy manufacturer launched an interactive doll which turned out to be vulnerable to attacks. As we have been discussing in our Cybersecurity Blog Series, recent famous attacks focus on the software and network levels because it is easier to gain digital access than physical access. However, we have also shown that hardware attacks are not uncommon, and their consequences can be devastating for businesses.
Moreover, in our blogs we have been discussing strategies, technologies, and best practices you can leverage to protect your company starting at the hardware level. Nevertheless, we haven’t yet discussed how to protect hardware while it is in the supply chain.
As stated above, gaining physical access is difficult but not impossible, and sometimes that means tampering with hardware while it is being manufactured and exploiting the vulnerability later, just like Emperor Palpatine with the Clone Army.
At first, this might seem like a crazy conspiracy theory out of fan fiction. Nevertheless, keep in mind that hardware attacks can disrupt business operations and lead to great financial losses, physical damage, and destruction of the company’s reputation, among other devastating consequences.
What are the Security Challenges in Supply Chain?
As companies implement automation and digital strategies, they also increase their attack surface and vulnerability risks. As a result, data and IT infrastructure protection (applications, servers, networks, customer data, supplier data, bills of materials, transportation management systems) has been a major priority for supply chain information protection for years. However, product protection has not been a priority, even though the number of products that can connect to the internet or are considered “smart” continues to increase.
These “smart” products usually include embedded code, logic-bearing components, or microcontrollers. Previously, only high-tech companies concerned themselves with the challenges of protecting products in the supply chain. Nowadays, however, transportation, healthcare, and consumer products are becoming smarter, thus increasing the need to protect them.
A related challenge in protecting the supply chain is technology for operations. As Edge Computing and IoT allow us to experience computing closer to the user, new vulnerabilities are introduced. The equipment used for manufacturing and logistics is now usually connected to internal networks, at least to monitor its performance and predict problems. Just make sure that you analyze the possible threats of connecting this equipment to the Internet along with the productivity gains of installing monitoring software and hardware.
As a result of having to protect IT, operational technology, and products, governance rises as a challenge. In many companies each department takes care of its own piece, and there is no cross-functional team that minds security holistically and enterprise-wide. This translates into IT, engineering, research and development, facilities, and operations solving vulnerabilities within the boundaries of their own responsibilities and neglecting product protection. In fact, IT departments commonly take care of data, IT infrastructure, and operations. In some companies, there is an IT team and a separate operations team which deals with OT/IoT/physical technology security. In certain companies you can find a security group which may be part of the IT group.
This is a particularly challenging issue given the growth of attacks and their spreading rate, plus the perpetual effort to balance innovation initiatives with regular operations. More than ever, supply chain organizations need to understand that security is one of their responsibilities. Furthermore, the whole organization needs to work together to protect products holistically while responding to immediate threats or attacks.
Protecting the Hardware of Smart Products
As with the example of Order 66, the motivation behind the attack can be to sabotage your operations by tampering with hardware, leading to financial losses, damaged reputation, and business disruptions, among others. Nonetheless, the attacks could also aim at counterfeiting products or stealing design information in order to beat you to market, which can put you out of business or cost you a huge amount of sales.
Hardware security risks exist throughout the lifecycle: from initial design and manufacturing to recycling and disposal. State-of-the-art integrated circuits are so complex that it is impossible for a single company to design, manufacture, and test a chip on its own. As a result, chip manufacturing is now a value-add chain of multi-national companies.
Even before the pandemic started, companies were pressured to look for advanced and cheaper electronic products. This led to unparalleled levels of hardware outsourcing. Now we are still experiencing the side effects of travel restrictions and business disruptions, which have caused shortages of components. Consequently, companies developing electronic systems are working with brokers and third-party suppliers, instead of original suppliers, to meet demand, to improve lead times, or to reduce price. The risk of these practices is acquiring counterfeit chips, which can be out of specification, recycled, or cloned (the irony!). These counterfeit chips can later be installed in sensitive or critical systems and open vulnerabilities for attacks (just like in Star Wars).
Recommendations to Reduce Vulnerabilities in Hardware Supply Chain
The single most important recommendation is to consider product security a priority for the whole organization. Eliminate barriers so that cross-functional teams including operations, IT, research and development, marketing, PR, and human resources work together to identify and solve vulnerabilities across the complete product life cycle.
You also need to guarantee that the extended supply chain can meet efficiency, cost, service, quality, and security requirements for all your products, especially the “smart” ones, from the design phase to decommissioning and disposal.
Create and implement disaster recovery plans and business continuity assessments. Remember that external factors or Acts of God, like a pandemic, can change your business strategy and needs quickly. At the very least, gather some information on how you can quickly adapt to a changing logistics or supply chain situation, along with information on possible threats and vulnerabilities. Vendor risk assessment and management should be part of the business continuity plans. That way, if you can’t wait for your regular providers’ lead times, you have pre-approved, secure second options. Finally, make sure all these plans and assessments stick to industry-approved standards, because those usually provide a useful guide on scope of work and time frames.
If you want to know more about how a Hardware OEM can help you improve security starting at the hardware level, you can read this blog. You can also continue reading our Cybersecurity Blog Series.